Bug 644139 - Evolution 2.32.2 crashes parsing utf-8 stuff when presented with certain types of spam
Status: RESOLVED DUPLICATE of bug 644099
Product: evolution
Classification: Applications
Component: Mailer
Version: 2.32.x (obsolete)
Hardware: Other Linux
Importance: Normal critical
Target Milestone: ---
Assigned To: evolution-mail-maintainers
QA Contact: Evolution QA team
Depends on:
Blocks:
 
 
Reported: 2011-03-07 17:14 UTC by Alex Buell
Modified: 2011-03-07 17:24 UTC
See Also:
GNOME target: ---
GNOME version: ---


Attachments
Test case that reproduces the crash (5.90 KB, text/plain)
2011-03-07 17:15 UTC, Alex Buell

Description Alex Buell 2011-03-07 17:14:10 UTC
Evolution 2.32.2 will crash if someone passes an invalid header of the message to it. I have attached a test case for this that reproduces the crash every time!

Stack-trace:

0xb725871b in g_variant_is_trusted (value=0x0) at gvariant-core.c:599
599	gvariant-core.c: No such file or directory.
	in gvariant-core.c
(gdb) bt
  • #0 g_variant_is_trusted
    at gvariant-core.c line 599
  • #1 g_variant_builder_add_value
    at gvariant.c line 2932
  • #2 g_variant_valist_new
    at gvariant.c line 3928
  • #3 g_variant_new_va
  • #4 g_variant_new
  • #5 e_gdbus_book_call_get_contact_list_sync
  • #6 e_book_get_contacts
    at e-book.c line 2006
  • #7 search_address_in_addressbooks
    at em-utils.c line 1813
  • #8 em_utils_in_addressbook
    at em-utils.c line 1885
  • #9 lookup_addressbook
    at mail-session.c line 444
  • #10 camel_session_lookup_addressbook
    at camel-session.c line 718
  • #11 junk_test
    at camel-filter-search.c line 668
  • #12 e_sexp_term_eval
    at e-sexp.c line 731
  • #13 e_sexp_eval
    at e-sexp.c line 1545
  • #14 camel_filter_search_match
  • #15 camel_filter_driver_filter_message
    at camel-filter-driver.c line 1548
  • #16 camel_filter_driver_filter_mbox
    at camel-filter-driver.c line 1289
  • #17 fetch_mail_exec
    at mail-ops.c line 271
  • #18 mail_msg_proxy
    at mail-mt.c line 469
  • #19 g_thread_pool_thread_proxy
    at gthreadpool.c line 319
  • #20 g_thread_create_proxy
    at gthread.c line 1897
  • #21 start_thread
    at pthread_create.c line 297
  • #22 clone
    at ../sysdeps/unix/sysv/linux/i386/clone.S line 133


To me, it smells like someone was trying to do a buffer overflow attack, but this should not have crashed glib or evolution. Test case attached.
Comment 1 Alex Buell 2011-03-07 17:15:14 UTC
Created attachment 182727
Test case that reproduces the crash
Comment 2 Fabio Durán Verdugo 2011-03-07 17:19:51 UTC
Thanks for the bug report. This particular bug has already been reported into our bug tracking system, but please feel free to report any further bugs you find.

*** This bug has been marked as a duplicate of bug 644099 ***
Comment 3 André Klapper 2011-03-07 17:24:31 UTC
Fabio: Please don't dup reports without mentioning in the original ticket that there is a TESTCASE here.