Bug 741434 - Use-after-free after error in GPG signature verification
Status: RESOLVED FIXED
Product: evolution-data-server
Classification: Platform
Component: Mailer
Version: 3.12.x (obsolete)
Hardware/OS: Other All
Importance: Normal normal
Target Milestone: ---
Assigned To: evolution-mail-maintainers
QA Contact: Evolution QA team
Duplicates: 740187 741383 741983 742507 (view as bug list)
Depends on:
Blocks:
 
 
Reported: 2014-12-12 11:01 UTC by Debarshi Ray
Modified: 2015-01-07 22:12 UTC
See Also:
GNOME target: ---
GNOME version: ---



Description Debarshi Ray 2014-12-12 11:01:05 UTC
Backtrace:

(gdb) thread apply all bt

Thread 33 (Thread 0x7fff6dffb700 (LWP 5279))

  • #0 syscall
    at ../sysdeps/unix/sysv/linux/x86_64/syscall.S line 38
  • #1 g_cond_wait_until
    at gthread-posix.c line 1437
  • #2 g_async_queue_pop_intern_unlocked
    at gasyncqueue.c line 422
  • #3 g_async_queue_timeout_pop
    at gasyncqueue.c line 543
  • #4 g_thread_pool_thread_proxy
    at gthreadpool.c line 167
  • #5 g_thread_pool_thread_proxy
    at gthreadpool.c line 364
  • #6 g_thread_proxy
    at gthread.c line 764
  • #7 start_thread
    at pthread_create.c line 310
  • #8 clone
    at ../sysdeps/unix/sysv/linux/x86_64/clone.S line 109

Thread 29 (Thread 0x7fff7574e700 (LWP 5274))

  • #0 g_type_check_instance_is_fundamentally_a
    at gtype.c line 3982
  • #1 g_object_unref
    at gobject.c line 3067
  • #2 gpg_verify_sync
  • #3 camel_cipher_context_verify_sync
  • #4 empe_mp_signed_parse
    at e-mail-parser-multipart-signed.c line 129
  • #5 e_mail_parser_parse_part_as
    at e-mail-parser.c line 563
  • #6 e_mail_parser_parse_part
    at e-mail-parser.c line 508
  • #7 empe_mp_mixed_parse
    at e-mail-parser-multipart-mixed.c line 77
  • #8 e_mail_parser_parse_part_as
    at e-mail-parser.c line 563
  • #9 empe_message_parse
    at e-mail-parser-message.c line 91
  • #10 mail_parser_run
    at e-mail-parser.c line 127
  • #11 e_mail_parser_parse_sync
    at e-mail-parser.c line 349
  • #12 mail_reader_parse_message_run
    at e-mail-reader-utils.c line 2374
  • #13 run_in_thread
    at gsimpleasyncresult.c line 858
  • #14 io_job_thread
    at gioscheduler.c line 85
  • #15 g_task_thread_pool_thread
    at gtask.c line 1215
  • #16 g_thread_pool_thread_proxy
    at gthreadpool.c line 307
  • #17 g_thread_proxy
    at gthread.c line 764
  • #18 start_thread
    at pthread_create.c line 310
  • #19 clone
    at ../sysdeps/unix/sysv/linux/x86_64/clone.S line 109


This is what I have:

rishi@kolache ~$ rpm -qa | grep evolution
evolution-debuginfo-3.12.8-1.fc21.x86_64
evolution-help-3.12.8-1.fc21.noarch
evolution-data-server-devel-3.12.8-2.fc21.x86_64
evolution-ews-3.12.8-1.fc21.x86_64
evolution-3.12.8-1.fc21.x86_64
evolution-data-server-3.12.8-2.fc21.x86_64
evolution-data-server-debuginfo-3.12.6-1.fc21.x86_64
rishi@kolache ~$ rpm -qa | grep webkitgtk
webkitgtk4-debuginfo-2.6.0-2.fc21.x86_64
webkitgtk3-devel-2.4.7-1.fc21.x86_64
webkitgtk3-2.4.7-1.fc21.x86_64
webkitgtk4-2.6.4-1.fc21.x86_64
webkitgtk4-devel-2.6.4-1.fc21.x86_64
webkitgtk-2.4.7-1.fc21.x86_64
webkitgtk4-doc-2.6.4-1.fc21.noarch
rishi@kolache ~$
Comment 1 Milan Crha 2014-12-12 13:09:23 UTC
Updated backtrace with debuginfo from evolution-data-server:

Thread 44 (Thread 0x7fff6effd700 (LWP 6381))

  • #0 g_type_check_instance_is_fundamentally_a
    at gtype.c line 3982
  • #1 g_object_unref
    at gobject.c line 3067
  • #2 gpg_verify_sync
    at camel-gpg-context.c line 1958
  • #3 camel_cipher_context_verify_sync
    at camel-cipher-context.c line 493
  • #4 empe_mp_signed_parse
    at e-mail-parser-multipart-signed.c line 129
  • #5 e_mail_parser_parse_part_as
    at e-mail-parser.c line 563
  • #6 e_mail_parser_parse_part
    at e-mail-parser.c line 508

Comment 2 Milan Crha 2014-12-12 13:15:00 UTC
Use-after-free, or actual double-free, of the istream variable, when the gpg call failed.

Created commit e46c53c in eds master (3.13.9+) [1]
Created commit 2347912 in eds evolution-data-server-3-12 (3.12.10+)

[1] https://git.gnome.org/browse/evolution-data-server/commit/?id=e46c53c
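The error-path pattern behind this report, as an added illustration that is not code from evolution-data-server and does not reproduce the fix in commit e46c53c: a constructed refcounted stream stands in for the GObject, one verify routine releases `istream` on the gpg failure branch and then again in its shared cleanup label (the shape comment 2 describes), and a hardened variant releases it exactly once. `Stream`, `stream_new`, `stream_unref`, `run_gpg`, `verify_buggy`, `verify_fixed` and `count_double_unrefs` are all hypothetical names chosen for this example.

```c
#include <stdio.h>
#include <stdlib.h>

/* Minimal stand-in for a refcounted GObject stream (constructed for this
 * example; it is not Camel's CamelStream). Objects are never actually
 * free()d: a `released` flag stands in for the freed memory so that a
 * second release is detected deterministically instead of touching freed
 * heap the way the real g_object_unref() in the backtrace did. */
typedef struct {
    int refcount;
    int released;
} Stream;

static Stream *stream_new(void)
{
    Stream *s = calloc(1, sizeof *s);
    if (s == NULL) {
        perror("calloc");
        exit(1);
    }
    s->refcount = 1;
    return s;
}

/* Drops one reference. Returns 0 normally and -1 when called on an object
 * whose last reference was already dropped (the double-unref). */
static int stream_unref(Stream *s)
{
    if (s == NULL || s->released)
        return -1;
    if (--s->refcount == 0)
        s->released = 1;
    return 0;
}

/* Stands in for the gpg subprocess: non-zero `fail` means verification failed. */
static int run_gpg(int fail)
{
    return fail ? -1 : 0;
}

/* Defective shape: the error branch releases the stream itself and then
 * jumps to the common cleanup label, which releases it a second time.
 * `*double_unrefs` counts releases that hit an already-released object;
 * the return value is the verification status. */
static int verify_buggy(int gpg_fails, int *double_unrefs)
{
    Stream *istream = stream_new();
    int status = 0;

    if (run_gpg(gpg_fails) < 0) {
        if (stream_unref(istream) < 0)   /* first release, on the error path */
            (*double_unrefs)++;
        status = -1;
        goto exception;
    }

    /* ... processing of the verified data would go here ... */

exception:
    if (stream_unref(istream) < 0)       /* second release, in the shared exit */
        (*double_unrefs)++;
    return status;
}

/* Hardened shape: exactly one release, owned by the common exit path, and
 * the pointer is cleared afterwards (the idiom GLib's g_clear_object()
 * macro provides) so any later cleanup is a no-op instead of a second unref. */
static int verify_fixed(int gpg_fails, int *double_unrefs)
{
    Stream *istream = stream_new();
    int status = 0;

    if (run_gpg(gpg_fails) < 0) {
        status = -1;
        goto exception;                  /* no release here */
    }

exception:
    if (istream != NULL) {
        if (stream_unref(istream) < 0)
            (*double_unrefs)++;
        istream = NULL;
    }
    return status;
}

/* Runs one variant and returns how many double releases it performed. */
static int count_double_unrefs(int (*verify)(int, int *), int gpg_fails)
{
    int n = 0;
    verify(gpg_fails, &n);
    return n;
}

int main(void)
{
    printf("buggy, gpg ok:     %d double unref(s)\n", count_double_unrefs(verify_buggy, 0));
    printf("buggy, gpg failed: %d double unref(s)\n", count_double_unrefs(verify_buggy, 1));
    printf("fixed, gpg failed: %d double unref(s)\n", count_double_unrefs(verify_fixed, 1));
    return 0;
}
```

Build with `cc -Wall -o double_unref double_unref.c && ./double_unref`. The buggy variant only misbehaves when the gpg call fails, which is why the crash surfaced on messages whose signature verification errored rather than on every signed message; with a real GObject the second unref reads freed memory, and AddressSanitizer (`-fsanitize=address`) or Valgrind reports it at the second `g_object_unref` call rather than at some later, unrelated point.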
Comment 3 Milan Crha 2015-01-07 10:52:03 UTC
*** Bug 740187 has been marked as a duplicate of this bug. ***
Comment 4 Milan Crha 2015-01-07 15:00:03 UTC
*** Bug 741983 has been marked as a duplicate of this bug. ***
Comment 5 Milan Crha 2015-01-07 15:00:35 UTC
*** Bug 742507 has been marked as a duplicate of this bug. ***
Comment 6 Milan Crha 2015-01-07 22:12:19 UTC
*** Bug 741383 has been marked as a duplicate of this bug. ***