[Evolution] Bug#506373: evolution email crashes when receiving a specific invitation from Google Calendar
Cyrille Chépélov
cyrille at chepelov.org
Thu Nov 20 23:08:01 UTC 2008
Package: evolution
Version: 2.22.3.1-1
Severity: grave
Justification: security; strangers might DoS evolution causing a crash upon startup until other mail piles up.
When receiving a specific e-mail message containing a Google Calendar
invitation, Evolution crashes. It then crashes again at boot, when trying
again to display the last received (same) message.
The default character set might be set to either UTF-8 or ISO-8859-15; it is
unknown at this point whether the Google Calendar invite is exactly
well-formatted with respect to character encoding. What is known is that the
second-to-last character of the subject is a "lowercase eacute" (U+00E9) and
that there is also another such character in the middle of the subject
string. From looking at the way the stack trace from gdb ends up into an
UTF-8 aware gnome-terminal, it seems some mojibake issue might be at play.
libglib2.0-0 is the place of crash, for sure, but evolution (camel) proper
might as well be charged with insufficient disinfection of incoming remote
data (a definitive security risk).
I'll attach the stack trace here, very slightly edited to remove private
data (overstriking only ASCII characters with other ASCII characters).
-- Cyrille
------ stack dump
#0 0x00007f0c55b6ae30 in IA__g_markup_escape_text (
text=0x4887000 <Address 0x4887000 out of bounds>, length=76050432)
at /build/buildd/glib2.0-2.16.6/glib/gmarkup.c:1952
#1 0x00007f0c55b6c198 in IA__g_markup_vprintf_escaped (
format=<value optimized out>, args=<value optimized out>)
at /build/buildd/glib2.0-2.16.6/glib/gmarkup.c:2272
#2 0x00007f0c55b6c2fd in IA__g_markup_printf_escaped (
format=0x4564aa0 "\020p9C\f\177")
at /build/buildd/glib2.0-2.16.6/glib/gmarkup.c:2329
#3 0x00007f0c4af7aa39 in itip_view_set_summary (view=<value optimized out>,
summary=0x4557d80 "Concert Paris-Novembre (R�xx Vyyyy�)")
(note the "unknown character" boxes in the summary string here, should be
U+00E9 instead.)
at itip-view.c:597
#4 0x00007f0c4af73cdb in format_itip_object (efh=0x1dfe1c0,
eb=0x7f0c3d4ba6e0, pobject=<value optimized out>) at itip-formatter.c:2017
#5 0x00007f0c4fa4218f in efh_object_requested (html=<value optimized out>,
eb=0x7f0c3d4ba6e0, efh=0x1dfe1c0) at em-format-html.c:625
#6 0x00007f0c5bcca058 in html_g_cclosure_marshal_BOOLEAN__OBJECT (
closure=0x3d72780, return_value=0x7fff68ee8910,
n_param_values=<value optimized out>, param_values=0x7fff68ee8710,
invocation_hint=<value optimized out>, marshal_data=0x7f0c4fa42140)
at htmlmarshal.c:83
#7 0x00007f0c56001e9d in IA__g_closure_invoke (closure=0x3d72780,
return_value=0x7fff68ee8910, n_param_values=2,
param_values=0x7fff68ee8710, invocation_hint=0x7fff68ee8610)
at /build/buildd/glib2.0-2.16.6/gobject/gclosure.c:490
#8 0x00007f0c56014bfd in signal_emit_unlocked_R (node=0x3cb3040, detail=0,
instance=0x3cd87e0, emission_return=0x7fff68ee8910,
instance_and_params=0x7fff68ee8710)
at /build/buildd/glib2.0-2.16.6/gobject/gsignal.c:2440
#9 0x00007f0c56015f71 in IA__g_signal_emit_valist (instance=0x3cd87e0,
signal_id=<value optimized out>, detail=0, var_args=0x7fff68ee8970)
at /build/buildd/glib2.0-2.16.6/gobject/gsignal.c:2209
#10 0x00007f0c560165f3 in IA__g_signal_emit (instance=0x4564aa0, signal_id=1,
detail=3351806) at /build/buildd/glib2.0-2.16.6/gobject/gsignal.c:2243
#11 0x00007f0c5bc8ab1e in html_engine_object_requested_cb (
engine=<value optimized out>, eb=0x7f0c3d4ba6e0, data=0x3cd87e0)
at gtkhtml.c:542
#12 0x00007f0c5bcca058 in html_g_cclosure_marshal_BOOLEAN__OBJECT (
closure=0x3d74e40, return_value=0x7fff68ee8ef0,
n_param_values=<value optimized out>, param_values=0x7fff68ee8cf0,
invocation_hint=<value optimized out>, marshal_data=0x7f0c5bc8aad0)
at htmlmarshal.c:83
#13 0x00007f0c56001e9d in IA__g_closure_invoke (closure=0x3d74e40,
return_value=0x7fff68ee8ef0, n_param_values=2,
param_values=0x7fff68ee8cf0, invocation_hint=0x7fff68ee8bf0)
at /build/buildd/glib2.0-2.16.6/gobject/gclosure.c:490
#14 0x00007f0c56014bfd in signal_emit_unlocked_R (node=0x3d67470, detail=0,
instance=0x3d8c080, emission_return=0x7fff68ee8ef0,
instance_and_params=0x7fff68ee8cf0)
at /build/buildd/glib2.0-2.16.6/gobject/gsignal.c:2440
#15 0x00007f0c56015f71 in IA__g_signal_emit_valist (instance=0x3d8c080,
signal_id=<value optimized out>, detail=0, var_args=0x7fff68ee8f50)
at /build/buildd/glib2.0-2.16.6/gobject/gsignal.c:2209
#16 0x00007f0c560165f3 in IA__g_signal_emit (instance=0x4564aa0, signal_id=1,
detail=3351806) at /build/buildd/glib2.0-2.16.6/gobject/gsignal.c:2243
#17 0x00007f0c5bcbabdf in element_parse_object (e=0x3d8c080, clue=0x454e070,
attr=<value optimized out>) at htmlengine.c:1531
#18 0x00007f0c5bcb8f50 in parse_one_token (e=0x3d8c080, clue=0x454e070,
str=0x45462b7 "object classid=\"itip:///.0x201f450.91052.mixed.0.alternative.2\">")
at htmlengine.c:3749
#19 0x00007f0c5bcc08ee in html_engine_timer_event (e=0x3d8c080)
at htmlengine.c:1347
#20 0x00007f0c5bcc0978 in html_engine_flush (e=0x3d8c080) at htmlengine.c:6521
#21 0x00007f0c4fa493b9 in emhs_sync_flush (stream=<value optimized out>)
at em-html-stream.c:127
#22 0x00007f0c4fa573f0 in emss_process_message (msg=0x41461fd0)
at em-sync-stream.c:80
#23 0x00007f0c55b6678b in IA__g_main_context_dispatch (context=0x19f5610)
at /build/buildd/glib2.0-2.16.6/glib/gmain.c:2012
#24 0x00007f0c55b69f5d in g_main_context_iterate (context=0x19f5610, block=1,
dispatch=1, self=<value optimized out>)
at /build/buildd/glib2.0-2.16.6/glib/gmain.c:2645
#25 0x00007f0c55b6a48d in IA__g_main_loop_run (loop=0x1a46510)
at /build/buildd/glib2.0-2.16.6/glib/gmain.c:2853
#26 0x00007f0c5a60d336 in bonobo_main () from /usr/lib/libbonobo-2.so.0
#27 0x0000000000417af3 in main (argc=<value optimized out>,
argv=0x7fff68ee9468) at main.c:793
#28 0x00007f0c558031c4 in __libc_start_main () from /lib/libc.so.6
#29 0x000000000040af49 in _start ()
-- System Information:
Debian Release: lenny/sid
APT prefers testing
APT policy: (800, 'testing'), (600, 'unstable')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.25-2-amd64 (SMP w/2 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to fr_FR.UTF-8)
Shell: /bin/sh linked to /bin/bash
Versions of packages evolution depends on:
ii dbus 1.2.1-2 simple interprocess messaging syst
ii evolution-common 2.22.3.1-1 architecture independent files for
ii evolution-data-server 2.22.3-1.1 evolution database backend server
ii gconf2 2.22.0-1 GNOME configuration database syste
ii gnome-icon-theme 2.22.0-1 GNOME Desktop icon theme
ii gtkhtml3.14 3.18.2-1 HTML rendering/editing library - b
ii libart-2.0-2 2.3.20-2 Library of functions for 2D graphi
ii libatk1.0-0 1.22.0-1 The ATK accessibility toolkit
ii libbluetooth2 3.30-1 Library to use the BlueZ Linux Blu
ii libbonobo2-0 2.22.0-1 Bonobo CORBA interfaces library
ii libbonoboui2-0 2.22.0-1 The Bonobo UI library
ii libc6 2.7-10 GNU C Library: Shared libraries
ii libcairo2 1.6.4-1+b1 The Cairo 2D vector graphics libra
ii libcamel1.2-11 2.22.3-1 The Evolution MIME message handlin
ii libdbus-1-3 1.2.1-2 simple interprocess messaging syst
ii libdbus-glib-1-2 0.76-1 simple interprocess messaging syst
ii libebook1.2-9 2.22.3-1 Client library for evolution addre
ii libecal1.2-7 2.22.3-1 Client library for evolution calen
ii libedataserver1.2-9 2.22.3-1 Utility library for evolution data
ii libedataserverui1.2-8 2.22.3-1 GUI utility library for evolution
ii libegroupwise1.2-13 2.22.3-1 Client library for accessing group
ii libexchange-storage1.2 2.22.3-1 Client library for accessing Excha
ii libfontconfig1 2.5.0-2 generic font configuration library
ii libfreetype6 2.3.5-1+b1 FreeType 2 font engine, shared lib
ii libgconf2-4 2.22.0-1 GNOME configuration database syste
ii libglade2-0 1:2.6.2-1 library to load .glade files at ru
ii libglib2.0-0 2.16.6-1 The GLib library of C routines
ii libgnome-pilot2 2.0.15-2.4 Support libraries for gnome-pilot
ii libgnome2-0 2.20.1.1-1 The GNOME 2 library - runtime file
ii libgnomecanvas2-0 2.20.1.1-1 A powerful object-oriented display
ii libgnomeui-0 2.20.1.1-1 The GNOME 2 libraries (User Interf
ii libgnomevfs2-0 1:2.22.0-3 GNOME Virtual File System (runtime
ii libgtk2.0-0 2.12.9-3 The GTK+ graphical user interface
ii libgtkhtml3.14-19 3.18.3-1 HTML rendering/editing library - r
ii libhal1 0.5.11-1 Hardware Abstraction Layer - share
ii libice6 2:1.0.4-1 X11 Inter-Client Exchange library
ii libldap-2.4-2 2.4.7-5 OpenLDAP libraries
ii libnm-glib0 0.6.6-1 network management framework (GLib
ii libnotify1 [libnotify1 0.4.4-3 sends desktop notifications to a n
ii libnspr4-0d 4.7.1-3 NetScape Portable Runtime Library
ii libnss3-1d 3.12.0~rc3-3 Network Security Service libraries
ii liborbit2 1:2.14.13-0.1 libraries for ORBit2 - a CORBA ORB
ii libpango1.0-0 1.20.3-1 Layout and rendering of internatio
ii libpisock9 0.12.3-4+b1 library for communicating with a P
ii libpisync1 0.12.3-4+b1 synchronization library for PalmOS
ii libpixman-1-0 0.10.0-2 pixel-manipulation library for X a
ii libpng12-0 1.2.27-1 PNG library - runtime
ii libpopt0 1.14-4 lib for parsing cmdline parameters
ii libsm6 2:1.0.3-1+b1 X11 Session Management library
ii libsoup2.4-1 2.4.1-1 an HTTP library implementation in
ii libusb-0.1-4 2:0.1.12-11 userspace USB programming library
ii libx11-6 2:1.0.3-7 X11 client-side library
ii libxcb-render-util0 0.2.1+git1-1 utility libraries for X C Binding
ii libxcb-render0 1.1-1.1 X C Binding, render extension
ii libxcb1 1.1-1.1 X C Binding
ii libxcursor1 1:1.1.9-1 X cursor management library
ii libxext6 2:1.0.4-1 X11 miscellaneous extension librar
ii libxfixes3 1:4.0.3-2 X11 miscellaneous 'fixes' extensio
ii libxi6 2:1.1.3-1 X11 Input extension library
ii libxinerama1 2:1.0.3-2 X11 Xinerama extension library
ii libxml2 2.6.32.dfsg-2 GNOME XML library
ii libxrandr2 2:1.2.2-2 X11 RandR extension library
ii libxrender1 1:0.9.4-1 X Rendering Extension client libra
ii zlib1g 1:1.2.3.3.dfsg-12 compression library - runtime
Versions of packages evolution recommends:
ii bogofilter 1.1.6-2 a fast Bayesian spam filter (dummy
ii evolution-plugins 2.22.1-1 standard plugins for Evolution
pn evolution-webcal <none> (no description available)
ii gnome-desktop-data 2.22.2-1 Common files for GNOME 2 desktop a
pn gnome-pilot-conduits <none> (no description available)
ii spamassassin 3.2.4-2 Perl-based spam filter using text
ii yelp 2.22.1-1 Help browser for GNOME 2
-- no debconf information
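The "disinfection of incoming remote data" step the report argues is missing, shown as an added example. This is not code from the bug report, from Evolution/camel or from GLib: the function names utf8_sanitize and markup_escape_sanitized are hypothetical, the subject string below is a constructed stand-in (ISO-8859-1 bytes 0xE9 for "é", which are not valid UTF-8, like the two boxes in frame #3 of the trace), and the escaper only mirrors the five characters g_markup_escape_text handles (& < > " '). The point is that a string taken from a mail header is validated as UTF-8 and has every invalid byte replaced by U+FFFD before anything markup- or printf-shaped ever sees it, so the escaper is always walking a well-formed, NUL-terminated buffer.

```c
/* Added example: validate remote-supplied text as UTF-8, replace invalid
 * bytes with U+FFFD, and only then escape it for markup. Not Evolution's or
 * GLib's code; names and sample input are constructed for illustration. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Return the length of the well-formed UTF-8 sequence starting at s
 * (n bytes available), or 0 if the bytes there are not a valid sequence.
 * Rejects overlongs (C0, C1, E0 80..9F, F0 80..8F), surrogates (ED A0..BF)
 * and anything above U+10FFFF (F4 90.., F5..FF). */
static size_t utf8_seq_len(const unsigned char *s, size_t n)
{
    if (n == 0) return 0;
    unsigned char c = s[0];
    if (c < 0x80) return 1;                       /* ASCII */
    size_t len;
    unsigned char lo = 0x80, hi = 0xBF;           /* bounds for the 2nd byte */
    if (c >= 0xC2 && c <= 0xDF) { len = 2; }
    else if (c >= 0xE0 && c <= 0xEF) {
        len = 3;
        if (c == 0xE0) lo = 0xA0;                 /* no overlong 3-byte forms */
        if (c == 0xED) hi = 0x9F;                 /* no UTF-16 surrogates */
    } else if (c >= 0xF0 && c <= 0xF4) {
        len = 4;
        if (c == 0xF0) lo = 0x90;                 /* no overlong 4-byte forms */
        if (c == 0xF4) hi = 0x8F;                 /* nothing above U+10FFFF */
    } else {
        return 0;                                 /* stray continuation or C0/C1/F5..FF */
    }
    if (n < len) return 0;                        /* truncated sequence */
    if (s[1] < lo || s[1] > hi) return 0;
    for (size_t i = 2; i < len; i++)
        if ((s[i] & 0xC0) != 0x80) return 0;
    return len;
}

/* Copy len bytes of src into a fresh NUL-terminated buffer, replacing every
 * byte that does not start a well-formed sequence with U+FFFD (EF BF BD).
 * Returns NULL on allocation failure; the caller frees the result. */
char *utf8_sanitize(const char *src, size_t len)
{
    const unsigned char *s = (const unsigned char *)src;
    char *out = malloc(len * 3 + 1);              /* worst case: every byte -> 3 bytes */
    if (!out) return NULL;
    size_t o = 0;
    for (size_t i = 0; i < len; ) {
        size_t k = utf8_seq_len(s + i, len - i);
        if (k == 0) {
            memcpy(out + o, "\xEF\xBF\xBD", 3);   /* U+FFFD REPLACEMENT CHARACTER */
            o += 3;
            i += 1;                               /* resynchronise one byte later */
        } else {
            memcpy(out + o, s + i, k);
            o += k;
            i += k;
        }
    }
    out[o] = '\0';
    return out;
}

/* Sanitize, then escape the five markup-significant characters the same
 * way g_markup_escape_text does. An embedded NUL in src ends the output,
 * which is what any downstream C-string consumer would do anyway. */
char *markup_escape_sanitized(const char *src, size_t len)
{
    char *clean = utf8_sanitize(src, len);
    if (!clean) return NULL;
    size_t n = strlen(clean);
    char *out = malloc(n * 6 + 1);                /* "&quot;" is the longest expansion */
    if (!out) { free(clean); return NULL; }
    size_t o = 0;
    for (size_t i = 0; i < n; i++) {
        const char *rep = NULL;
        switch (clean[i]) {
        case '&':  rep = "&amp;";  break;
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '"':  rep = "&quot;"; break;
        case '\'': rep = "&apos;"; break;
        }
        if (rep) { size_t r = strlen(rep); memcpy(out + o, rep, r); o += r; }
        else out[o++] = clean[i];
    }
    out[o] = '\0';
    free(clean);
    return out;
}

int main(void)
{
    /* Constructed input, not the message from the report: Latin-1 "é" bytes
     * in a subject that a UTF-8 pipeline receives, plus a markup character. */
    static const char subject[] = "Concert Paris-Novembre (R\xE9xx Vyyyy\xE9) <test>";
    char *esc = markup_escape_sanitized(subject, sizeof subject - 1);
    if (!esc) return 1;
    printf("%s\n", esc);
    free(esc);
    return 0;
}
```

Sanitizing the encoding removes the mojibake the report describes, but it does not by itself account for frame #0: there the length argument (76050432) is numerically equal to the text pointer (0x4887000), and the format pointer in frame #2 points at binary garbage rather than a format string, which is what mismatched printf-style arguments look like. Encoding validation is a necessary guard on remote data; the argument passing in the itip-view code path still needs to be checked separately.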