The message in the "URL" field of this bug describes a way to DoS the evolution
we currently ship in FC5test3. This issue does not affect FC4 (I did check).
According to SecurityFocus, it should only affect evolution 2.3 and above (I've
done zero verification of this though).
Created attachment 125028: mbox file which triggers this flaw
Ray tells me this is a cairo bug:
I talked to Carl and he said he thinks it will be an easy fix. I have a vague
idea what to do, but I'll defer to him.
Created attachment 125562: Preliminary patch, useful to confirm the diagnosis.
Here's the simplest patch I could think of to cairo that should actually solve
It's not yet a fully adequate solution, for two reasons, as noted in the
comments of the patch (and copied below).
But if someone were able to verify that the evolution bug goes away after this
patch is applied to cairo, then that would be a useful thing to know.
I should have a more complete patch ready soon.
/* XXX: This 20000 number was arbitrarily picked from the ballpark
* of values that empirically appear to do the job. I'm working on
* coming up with the real equation for deciding this cutoff. */
/* XXX: Returning UNSUPPORTED in this case is not the kindest
* thing to do. The results will still be correct, (the
* UNSUPPORTED return will cause fallbacks to kick in), but there
* will be a rather abrupt performance cliff for any application
* that crosses this threshold. Better would be to still render
* all the glyphs via XRender but just batch it up into
* small-enough pieces. */
Created attachment 125615: Make _cairo_xlib_surface_show_glyphs break things up into chunks.
Here's a better patch.
It resolves both problems of the previous patch, and therefore also avoids the
problem with the previous patch that Ray found which is that the fallbacks
could trigger an attempt to create a too-huge Pixmap and crash again.
Please let me know if this patch to cairo solves the problem with evolution.
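The two approaches discussed in the preceding comments, a hard cutoff that returns UNSUPPORTED above a glyph-count threshold versus batching the same glyphs into bounded chunks, are illustrated below as an added stand-alone example. This is not cairo's code and not the attached patch: the glyph struct, the render_batch stand-in for the XRender call, the function names and the 20000 cap (taken from the preliminary patch's arbitrary number, not a real XRender limit) are all assumptions made for the illustration. The point it shows is that an attacker-controlled glyph count coming out of a message must never be forwarded as one unbounded server request; the chunked version keeps every request under the cap while still rendering everything.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical glyph record standing in for cairo's glyph type
 * (assumption: layout is irrelevant here, only the count matters). */
typedef struct { unsigned long index; double x, y; } glyph_t;

/* Assumed per-request cap. The number mirrors the preliminary patch's
 * "arbitrarily picked" 20000; it is NOT a real XRender protocol limit. */
#define MAX_GLYPHS_PER_REQUEST 20000

typedef enum { STATUS_SUCCESS = 0, STATUS_UNSUPPORTED = 1 } status_t;

/* Counters so the batching behaviour can be checked without an X server. */
static size_t g_largest_batch = 0;
static size_t g_batches = 0;

/* Stand-in for the accelerated (XRender) glyph request. Records the
 * largest single batch it was ever asked to draw. */
static void render_batch(const glyph_t *glyphs, size_t n) {
    (void)glyphs;
    g_batches++;
    if (n > g_largest_batch) g_largest_batch = n;
}

void reset_counters(void) { g_largest_batch = 0; g_batches = 0; }
size_t largest_batch(void) { return g_largest_batch; }
size_t batches_issued(void) { return g_batches; }

/* Preliminary approach: refuse oversized requests so the caller falls
 * back to software rendering. Results stay correct, but every input
 * above the cap drops off a performance cliff, and the fallback itself
 * may need a huge Pixmap for the same glyph run. */
status_t show_glyphs_guarded(const glyph_t *glyphs, size_t n) {
    if (n > MAX_GLYPHS_PER_REQUEST)
        return STATUS_UNSUPPORTED;
    render_batch(glyphs, n);
    return STATUS_SUCCESS;
}

/* Chunked approach: always use the accelerated path, but never issue a
 * single request larger than the cap. Returns the number of requests. */
size_t show_glyphs_chunked(const glyph_t *glyphs, size_t n) {
    size_t issued = 0;
    for (size_t off = 0; off < n; off += MAX_GLYPHS_PER_REQUEST) {
        size_t len = n - off;
        if (len > MAX_GLYPHS_PER_REQUEST)
            len = MAX_GLYPHS_PER_REQUEST;
        render_batch(glyphs + off, len);
        issued++;
    }
    return issued;
}

/* Constructed sample input: a glyph run well above the cap, as a
 * malicious message body could produce (contents are irrelevant). */
#define SAMPLE_GLYPH_COUNT 45001
static glyph_t sample_glyphs[SAMPLE_GLYPH_COUNT];

int main(void) {
    status_t s = show_glyphs_guarded(sample_glyphs, SAMPLE_GLYPH_COUNT);
    printf("guarded: %s\n", s == STATUS_UNSUPPORTED ? "UNSUPPORTED (fallback)" : "rendered");

    reset_counters();
    size_t reqs = show_glyphs_chunked(sample_glyphs, SAMPLE_GLYPH_COUNT);
    printf("chunked: %zu requests, largest batch %zu glyphs\n", reqs, largest_batch());
    return 0;
}
```

With 45001 glyphs the guarded version bails out entirely, while the chunked version issues three requests of at most 20000 glyphs each, so the accelerated path is used and no single request or fallback Pixmap scales with the attacker's input.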
It looks like the fixed packages are queued up for tomorrow's rawhide, so closing...
*** Bug 181986 has been marked as a duplicate of this bug. ***