Bug 664412 - [abrt] evolution-2.32.1-1.fc14: icaltzutil_fetch_timezone: Process /usr/bin/evolution was killed by signal 11 (SIGSEGV)
Summary: [abrt] evolution-2.32.1-1.fc14: icaltzutil_fetch_timezone: Process /usr/bin/e...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: libical
Version: 14
Hardware: x86_64
OS: Unspecified
Priority: low
Severity: medium
Target Milestone: ---
Assignee: Robert Scheck
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: abrt_hash:cdca75ef4578108eefd89b78139...
Duplicates: 662070
Depends On:
Blocks:
Reported: 2010-12-20 11:06 UTC by Yann Droneaud
Modified: 2012-01-01 21:24 UTC (History)
CC: 5 users

Fixed In Version: libical-0.48-1.fc15
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2012-01-01 19:29:07 UTC


Attachments
File: backtrace (66.37 KB, text/plain)
2010-12-20 11:06 UTC, Yann Droneaud
valgrind log for evolution (2.76 KB, text/plain)
2010-12-20 15:04 UTC, Yann Droneaud

Description Yann Droneaud 2010-12-20 11:06:08 UTC
abrt version: 1.1.14
architecture: x86_64
Attached file: backtrace
cmdline: evolution
component: evolution
crash_function: icaltzutil_fetch_timezone
executable: /usr/bin/evolution
kernel: 2.6.35.9-64.fc14.x86_64
package: evolution-2.32.1-1.fc14
rating: 4
reason: Process /usr/bin/evolution was killed by signal 11 (SIGSEGV)
release: Fedora release 14 (Laughlin)
time: 1292842793
uid: 500

How to reproduce
-----
1. Run evolution with G_DEBUG=resident-modules,gc-friendly G_SLICE=always-malloc,debug-blocks under ElectricFence with EF_PROTECT_BELOW=1 EF_ALLOW_MALLOC_0=1

Comment 1 Yann Droneaud 2010-12-20 11:06:10 UTC
Created attachment 469724 [details]
File: backtrace

Comment 2 Yann Droneaud 2010-12-20 11:28:56 UTC
*** Bug 662070 has been marked as a duplicate of this bug. ***

Comment 3 Yann Droneaud 2010-12-20 11:33:28 UTC
Package: evolution-2.32.1-1.fc14
Architecture: x86_64
OS Release: Fedora release 14 (Laughlin)


How to reproduce
-----
1. Run evolution with G_DEBUG=resident-modules,gc-friendly G_SLICE=always-malloc,debug-blocks under ElectricFence with EF_PROTECT_BELOW=1 EF_ALLOW_MALLOC_0=1 EF_ALIGNMENT=16

Comment 4 Yann Droneaud 2010-12-20 15:04:13 UTC
Created attachment 469779 [details]
valgrind log for evolution

Here's some valgrind log about the same problem.

And here the interesting lines of code in icaltz-util.c:

Note: num_trans is equal to 0

339         transitions = calloc (num_trans, sizeof (time_t));
340         r_trans = calloc (num_trans, 4);
341         EFREAD(r_trans, 4, num_trans, f);
411                 stdidx = 0;
426         if (stdidx != -1) {
430                         zidx = 0;
439                         zp_idx = zidx;
441                 trans = transitions [stdidx] + types [zp_idx].gmtoff;

A time_t is read at transitions[0], which is not allocated.

Note: there's also no check that zp_idx is not actually overflowing types[].

This piece of code must be improved to take extra care when parsing a timezone file.
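
The following is an added example, not libical's code and not part of the report. It shows the shape of the check the comment above asks for: a version-1 TZif block (the layout RFC 8536 documents: a 44-byte header with big-endian counts at fixed offsets, then 4-byte transition times, 1-byte type indices and 6-byte ttinfo records) is parsed with every count validated against the buffer length, the zero-transition case is rejected instead of indexing transitions[0], and each type index is compared against typecnt before types[] is dereferenced. The result codes, the build_tzif_v1 helper and the sample buffers are constructed for this example and are not libical's API.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Result codes for the hardened lookup (constructed for this example). */
enum { TZ_OK = 0, TZ_ERR_TRUNCATED = -1, TZ_ERR_NO_TRANSITIONS = -2, TZ_ERR_BAD_TYPE_INDEX = -3 };

/* TZif stores counts, transition times and offsets as big-endian 32-bit values. */
static uint32_t be32(const unsigned char *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}
static void be32w(unsigned char *p, uint32_t v) {
    p[0] = (unsigned char)(v >> 24); p[1] = (unsigned char)(v >> 16);
    p[2] = (unsigned char)(v >> 8);  p[3] = (unsigned char)v;
}

/*
 * Compute what the excerpt's line 441 computes, transitions[stdidx] +
 * types[zp_idx].gmtoff for the last standard-time transition, but only after
 * checking that the counts fit in the buffer, that timecnt is non-zero and
 * that every type index is below typecnt.
 */
int tz_last_std_transition(const unsigned char *buf, size_t len, int64_t *out)
{
    if (len < 44 || memcmp(buf, "TZif", 4) != 0) return TZ_ERR_TRUNCATED;
    uint32_t timecnt = be32(buf + 32);   /* header offset of timecnt per RFC 8536 */
    uint32_t typecnt = be32(buf + 36);   /* header offset of typecnt */
    /* Per transition: 4-byte time + 1-byte type index; per ttinfo: 6 bytes. */
    size_t need = 44 + (size_t)timecnt * 5 + (size_t)typecnt * 6;
    if (need > len) return TZ_ERR_TRUNCATED;
    if (timecnt == 0) return TZ_ERR_NO_TRANSITIONS;  /* the report's case: nothing to index */
    if (typecnt == 0) return TZ_ERR_BAD_TYPE_INDEX;

    const unsigned char *trans = buf + 44;
    const unsigned char *idx = trans + (size_t)timecnt * 4;
    const unsigned char *types = idx + timecnt;

    /* Walk backwards to the most recent standard-time (isdst == 0) transition. */
    for (uint32_t i = timecnt; i-- > 0;) {
        uint32_t t = idx[i];
        if (t >= typecnt) return TZ_ERR_BAD_TYPE_INDEX;  /* zp_idx would overflow types[] */
        const unsigned char *tt = types + (size_t)t * 6;
        if (tt[4] == 0) {
            int32_t when = (int32_t)be32(trans + (size_t)i * 4);
            int32_t gmtoff = (int32_t)be32(tt);
            *out = (int64_t)when + gmtoff;
            return TZ_OK;
        }
    }
    return TZ_ERR_NO_TRANSITIONS;  /* only DST transitions present: nothing to anchor on */
}

/* Build a minimal v1 TZif block from constructed inputs; returns its length or 0. */
size_t build_tzif_v1(unsigned char *out, size_t cap, uint32_t timecnt, const int32_t *times,
                     const unsigned char *type_idx, uint32_t typecnt,
                     const int32_t *gmtoffs, const unsigned char *isdst)
{
    size_t need = 44 + (size_t)timecnt * 5 + (size_t)typecnt * 6;
    if (need > cap) return 0;
    memset(out, 0, need);
    memcpy(out, "TZif", 4);
    be32w(out + 32, timecnt);
    be32w(out + 36, typecnt);
    unsigned char *p = out + 44;
    for (uint32_t i = 0; i < timecnt; i++, p += 4) be32w(p, (uint32_t)times[i]);
    for (uint32_t i = 0; i < timecnt; i++) *p++ = type_idx[i];
    for (uint32_t i = 0; i < typecnt; i++, p += 6) { be32w(p, (uint32_t)gmtoffs[i]); p[4] = isdst[i]; }
    return need;
}

int main(void)
{
    unsigned char b[256];
    int64_t v = 0;
    /* Constructed sample 1: timecnt == 0, one type (the crash case from the report). */
    int32_t off0[] = { 3600 }; unsigned char d0[] = { 0 };
    size_t n = build_tzif_v1(b, sizeof b, 0, NULL, NULL, 1, off0, d0);
    printf("no transitions -> %d\n", tz_last_std_transition(b, n, &v));
    /* Constructed sample 2: one std and one DST transition. */
    int32_t t1[] = { 1000, 2000 }; unsigned char i1[] = { 0, 1 };
    int32_t off1[] = { -18000, -14400 }; unsigned char d1[] = { 0, 1 };
    n = build_tzif_v1(b, sizeof b, 2, t1, i1, 2, off1, d1);
    printf("well-formed -> %d, value %lld\n", tz_last_std_transition(b, n, &v), (long long)v);
    return 0;
}
```

Running the block prints the result code for a zero-transition file and the computed value for a well-formed one; a type index past typecnt or a buffer shorter than the counts demand is reported rather than read.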

Comment 5 Milan Crha 2010-12-21 09:57:58 UTC
Thanks for the bug report. I'm moving this to libical. If you would like a test application which will call only this, then I can write it for you.

Comment 6 Robert Scheck 2010-12-21 11:04:53 UTC
Well, what does "rpm -q libical" say? There is a newer libical version in
updates-testing.

Comment 7 Yann Droneaud 2010-12-21 13:10:09 UTC
(In reply to comment #6)
> Well, what does "rpm -q libical" say? There is a newer libical version in
> updates-testing.

$ rpm -q libical
libical-0.46-2.fc14.x86_64

I've installed it following comment 5 on bug 637150.

Comment 8 Robert Scheck 2010-12-23 00:48:28 UTC
To be honest, I'm not a programmer. All I can do for you is just forwarding
the information you're providing me into an upstream bug report. Maybe Milan
or the Red Hat libical maintainer is more experienced with that?

Comment 9 Robert Scheck 2011-10-23 23:35:28 UTC
Can this issue completely be solved with the patch from bug #694118? Milan?

Comment 10 Milan Crha 2011-10-24 09:08:38 UTC
The 0.47 of libical has a fix included already, if I read this [1] thread correctly.

[1] http://sourceforge.net/mailarchive/forum.php?thread_name=201103081755.02449.winter%40kde.org&forum_name=freeassociation-devel

Comment 11 Robert Scheck 2011-10-24 09:29:54 UTC
Milan, could you verify it in the 0.47 code? Then I'll update the branches
accordingly. Thanks :)

Comment 12 Milan Crha 2011-10-24 10:02:53 UTC
I tried with 0.47 libical, running evolution under valgrind, and I do not see any warnings from this function. If Yann could test under ElectricFence, then even better. Here's a scratch build of the libical 0.47 package for Fedora 16:
http://koji.fedoraproject.org/koji/taskinfo?taskID=3455112

Comment 13 Fedora Update System 2011-12-17 15:09:11 UTC
libical-0.48-1.fc15 has been submitted as an update for Fedora 15.
https://admin.fedoraproject.org/updates/libical-0.48-1.fc15

Comment 14 Fedora Update System 2011-12-17 15:09:13 UTC
libical-0.48-1.el5 has been submitted as an update for Fedora EPEL 5.
https://admin.fedoraproject.org/updates/libical-0.48-1.el5

Comment 15 Fedora Update System 2011-12-17 15:09:13 UTC
libical-0.48-1.el4 has been submitted as an update for Fedora EPEL 4.
https://admin.fedoraproject.org/updates/libical-0.48-1.el4

Comment 16 Fedora Update System 2011-12-17 15:09:14 UTC
libical-0.48-1.fc16 has been submitted as an update for Fedora 16.
https://admin.fedoraproject.org/updates/libical-0.48-1.fc16

Comment 17 Fedora Update System 2011-12-17 19:26:21 UTC
Package libical-0.48-1.el4:
* should fix your issue,
* was pushed to the Fedora EPEL 4 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=epel-testing libical-0.48-1.el4'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-EPEL-2011-5265/libical-0.48-1.el4
then log in and leave karma (feedback).

Comment 18 Fedora Update System 2012-01-01 19:29:07 UTC
libical-0.48-1.el4 has been pushed to the Fedora EPEL 4 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 19 Fedora Update System 2012-01-01 19:29:39 UTC
libical-0.48-1.el5 has been pushed to the Fedora EPEL 5 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 20 Fedora Update System 2012-01-01 21:22:31 UTC
libical-0.48-1.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 21 Fedora Update System 2012-01-01 21:24:27 UTC
libical-0.48-1.fc15 has been pushed to the Fedora 15 stable repository.  If problems still persist, please make note of it in this bug report.
