Package: kmail
Version: 4:3.5.5.dfsg.1-1
Severity: serious
Tags: security patch
Justification: makes program unusable because of input from internet
When receiving an email with specially formatted email headers, kmail locks up in 15-30 minutes without responding. Killing it is possible, but there is a big chance that kmail starts parsing that email again on its next start.

It is in the upstream BTS at http://bugs.kde.org/show_bug.cgi?id=137033

/Sune

-- System Information:
Debian Release: unstable/experimental
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (200, 'experimental')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/dash
Kernel: Linux 2.6.18-1-vserver-k7
Locale: LANG=en_GB, LC_CTYPE=en_GB (charmap=ISO-8859-1)

Versions of packages kmail depends on:
ii  kdebase-kio-plugins  4:3.5.5a.dfsg.1-1  core I/O slaves for KDE
ii  kdelibs4c2a          4:3.5.5a.dfsg.1-3  core libraries and binaries for al
ii  kdepim-kio-plugins   4:3.5.5.dfsg.1-1   KDE pim I/O Slaves
ii  libart-2.0-2         2.3.17-1           Library of functions for 2D graphi
ii  libaudio2            1.8-2              The Network Audio System (NAS). (s
ii  libc6                2.3.6.ds1-8        GNU C Library: Shared libraries
ii  libfontconfig1       2.4.1-2            generic font configuration library
ii  libfreetype6         2.2.1-5            FreeType 2 font engine, shared lib
ii  libgcc1              1:4.1.1-19         GCC support library
ii  libice6              1:1.0.1-2          X11 Inter-Client Exchange library
ii  libidn11             0.6.5-1            GNU libidn library, implementation
ii  libjpeg62            6b-13              The Independent JPEG Group's JPEG
ii  libkcal2b            4:3.5.5.dfsg.1-1   KDE calendaring library
ii  libkdepim1a          4:3.5.5.dfsg.1-1   KDE PIM library
ii  libkleopatra1        4:3.5.5.dfsg.1-1   KDE GnuPG interface libraries
ii  libkmime2            4:3.5.5.dfsg.1-1   KDE MIME interface library
ii  libkpimidentities1   4:3.5.5.dfsg.1-1   KDE PIM user identity information
ii  libksieve0           4:3.5.5.dfsg.1-1   KDE mail/news message filtering li
ii  libmimelib1c2a       4:3.5.5.dfsg.1-1   KDE mime library
ii  libpng12-0           1.2.8rel-7         PNG library - runtime
ii  libqt3-mt            3:3.3.7-1          Qt GUI Library (Threaded runtime v
ii  libsm6               1:1.0.1-3          X11 Session Management library
ii  libstdc++6           4.1.1-19           The GNU Standard C++ Library v3
ii  libx11-6             2:1.0.3-2          X11 client-side library
ii  libxcursor1          1.1.7-4            X cursor management library
ii  libxext6             1:1.0.1-2          X11 miscellaneous extension librar
ii  libxft2              2.1.8.2-8          FreeType-based font drawing librar
ii  libxi6               1:1.0.1-3          X11 Input extension library
ii  libxinerama1         1:1.0.1-4.1        X11 Xinerama extension library
ii  libxrandr2           2:1.1.0.2-4        X11 RandR extension library
ii  libxrender1          1:0.9.1-3          X Rendering Extension client libra
ii  libxt6               1:1.0.2-2          X11 toolkit intrinsics library
ii  perl                 5.8.8-6.1          Larry Wall's Practical Extraction
ii  zlib1g               1:1.2.3-13         compression library - runtime

Versions of packages kmail recommends:
ii  procmail             3.22-16            Versatile e-mail processor

-- no debconf information
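The lockup described in the report is an algorithmic-complexity problem in the address splitter: the patch below replaces per-character appends on byte-array strings (whose operator+ the patch comment calls "miserable") with appends on QString. The following added example is my own code, not KDE's and not part of the patch. It re-implements a simplified version of the same three-state splitter (top level, comment, angle address), templated on the buffer type, and runs it over one constructed header with a hypothetical `NaiveBuf` that has to scan to the terminator before every append and a hypothetical `FastBuf` with amortized constant-time appends. The names `NaiveBuf`, `FastBuf`, `splitAddress`, `measure` and the sample header are all mine; instead of wall-clock timing it counts the bytes each buffer scans, so the quadratic growth is visible deterministically.

```cpp
#include <cstddef>
#include <iostream>
#include <string>

// Added example (not KDE's code): simplified re-implementation of the
// address-splitting state machine the patch touches, templated on the buffer
// type so the same parser runs over both buffer implementations.
enum Context { TopLevel, InComment, InAngleAddress };
enum Result { Ok, AddressEmpty, UnexpectedEnd, UnexpectedComma, UnclosedAngleAddr };

// Hypothetical NaiveBuf: models a null-terminated byte array whose operator+=
// must scan to the terminator before every append. 'work' counts bytes scanned
// so the cost is measurable without timing.
struct NaiveBuf {
    std::string data;
    static size_t work;
    NaiveBuf &operator+=(char c) {
        size_t len = 0;
        while (len < data.size() && data[len] != '\0') ++len;  // strlen-like scan
        work += len;
        data.push_back(c);
        return *this;
    }
};
size_t NaiveBuf::work = 0;

// Hypothetical FastBuf: amortized O(1) append (std::string::push_back).
struct FastBuf {
    std::string data;
    static size_t work;
    FastBuf &operator+=(char c) { work += 1; data.push_back(c); return *this; }
};
size_t FastBuf::work = 0;

static std::string stripWhiteSpace(const std::string &s) {
    size_t b = s.find_first_not_of(" \t\r\n"), e = s.find_last_not_of(" \t\r\n");
    return b == std::string::npos ? "" : s.substr(b, e - b + 1);
}

template <class Buf>
Result splitAddress(const char *p, Buf &dName, Buf &aSpec, Buf &cmmt) {
    if (!p || !*p) return AddressEmpty;
    Context context = TopLevel;
    bool inQuotedString = false;
    int commentLevel = 0;
    for (; *p; ++p) {
        switch (context) {
        case TopLevel:
            switch (*p) {
            case '"': inQuotedString = !inQuotedString; dName += *p; break;
            case '(': if (!inQuotedString) { context = InComment; commentLevel = 1; } else dName += *p; break;
            case '<': if (!inQuotedString) context = InAngleAddress; else dName += *p; break;
            case ',': if (!inQuotedString) return UnexpectedComma; dName += *p; break;
            case '\\': dName += *p; ++p; if (*p) dName += *p; else return UnexpectedEnd; break;  // quoted char
            default: dName += *p;
            }
            break;
        case InComment:
            switch (*p) {
            case '(': ++commentLevel; cmmt += *p; break;
            case ')': if (--commentLevel == 0) { context = TopLevel; cmmt += ' '; } else cmmt += *p; break;
            case '\\': cmmt += *p; ++p; if (*p) cmmt += *p; else return UnexpectedEnd; break;
            default: cmmt += *p;
            }
            break;
        case InAngleAddress:
            switch (*p) {
            case '"': inQuotedString = !inQuotedString; aSpec += *p; break;
            case '>': if (!inQuotedString) context = TopLevel; else aSpec += *p; break;
            case '\\': aSpec += *p; ++p; if (*p) aSpec += *p; else return UnexpectedEnd; break;
            default: aSpec += *p;
            }
            break;
        }
    }
    return context == InAngleAddress ? UnclosedAngleAddr : Ok;
}

// Constructed sample header: long quoted display name, angle address, comment.
std::string constructedHeader(size_t nameLen) {
    return "\"" + std::string(nameLen, 'a') + "\" <user@example.invalid> (note)";
}

struct Cost { Result naiveRes, fastRes; size_t naiveWork, fastWork; std::string addrSpec, comment; };

// Parses the same constructed header with both buffer types; reports the work each needed.
Cost measure(size_t nameLen) {
    std::string hdr = constructedHeader(nameLen);
    NaiveBuf::work = 0; FastBuf::work = 0;
    NaiveBuf nd, na, nc; FastBuf fd, fa, fc;
    Cost c = Cost();
    c.naiveRes = splitAddress(hdr.c_str(), nd, na, nc);
    c.fastRes = splitAddress(hdr.c_str(), fd, fa, fc);
    c.naiveWork = NaiveBuf::work; c.fastWork = FastBuf::work;
    c.addrSpec = stripWhiteSpace(fa.data); c.comment = stripWhiteSpace(fc.data);
    return c;
}

int main() {
    for (size_t n = 1000; n <= 16000; n *= 4) {
        Cost c = measure(n);
        std::cout << "name length " << n << ": naive work " << c.naiveWork
                  << ", amortized work " << c.fastWork << "\n";
    }
    return 0;
}
```

Quadrupling the display-name length multiplies the naive buffer's work by about sixteen while the amortized buffer's work only quadruples; that is the shape of a single oversized header value turning a parser into a multi-minute hang, and the reason the patch moves the accumulation into QString before converting back once at the end.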
Index: libemailfunctions/email.cpp =================================================================== --- libemailfunctions/email.cpp (Revision 599840) +++ libemailfunctions/email.cpp (Arbeitskopie) @@ -111,7 +111,14 @@ displayName = ""; addrSpec = ""; comment = ""; - + + // these strings are later copied to displayName resp. addrSpec resp. comment + // we don't operate directly on those variables, since as ByteArray deriverates + // they have a miserable performance on operator+ + QString dName; + QString aSpec; + QString cmmt; + if ( address.isEmpty() ) return KPIM::AddressEmpty; @@ -129,26 +136,26 @@ case TopLevel : { switch ( *p ) { case '"' : inQuotedString = !inQuotedString; - displayName += *p; + dName += *p; break; case '(' : if ( !inQuotedString ) { context = InComment; commentLevel = 1; } else - displayName += *p; + dName += *p; break; case '<' : if ( !inQuotedString ) { context = InAngleAddress; } else - displayName += *p; + dName += *p; break; case '\\' : // quoted character - displayName += *p; + dName += *p; ++p; // skip the '\' if ( *p ) - displayName += *p; + dName += *p; else return KPIM::UnexpectedEnd; break; 
@@ -159,57 +166,57 @@ return KPIM::UnexpectedComma; } else - displayName += *p; + dName += *p; break; - default : displayName += *p; + default : dName += *p; } break; } case InComment : { switch ( *p ) { case '(' : ++commentLevel; - comment += *p; + cmmt += *p; break; case ')' : --commentLevel; if ( commentLevel == 0 ) { context = TopLevel; - comment += ' '; // separate the text of several comments + cmmt += ' '; // separate the text of several comments } else - comment += *p; + cmmt += *p; break; case '\\' : // quoted character - comment += *p; + cmmt += *p; ++p; // skip the '\' if ( *p ) - comment += *p; + cmmt += *p; else return KPIM::UnexpectedEnd; break; - default : comment += *p; + default : cmmt += *p; } break; } case InAngleAddress : { switch ( *p ) { case '"' : inQuotedString = !inQuotedString; - addrSpec += *p; + aSpec += *p; break; case '>' : if ( !inQuotedString ) { context = TopLevel; } else - addrSpec += *p; + aSpec += *p; break; case '\\' : // quoted character - addrSpec += *p; + aSpec += *p; ++p; // skip the '\' if ( *p ) - addrSpec += *p; + aSpec += *p; else return KPIM::UnexpectedEnd; break; - default : addrSpec += *p; + default : aSpec += *p; } break; } @@ -223,9 +230,10 @@ if ( context == InAngleAddress ) return KPIM::UnclosedAngleAddr; - displayName = displayName.stripWhiteSpace(); - comment = comment.stripWhiteSpace(); - addrSpec = addrSpec.stripWhiteSpace(); + + displayName = dName.stripWhiteSpace().local8Bit(); + comment = cmmt.stripWhiteSpace().local8Bit(); + addrSpec = aSpec.stripWhiteSpace().local8Bit(); if ( addrSpec.isEmpty() ) { if ( displayName.isEmpty() )
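Review bot: in the new comment block of the first hunk (`@@ -111,7 +111,14 @@`), "deriverates" should be "derivatives", and the comment should say why operator+ is slow rather than only that it is "miserable": a null-terminated byte array has to find its end before every append, so building a long field one character at a time costs time proportional to the square of its length, which is what turns one oversized header into the reported lockup. Something like `// QCString::operator+= is linear in the current length, so per-character appends are quadratic; QString appends in amortized constant time` would let the next reader connect the change to the bug.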
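Review bot: the last hunk (`@@ -223,9 +230,10 @@`) makes the split no longer byte-preserving. The characters are appended with `dName += *p` where `*p` is a `char`, so QString's char overload interprets each byte as Latin-1, but the results are converted back with `.local8Bit()`, which goes through the locale codec; on a UTF-8 locale any byte above 0x7F in a display name, comment or addr-spec comes out as two bytes, so the output of `splitAddress()` differs from what the old QCString code returned. Convert back with `.latin1()` to mirror the way the characters went in (or build the QStrings with `fromLocal8Bit()` if locale conversion is really intended), and add a test with a non-ASCII display name to pin this down.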