Over on https://bugs.debian.org/869736, Jakub Wilk reports:
--- Begin Message ---
- From: Jakub Wilk <jwilk jwilk net>
- To: Debian Bug Tracking System <submit bugs debian org>
- Subject: Bug#869736: libgmime-3.0-0: infinite loop when parsing malformed address
- Date: Tue, 25 Jul 2017 23:36:32 +0200
Package: libgmime-3.0-0
Version: 3.0.1-2
Tags: security

GMime falls into an infinite loop when parsing some malformed addresses.

To reproduce, rebuild the package from source and run test-parser against the attached mailbox:

$ gzip -d infloop.mbox.gz
$ tests/test-parser infloop.mbox
Testing MIME parser...
[... eats 100% CPU forever ...]

Backtrace:

#0  0xf7f64887 in g_mime_skip_cfws (in=0xffffd3f8) at gmime-parse-utils.c:184
#1  0xf7f64e73 in decode_subliteral (domain=0x56565690, in=0xffffd3f4) at gmime-parse-utils.c:357
#2  0xf7f64e73 in decode_domain_literal (domain=0x56565690, in=<optimized out>) at gmime-parse-utils.c:375
#3  0xf7f64e73 in g_mime_decode_domain (in=0xffffd474, domain=0x56565690) at gmime-parse-utils.c:415
#4  0xf7f7be4d in decode_route (in=0xffffd46c) at internet-address.c:1412
#5  0xf7f7be4d in mailbox_parse (address=<synthetic pointer>, name=0x56567978 "", in=0xffffd468, options=0x5655f5c0) at internet-address.c:1708
#6  0xf7f7be4d in address_parse (flags=ALLOW_ANY, address=<synthetic pointer>, charset=0xffffd460, in=0xffffd464, options=0x5655f5c0) at internet-address.c:2043
#7  0xf7f7be4d in address_list_parse (list=list@entry=0x5655f820 [InternetAddressList], options=options@entry=0x5655f5c0, in=in@entry=0xffffd4b8, is_group=0) at internet-address.c:2078
#8  0xf7f7cfda in address_list_parse (is_group=0, in=<optimized out>, options=0x5655f5c0, list=0x5655f820 [InternetAddressList]) at internet-address.c:2064
#9  0xf7f7cfda in internet_address_list_parse (options=0x5655f5c0, str=0x56567890 "<@[\t(") at internet-address.c:2129
#10 0xf7f5bd5c in message_update_addresses (message=message@entry=0x5655a358 [GMimeMessage], options=0x5655f5c0, options@entry=0xf7f5c520 <from_changed>, type=GMIME_ADDRESS_TYPE_FROM) at gmime-message.c:288
#11 0xf7f5c034 in process_header (object=object@entry=0x5655a358 [GMimeMessage], header=0x5655a358 [GMimeMessage], header@entry=0x56567a00 [GMimeHeader]) at gmime-message.c:330
#12 0xf7f5c10f in message_header_added (object=0x5655a358 [GMimeMessage], header=0x56567a00 [GMimeHeader]) at gmime-message.c:362
#13 0xf7f50ac3 in g_mime_event_emit (event=0x5655e7d8, args=0xffffd574) at gmime-events.c:221
#14 0xf7f5a5b2 in _g_mime_header_list_append (headers=0x56566c40 [GMimeHeaderList], name=0x56566b60 "From", raw_name=0x565655f0 "From", raw_value=0x56566b50 "<@[\t(", offset=6) at gmime-header.c:1196
#15 0xf7f619e0 in _g_mime_object_append_header (object=<optimized out>, header=0x56566b60 "From", raw_name=0x565655f0 "From", raw_value=0x56566b50 "<@[\t(", offset=6) at gmime-object.c:848
#16 0xf7f684da in parser_construct_message (options=0x0, parser=0x56565600 [GMimeParser]) at gmime-parser.c:1999
#17 0xf7f684da in g_mime_parser_construct_message (parser=0x56565600 [GMimeParser], options=0x0) at gmime-parser.c:2044
#18 0x56555f5d in test_parser (stream=<optimized out>) at test-parser.c:170
#19 0x56555f5d in main (argc=2, argv=0xffffd704) at test-parser.c:268

Found using American Fuzzy Lop: http://lcamtuf.coredump.cx/afl/

-- System Information:
Architecture: i386

Versions of packages libgmime-3.0-0 depends on:
ii  libassuan0      2.4.3-2
ii  libc6           2.24-12
ii  libglib2.0-0    2.52.3-1
ii  libgpg-error0   1.27-3
ii  libgpgme11      1.8.0-3+b3
ii  zlib1g          1:1.2.8.dfsg-5

-- 
Jakub Wilk

Attachment: infloop.mbox.gz
Description: application/gzip
--- End Message ---
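The attachment itself is not reproduced above, but the backtrace shows the offending input: a From header whose raw value is "<@[\t(" (an address where "[" opens a domain literal and "(" opens a comment, neither of which is ever closed). The following is an added triage harness, not code from the bug report or from GMime: it constructs a minimal one-message mbox carrying that header, runs a parser command against it under a wall-clock deadline so a hang becomes a test failure rather than a stuck terminal, and shortens the header value prefix by prefix to find the smallest input that still hangs. The mbox layout (a leading mbox "From " separator plus one header and an empty body) is an assumption about what test-parser expects; the parser command is a parameter so any binary can be substituted.

```python
"""Triage harness for a fuzz-found parser hang (added example, not GMime code)."""
import subprocess
import tempfile
from pathlib import Path
from typing import Optional, Sequence, Tuple

# Raw header value copied from the backtrace (raw_value="<@[\t(", offset=6).
# Note the literal tab between "[" and "(".
HANG_HEADER_VALUE = "<@[\t("


def build_mbox(header_value: str = HANG_HEADER_VALUE) -> bytes:
    """Construct a minimal mbox: one message whose only header is From.

    The mbox "From " separator line and the empty body are assumptions; the
    original attachment is not on the page, only the header value is.
    """
    return (
        "From - Tue Jul 25 23:36:32 2017\n"  # mbox message separator (assumed)
        f"From: {header_value}\n"
        "\n"
    ).encode("utf-8")


def run_with_deadline(cmd: Sequence[str], timeout_s: float) -> Tuple[bool, Optional[int]]:
    """Run cmd; return (hung, returncode).

    hung is True when the process is still running after timeout_s seconds;
    subprocess.run then kills it, so a parser stuck in an infinite loop does
    not take the harness down with it.
    """
    try:
        proc = subprocess.run(
            list(cmd),
            stdout=subprocess.DEVNULL,
            stderr=subprocess.DEVNULL,
            timeout=timeout_s,
        )
    except subprocess.TimeoutExpired:
        return True, None
    return False, proc.returncode


def reproduce(parser_cmd: Sequence[str], timeout_s: float = 5.0,
              header_value: str = HANG_HEADER_VALUE) -> Tuple[bool, Optional[int]]:
    """Write the constructed mbox to a temp dir and run parser_cmd <mbox> on it."""
    with tempfile.TemporaryDirectory() as tmp:
        mbox = Path(tmp) / "infloop.mbox"
        mbox.write_bytes(build_mbox(header_value))
        return run_with_deadline(list(parser_cmd) + [str(mbox)], timeout_s)


def minimize(parser_cmd: Sequence[str], timeout_s: float = 5.0,
             header_value: str = HANG_HEADER_VALUE) -> Optional[str]:
    """Return the shortest prefix of header_value that still hangs parser_cmd.

    Prefixes are tried from shortest to longest, so the first hang found is
    the minimal one. Returns None when no prefix (including the full value)
    hangs within the deadline, e.g. against a fixed build.
    """
    for n in range(1, len(header_value) + 1):
        candidate = header_value[:n]
        hung, _ = reproduce(parser_cmd, timeout_s, candidate)
        if hung:
            return candidate
    return None


if __name__ == "__main__":
    import sys
    # Usage: python3 harness.py tests/test-parser
    cmd = sys.argv[1:] or ["cat"]  # "cat" is a stand-in parser that never hangs
    hung, rc = reproduce(cmd)
    print("hung" if hung else f"exited with {rc}")
    print("minimal hanging prefix:", repr(minimize(cmd)))
```

Run it as `python3 harness.py tests/test-parser` from a source build. A hang inside the deadline is reported as "hung"; a build that exits cleanly reports its exit code and `None` for the minimal prefix. The same harness can be pointed at a patched build to confirm the fix, and at other fuzzer outputs by changing the header value.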