[Users] [Bug 3610] New: Heap use after free in privacy_mimeinfo_check_signature()

noreply at thewildbeast.co.uk noreply at thewildbeast.co.uk
Thu Feb 4 21:44:00 CET 2016


http://www.thewildbeast.co.uk/claws-mail/bugzilla/show_bug.cgi?id=3610

            Bug ID: 3610
           Summary: Heap use after free in
                    privacy_mimeinfo_check_signature()
    Classification: Unclassified
           Product: Claws Mail
           Version: other
          Hardware: PC
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P3
         Component: Other
          Assignee: users at lists.claws-mail.org
          Reporter: hanno at hboeck.de

Created attachment 1628
  -->
http://www.thewildbeast.co.uk/claws-mail/bugzilla/attachment.cgi?id=1628&action=edit
asan error / stack trace for use after free in privacy_mimeinfo_check_signature

I discovered a use after free error with address sanitizer. It seems similar to
bug #3598.

A reliable way to reproduce it:
* Have the pgp plugins enabled.
* Open a pgp-signed mail in one folder.
* Go to another folder, don't open a mail.
* Press "c" (which is "check signature", but should do nothing as no mail is
open).

If claws-mail was compiled with address sanitizer enabled it will terminate and
show a use after free error. I have attached the asan log.

I think there is a problem with the variable mimeinfo that is similar to the
problem with msginfo in bug #3598.

Right before the uaf I see there is this code:
    cm_return_val_if_fail(mimeinfo != NULL, -1);

That is, the code assumes that if mimeinfo is not null it contains valid data.
For this to be true, at every place it gets freed it would have to be set to
zero, which is not happening.
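The pattern the report describes, as an added illustration that is not part of the bug report and not Claws Mail's code: a "current part" pointer, a guard in the style of cm_return_val_if_fail(), and two teardown paths, one that frees without nulling (the dangling-pointer case) and one that frees and clears in a single step. The MimeInfo struct, the CLEAR_POINTER macro and the helper names are hypothetical stand-ins.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for a MIME part record; not the real Claws Mail struct. */
typedef struct {
    char *content_type;
    int   signed_flag;
} MimeInfo;

/* Same shape as a cm_return_val_if_fail()-style guard: bail out with `val`
 * when the condition is false. Assumed, not copied from Claws Mail. */
#define RETURN_VAL_IF_FAIL(cond, val) do { if (!(cond)) return (val); } while (0)

/* Free-and-clear: release the object *and* reset the caller's pointer, so a
 * later NULL guard sees NULL rather than a dangling heap address. */
#define CLEAR_POINTER(pp, free_fn) do { free_fn(*(pp)); *(pp) = NULL; } while (0)

static char *dup_str(const char *s) {
    size_t n = strlen(s) + 1;
    char *d = malloc(n);
    if (d) memcpy(d, s, n);
    return d;
}

MimeInfo *mimeinfo_new(const char *ctype) {
    MimeInfo *mi = calloc(1, sizeof *mi);
    if (!mi) return NULL;
    mi->content_type = dup_str(ctype);
    mi->signed_flag = strstr(ctype, "signed") != NULL;
    return mi;
}

void mimeinfo_free(MimeInfo *mi) {
    if (!mi) return;
    free(mi->content_type);
    free(mi);
}

/* The guarded check. Returns -1 when there is no part, 1 if the part is
 * signed, 0 otherwise. The guard is only sound if every free site also
 * clears the pointer it frees. */
int check_signature(const MimeInfo *mi) {
    RETURN_VAL_IF_FAIL(mi != NULL, -1);
    return mi->signed_flag ? 1 : 0;
}

/* "Currently displayed part" state, as a message view might keep it. */
static MimeInfo *current_mimeinfo = NULL;

void open_message(const char *ctype) {
    CLEAR_POINTER(&current_mimeinfo, mimeinfo_free);  /* drop any previous part */
    current_mimeinfo = mimeinfo_new(ctype);
}

/* The defective pattern from the report: the part is freed, but the pointer
 * keeps the freed address. A following check_signature(current_mimeinfo)
 * passes the NULL guard and reads freed memory (what ASan flags as a
 * heap-use-after-free). Shown for contrast; never called in this example. */
void leave_folder_buggy(void) {
    mimeinfo_free(current_mimeinfo);
}

/* The corrected pattern: free and null together, so the guard is meaningful. */
void leave_folder_fixed(void) {
    CLEAR_POINTER(&current_mimeinfo, mimeinfo_free);
}

/* Simulates pressing "c" with no message open after leaving the folder. */
int on_check_signature_key(void) {
    return check_signature(current_mimeinfo);
}

const MimeInfo *current_part(void) { return current_mimeinfo; }
```

Running the fixed path under AddressSanitizer stays clean because the guard takes the -1 branch; the buggy path would trip the same heap-use-after-free report the attachment shows, which is why the clearing has to happen at every free site and not only in some of them.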
