Vulnerability Development mailing list archives

Re: Evolution Cores (needs more work)


From: Kev <klmitch () MIT EDU>
Date: Tue, 15 Jan 2002 17:29:42 -0500

I was doing some testing of env vars (HOME in this case) and managed to
get evolution to core..   I set $HOME to 10235 A's as shown below, then
tried to execute evolution.  When I did that the following happened:


sh-2.04$ export HOME=`perl -e'print "A" x 10235'`
sh-2.04$ evolution
Gnome-ERROR **: Could not create per-user Gnome directory
<AAAAAA....<snip>
aborting...
Aborted (core dumped)

This, combined with the stack trace you show below, indicates that it is
very unlikely that this bug can be exploited.  If I understand what I'm
seeing correctly, Gnome is trusting the HOME environment variable--not a
security problem in and of itself, really--and trying to create a
directory it can use for per-user information.  It doesn't seem to be
overflowing the buffer--perhaps it's truncating the file name--but when
the directory creation fails, the Gnome library itself crunches out by
calling abort().  Although this is bad manners in library code, it doesn't
really represent a vulnerability as far as I can see.
-- 
Kevin L. Mitchell <klmitch () mit edu>
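
The reply above contrasts a library that calls abort() when per-user directory creation fails with one that reports the failure. The following C sketch is an added example, not code from Gnome, Evolution or the original post: it builds the directory path with a length check and returns an errno value to the caller. The helper name `make_user_dir` and the subdirectory `.example-app` are hypothetical.

```c
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>

#ifndef PATH_MAX
#define PATH_MAX 4096
#endif

/* Hypothetical helper: build "<home>/<subdir>" in out and create it.
 * Returns 0 on success or an errno value; it never truncates the
 * name silently and never calls abort() on behalf of the caller. */
int make_user_dir(const char *home, const char *subdir,
                  char *out, size_t outlen)
{
    struct stat st;
    int n;

    if (home == NULL || *home == '\0')
        return EINVAL;                    /* HOME unset or empty */
    n = snprintf(out, outlen, "%s/%s", home, subdir);
    if (n < 0)
        return EINVAL;
    if ((size_t)n >= outlen || n >= PATH_MAX)
        return ENAMETOOLONG;              /* refuse a truncated path */
    if (mkdir(out, 0700) == 0)
        return 0;
    if (errno != EEXIST)
        return errno;                     /* ENOENT, EACCES, ... */
    if (stat(out, &st) != 0)
        return errno;
    return S_ISDIR(st.st_mode) ? 0 : ENOTDIR;
}

int main(void)
{
    /* Constructed input matching the report: HOME = 10235 'A's. */
    static char home[10236];
    char path[PATH_MAX];
    int rc;

    memset(home, 'A', sizeof home - 1);
    rc = make_user_dir(home, ".example-app", path, sizeof path);
    printf("overlong HOME: %s\n", rc ? strerror(rc) : "created");
    return 0;
}
```

With the 10235-character value the helper returns ENAMETOOLONG before any filesystem call, so the application can print an error and exit cleanly instead of dumping core.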

