Vulnerability Development mailing list archives

Fuzzing KDE based apps (narrowing down bugs)


From: nnp <version5 () gmail com>
Date: Mon, 9 Oct 2006 09:18:02 +0100

Hey, I was wondering if anyone has any experience auditing KDE based
applications. Recently I found this while fuzzing for a different
type of vuln.

I am using KDE 3.5.2 and kmail 1.9.1.

This bug requires HTML to be enabled (Settings -> Configure Kmail ->
Security -> and tick Prefer HTML to Plain Text.).

(email that causes crash) http://silenthack.co.uk/nnp/exploits/kmail/crashMail

When the mail is viewed it should crash immediately and give you a
stack trace similar to

(no debugging symbols found)
Using host libthread_db library "/lib/tls/i686/cmov/libthread_db.so.1".
[KCrash handler]
#6  0xffffe410 in __kernel_vsyscall ()
#7  0xb787b9a1 in raise () from /lib/tls/i686/cmov/libc.so.6
#8  0xb787d2b9 in abort () from /lib/tls/i686/cmov/libc.so.6
#9  0xb7757cf9 in kdbgstream::flush () from /usr/lib/libkdecore.so.4
#10 0xb7bf7cda in endl () from /usr/lib/libkmailprivate.so
#11 0xb5be724e in KIO::Scheduler::_scheduleJob () from /usr/lib/libkio.so.4
#12 0xb6cdaa17 in khtml_jpeg_source_mgr::khtml_jpeg_source_mgr ()
from /usr/lib/libkhtml.so.4
#13 0xb6cdad1a in khtml_jpeg_source_mgr::khtml_jpeg_source_mgr ()
from /usr/lib/libkhtml.so.4
#14 0xb7117eb9 in QObject::activate_signal () from /usr/lib/libqt-mt.so.3
#15 0xb7118954 in QObject::activate_signal () from /usr/lib/libqt-mt.so.3
#16 0xb74ad39e in QTimer::timeout () from /usr/lib/libqt-mt.so.3
#17 0xb713ceb1 in QTimer::event () from /usr/lib/libqt-mt.so.3
#18 0xb70ade56 in QApplication::internalNotify () from /usr/lib/libqt-mt.so.3
#19 0xb70ae052 in QApplication::notify () from /usr/lib/libqt-mt.so.3
#20 0xb77abd7d in KApplication::notify () from /usr/lib/libkdecore.so.4
#21 0xb703f157 in QApplication::sendEvent () from /usr/lib/libqt-mt.so.3
#22 0xb709f843 in QEventLoop::activateTimers () from /usr/lib/libqt-mt.so.3
#23 0xb7052f67 in QEventLoop::processEvents () from /usr/lib/libqt-mt.so.3
#24 0xb70c6947 in QEventLoop::enterLoop () from /usr/lib/libqt-mt.so.3
#25 0xb70c686a in QEventLoop::exec () from /usr/lib/libqt-mt.so.3
#26 0xb70ac965 in QApplication::exec () from /usr/lib/libqt-mt.so.3
#27 0x0804a04b in ?? ()
#28 0xbfe80938 in ?? ()
#29 0xbfe80b24 in ?? ()
#30 0x00000000 in ?? ()


The problem is, KDE has this ever so helpful bug reporting system
which catches the crash, gives the above output and leaves no core
dump or anything to work with.

Sure, I can use the above email to crash the program, but without
figuring out the exact part of it that causes the crash and why, it is
both inelegant and not particularly useful. At the moment the only way
I can think of is to get the kmail source code (libkhtml source etc.)
and look at the above mentioned methods, or start randomly cutting out
pieces of the fuzz email until I get somewhere (which doesn't sound
like much fun ;) )

Does anyone know of a better method to narrow down a bug after fuzzing in KDE?

Thanks,
nnp

--
http://silenthack.co.uk
http://smashthestack.org
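Added example, not part of the original post or of KDE/KMail: the "randomly cutting out pieces" the poster dreads is exactly what delta debugging (Zeller's ddmin) does systematically, and it only needs a yes/no "does this input still crash" oracle. The block below implements ddmin over the lines of a mail file and shows it reducing a constructed sample message (the sample mail and its synthetic crash predicate are made up for the demonstration; they are not the poster's crashMail). It also includes a hypothetical harness predicate that writes each candidate to a temp file and runs a viewer command of your choice with `KDE_DEBUG=1` in the environment, which is the documented way to keep KCrash/DrKonqi from intercepting the signal so the process dies normally and, with `ulimit -c unlimited`, leaves a core for gdb; the command taking the mail path as its last argument is an assumption you would adapt. Two practitioner notes on the trace itself: frames #8/#9 show abort() reached from kdbgstream::flush(), the path a fatal kdDebug message takes, so the minimized input tells you which fatal check fires rather than pointing at a memory-corruption site; and the `?? ()` frames plus "no debugging symbols found" mean installing the kdelibs/kmail debug packages (or rebuilding with -g) is worth doing before reading the symbolized trace.

```python
"""Delta debugging (ddmin) for a crashing fuzz input, here a KMail HTML mail.
Constructed example: the sample mail and its crash predicate are synthetic."""
import os
import subprocess
import tempfile
from typing import Callable, List, Sequence


def split(seq: Sequence[str], n: int) -> List[List[str]]:
    """Split seq into n contiguous, near-equal, non-overlapping chunks."""
    size = len(seq)
    return [list(seq[i * size // n:(i + 1) * size // n]) for i in range(n)]


def ddmin(items: Sequence[str], fails: Callable[[List[str]], bool]) -> List[str]:
    """Return a 1-minimal subsequence of items for which fails() is still True.

    Classic ddmin: try each chunk alone, then each complement; on success
    restart with finer/coarser granularity, otherwise double the chunk count.
    """
    items = list(items)
    if not fails(items):
        raise ValueError("initial input does not trigger the failure")
    n = 2
    while len(items) >= 2:
        parts = split(items, n)
        reduced = False
        for part in parts:                      # reduce to a single chunk
            if part and fails(part):
                items, n, reduced = part, 2, True
                break
        if not reduced:                         # reduce to a complement
            for i in range(len(parts)):
                comp = [x for j, p in enumerate(parts) if j != i for x in p]
                if comp and fails(comp):
                    items, n, reduced = comp, max(n - 1, 2), True
                    break
        if not reduced:
            if n >= len(items):                 # already at single-line granularity
                break
            n = min(n * 2, len(items))
    return items


def make_crash_predicate(command: List[str], timeout: float = 30.0) -> Callable[[List[str]], bool]:
    """Hypothetical harness: write the candidate mail to a temp file and run
    `command` (assumed to take the file path as its last argument) with
    KDE_DEBUG=1 so KCrash does not swallow the signal. A negative return code
    means the process was killed by a signal (SIGABRT/SIGSEGV) = crash."""
    def fails(lines: List[str]) -> bool:
        with tempfile.NamedTemporaryFile("w", suffix=".eml", delete=False) as f:
            f.write("\n".join(lines) + "\n")
            path = f.name
        env = dict(os.environ, KDE_DEBUG="1")
        try:
            proc = subprocess.run(command + [path], env=env, timeout=timeout,
                                  capture_output=True)
        except subprocess.TimeoutExpired:
            return False                        # a hang is not the crash we chase
        finally:
            os.unlink(path)
        return proc.returncode < 0
    return fails


# Constructed sample mail: only the <table> and <img> lines together "crash".
SAMPLE_MAIL = [
    "From: fuzzer@example.invalid",
    "To: victim@example.invalid",
    "Subject: fuzz case 0042",
    "Content-Type: text/html; charset=us-ascii",
    "",
    "<html><body>",
    "<p>benign paragraph one</p>",
    '<table border="1"><tr><td>cell</td></tr></table>',
    "<p>benign paragraph two</p>",
    '<img src="cid:a.jpg" width="-1" height="99999">',
    "<p>benign paragraph three</p>",
    "</body></html>",
]


def synthetic_crash(lines: List[str]) -> bool:
    """Stand-in oracle for the demo: the 'crash' needs both a <table> and an <img>."""
    has_table = any("<table" in line for line in lines)
    has_img = any("<img" in line for line in lines)
    return has_table and has_img


def minimize_sample() -> List[str]:
    """Reduce the constructed sample mail with the synthetic oracle."""
    return ddmin(SAMPLE_MAIL, synthetic_crash)


if __name__ == "__main__":
    for line in minimize_sample():
        print(line)
```

To use it against the real crash, replace `synthetic_crash` with `make_crash_predicate(["your-viewer-command"])` and feed it the lines of the crashMail file; the oracle is the whole adaptation. Because ddmin tests complements as well as chunks, it finds minimal inputs that need two or more far-apart lines (as in the sample, where the table and the img tag sit several lines apart), and the result is 1-minimal: removing any single remaining line makes the crash go away.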

