The sieve plugin for Thundirbird likes to rapidly compile work in progress sieve scripts to continually give feedback on any errors in the script. This can trigger segmentation faults in lib-sieve with certain pathologically incomplete sieve scripts. One example: #0 tag_comparator_validate (valdtr=0x7f291aa713a0, arg=0x7fff5c3cfa58, cmd=0x7f291aa69360) at sieve-comparators.c:143 143 if ( (*arg)->type != SAAT_STRING ) { Missing separate debuginfos, use: debuginfo-install bzip2-libs-1.0.6-12.el7.x86_64 glibc-2.17-55.el7_0.3.x86_64 sssd-client-1.11.2-68.el7_0.6.x86_64 zlib-1.2.7-13.el7.x86_64 (gdb) list 138 *arg = sieve_ast_argument_next(*arg); 139 140 /* Check syntax: 141 * ":comparator" 142 */ 143 if ( (*arg)->type != SAAT_STRING ) { 144 sieve_argument_validate_error(valdtr, *arg, 145 ":comparator tag requires one string argument, but %s was found", 146 sieve_ast_argument_name(*arg) ); 147 return FALSE; (gdb) print arg $1 = (struct sieve_ast_argument **) 0x7fff5c3cfa58 (gdb) print *arg $2 = (struct sieve_ast_argument *) 0x0 So sieve_ast_argument_next() is returning NULL and we're trying to dereference it without checking. Here's a completely naive attempt at a patch: --- dovecot-2.2.15/dovecot-2.2-pigeonhole-0.4.3/src/lib-sieve/sieve-comparators.c.null 2014-01-01 15:46:39.000000000 -0700 +++ dovecot-2.2.15/dovecot-2.2-pigeonhole-0.4.3/src/lib-sieve/sieve-comparators.c 2014-12-29 14:01:00.233436697 -0700 @@ -140,6 +140,11 @@ static bool tag_comparator_validate /* Check syntax: * ":comparator" */ + if ( *arg == NULL ) { + sieve_argument_validate_error(valdtr, *arg, + ":comparator tag requires one string argument, but none was found"); + return FALSE; + } if ( (*arg)->type != SAAT_STRING ) { sieve_argument_validate_error(valdtr, *arg, ":comparator tag requires one string argument, but %s was found", -- Orion Poplawski Technical Manager 303-415-9701 x222 NWRA, Boulder/CoRA Office FAX: 303-415-9702 3380 Mitchell Lane orion@nwra.com Boulder, CO 80301 http://www.nwra.com