[Secure-testing-team] Bug#860451: libical: CVE-2016-5824

Salvatore Bonaccorso carnil at debian.org
Mon Apr 17 06:31:19 UTC 2017


Source: libical
Version: 1.0-1.3
Severity: important
Tags: upstream security
Forwarded: https://github.com/libical/libical/issues/235
Control: found -1 2.0.0-0.5

Hi,

the following vulnerability was published for libical.

CVE-2016-5824[0]:
| libical 1.0 allows remote attackers to cause a denial of service
| (use-after-free) via a crafted ics file.

This one was initially reported at [1], then to [2] and got assigned
the CVE in [3]. There is unfortunately some lack of clarity around the
libical CVEs due to the reports. To verify this one, the [2] report
contains a reproducer which can be used to test/verify a potential fix.

To reproduce, get the reproducer from the #1275400 bugzilla.mozilla.org
report:

$ wget 'https://bugzilla.mozilla.org/attachment.cgi?id=8757553' -O 1275400.ics
$ valgrind ./icaltestparser ./1275400.ics >/dev/null
==11789== Memcheck, a memory error detector
==11789== Copyright (C) 2002-2013, and GNU GPL'd, by Julian Seward et al.
==11789== Using Valgrind-3.10.0 and LibVEX; rerun with -h for copyright info
==11789== Command: ./icaltestparser ./1275400.ics
==11789== 
==11789== Invalid read of size 1
==11789==    at 0x50E1DCC: vfprintf (vfprintf.c:1642)
==11789==    by 0x518D394: __vsnprintf_chk (vsnprintf_chk.c:63)
==11789==    by 0x518D2F7: __snprintf_chk (snprintf_chk.c:34)
==11789==    by 0x4E70E2A: icalreqstattype_as_string_r (in /usr/lib/libical.so.1.0.0)
==11789==    by 0x4E71C39: icalvalue_as_ical_string_r (in /usr/lib/libical.so.1.0.0)
==11789==    by 0x4E6694A: icalproperty_as_ical_string_r (in /usr/lib/libical.so.1.0.0)
==11789==    by 0x4E60127: icalcomponent_as_ical_string_r (in /usr/lib/libical.so.1.0.0)
==11789==    by 0x4E60235: icalcomponent_as_ical_string (in /usr/lib/libical.so.1.0.0)
==11789==    by 0x400A71: main (in /home/dummy/icaltestparser)
==11789==  Address 0x5660653 is 3 bytes inside a block of size 4 free'd
==11789==    at 0x4C29E90: free (vg_replace_malloc.c:473)
==11789==    by 0x4E65401: icalparser_add_line (in /usr/lib/libical.so.1.0.0)
==11789==    by 0x400A5A: main (in /home/dummy/icaltestparser)
==11789== 
==11789== 
==11789== HEAP SUMMARY:
==11789==     in use at exit: 29,301 bytes in 82 blocks
==11789==   total heap usage: 616 allocs, 534 frees, 153,866 bytes allocated
==11789== 
==11789== LEAK SUMMARY:
==11789==    definitely lost: 4,538 bytes in 57 blocks
==11789==    indirectly lost: 1,105 bytes in 21 blocks
==11789==      possibly lost: 0 bytes in 0 blocks
==11789==    still reachable: 23,658 bytes in 4 blocks
==11789==         suppressed: 0 bytes in 0 blocks
==11789== Rerun with --leak-check=full to see details of leaked memory
==11789== 
==11789== For counts of detected and suppressed errors, rerun with: -v
==11789== ERROR SUMMARY: 32 errors from 1 contexts (suppressed: 0 from 0)
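To turn the valgrind run above into a repeatable check for a candidate fix, here is an added example (not from the report or from libical) that parses memcheck output into error records and only accepts the fix when the reproducer yields zero errors; the embedded log is a constructed excerpt of the output quoted above.

```python
import re

# Constructed sample: a trimmed copy of the first error block from the report's valgrind run.
SAMPLE_LOG = """==11789== Invalid read of size 1
==11789==    at 0x50E1DCC: vfprintf (vfprintf.c:1642)
==11789==    by 0x4E70E2A: icalreqstattype_as_string_r (in /usr/lib/libical.so.1.0.0)
==11789==    by 0x400A71: main (in /home/dummy/icaltestparser)
==11789==  Address 0x5660653 is 3 bytes inside a block of size 4 free'd
==11789==    at 0x4C29E90: free (vg_replace_malloc.c:473)
==11789==    by 0x4E65401: icalparser_add_line (in /usr/lib/libical.so.1.0.0)
==11789==    by 0x400A5A: main (in /home/dummy/icaltestparser)
==11789==
==11789== ERROR SUMMARY: 32 errors from 1 contexts (suppressed: 0 from 0)
"""

PREFIX = re.compile(r"^==\d+==")
FRAME = re.compile(r"^\s+(?:at|by) 0x[0-9A-Fa-f]+: (\S+)")
SUMMARY = re.compile(r"ERROR SUMMARY: (\d+) errors from (\d+) contexts")
# Memcheck error headers we record; other lines are banner or summary text.
KINDS = ("Invalid read", "Invalid write", "Invalid free", "Mismatched free",
         "Conditional jump", "Use of uninitialised")

def parse_memcheck(log):
    """Parse memcheck output into error records plus the reported error total."""
    errors, total, current, target = [], 0, None, None
    for raw in log.splitlines():
        line = PREFIX.sub("", raw)
        text = line.strip()
        if not text:                          # a blank line ends the current error block
            current = None
            continue
        if (m := SUMMARY.search(text)):
            total = int(m.group(1))
        elif (m := FRAME.match(line)) and current is not None:
            target.append(m.group(1))         # function name of this stack frame
        elif text.startswith("Address ") and current is not None:
            target = current["free_stack"]    # following frames say who freed the block
        elif text.startswith(KINDS) and current is None:
            current = {"kind": text, "access_stack": [], "free_stack": []}
            target = current["access_stack"]
            errors.append(current)
    return errors, total

def freeing_functions(errors):
    """Caller that freed each block accessed after free (frame 0 is free() itself)."""
    return [e["free_stack"][1] for e in errors if len(e["free_stack"]) > 1]

def fix_verified(log):
    """Gate for a candidate fix: memcheck must report no errors on the reproducer."""
    errors, total = parse_memcheck(log)
    return total == 0 and not errors
```

In practice, feed it the output of `valgrind ./icaltestparser ./1275400.ics 2>&1` before and after applying the patch; the unpatched run must fail the gate and the patched run must pass it.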

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2016-5824
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5824
[1] https://github.com/libical/libical/issues/235
[2] https://bugzilla.mozilla.org/show_bug.cgi?id=1275400
[3] https://marc.info/?l=oss-security&m=146685931517961&w=2

Regards,
Salvatore