Source: libical
Version: 1.0-1.3
Severity: important
Tags: upstream security
Forwarded: https://github.com/libical/libical/issues/235
Control: found -1 2.0.0-0.5

Hi,

the following vulnerability was published for libical.

CVE-2016-5824[0]:
| libical 1.0 allows remote attackers to cause a denial of service
| (use-after-free) via a crafted ics file.

This one was initially reported at [1], then to [2] and got assigned
the CVE in [3]. There is some unclearness unfortunately around the
libical CVEs due to reports.

To verify this one in the [2] report there is a reproducer which can
be used to test/verify a potential fix.

To reproduce, get reproducer from the #1275400 bugzilla.mozilla.org
report:

$ wget 'https://bugzilla.mozilla.org/attachment.cgi?id=8757553' -O 1275400.ics
$ valgrind ./icaltestparser ./1275400.ics >/dev/null
==11789== Memcheck, a memory error detector
==11789== Copyright (C) 2002-2013, and GNU GPL'd, by Julian Seward et al.
==11789== Using Valgrind-3.10.0 and LibVEX; rerun with -h for copyright info
==11789== Command: ./icaltestparser ./1275400.ics
==11789==
==11789== Invalid read of size 1
==11789==    at 0x50E1DCC: vfprintf (vfprintf.c:1642)
==11789==    by 0x518D394: __vsnprintf_chk (vsnprintf_chk.c:63)
==11789==    by 0x518D2F7: __snprintf_chk (snprintf_chk.c:34)
==11789==    by 0x4E70E2A: icalreqstattype_as_string_r (in /usr/lib/libical.so.1.0.0)
==11789==    by 0x4E71C39: icalvalue_as_ical_string_r (in /usr/lib/libical.so.1.0.0)
==11789==    by 0x4E6694A: icalproperty_as_ical_string_r (in /usr/lib/libical.so.1.0.0)
==11789==    by 0x4E60127: icalcomponent_as_ical_string_r (in /usr/lib/libical.so.1.0.0)
==11789==    by 0x4E60235: icalcomponent_as_ical_string (in /usr/lib/libical.so.1.0.0)
==11789==    by 0x400A71: main (in /home/dummy/icaltestparser)
==11789==  Address 0x5660653 is 3 bytes inside a block of size 4 free'd
==11789==    at 0x4C29E90: free (vg_replace_malloc.c:473)
==11789==    by 0x4E65401: icalparser_add_line (in /usr/lib/libical.so.1.0.0)
==11789==    by 0x400A5A: main (in /home/dummy/icaltestparser)
==11789==
==11789==
==11789== HEAP SUMMARY:
==11789==     in use at exit: 29,301 bytes in 82 blocks
==11789==   total heap usage: 616 allocs, 534 frees, 153,866 bytes allocated
==11789==
==11789== LEAK SUMMARY:
==11789==    definitely lost: 4,538 bytes in 57 blocks
==11789==    indirectly lost: 1,105 bytes in 21 blocks
==11789==      possibly lost: 0 bytes in 0 blocks
==11789==    still reachable: 23,658 bytes in 4 blocks
==11789==         suppressed: 0 bytes in 0 blocks
==11789== Rerun with --leak-check=full to see details of leaked memory
==11789==
==11789== For counts of detected and suppressed errors, rerun with: -v
==11789== ERROR SUMMARY: 32 errors from 1 contexts (suppressed: 0 from 0)

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2016-5824
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5824
[1] https://github.com/libical/libical/issues/235
[2] https://bugzilla.mozilla.org/show_bug.cgi?id=1275400
[3] https://marc.info/?l=oss-security&m=146685931517961&w=2

Regards,
Salvatore
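
Added example, not part of the original report or of libical: a small Python triage helper that reads Memcheck output like the trace above and reports, for each invalid access into an already-freed block, the first libical frame that touched the memory and the first libical frame that freed it. The sample log is a constructed, abridged copy of the trace's shape, and the names `find_use_after_free` and `first_in` are hypothetical.

```python
import re

# Constructed sample: abridged Memcheck lines in the shape of the trace in the report.
SAMPLE = """\
==11789== Invalid read of size 1
==11789==    at 0x50E1DCC: vfprintf (vfprintf.c:1642)
==11789==    by 0x4E70E2A: icalreqstattype_as_string_r (in /usr/lib/libical.so.1.0.0)
==11789==    by 0x400A71: main (in /home/dummy/icaltestparser)
==11789==  Address 0x5660653 is 3 bytes inside a block of size 4 free'd
==11789==    at 0x4C29E90: free (vg_replace_malloc.c:473)
==11789==    by 0x4E65401: icalparser_add_line (in /usr/lib/libical.so.1.0.0)
==11789==    by 0x400A5A: main (in /home/dummy/icaltestparser)
==11789==
==11789== ERROR SUMMARY: 32 errors from 1 contexts (suppressed: 0 from 0)
"""

PREFIX = re.compile(r"^==\d+==\s?")
ACCESS = re.compile(r"^Invalid (read|write) of size (\d+)")
FREED = re.compile(r"^\s*Address 0x[0-9A-Fa-f]+ is (\d+) bytes inside a block of size (\d+) free'd")
FRAME = re.compile(r"^\s+(?:at|by) 0x[0-9A-Fa-f]+: (\S+) \((.*)\)")

def first_in(stack, library):
    """Name of the first frame whose location mentions the library, else None."""
    return next((fn for fn, loc in stack if library in loc), None)

def find_use_after_free(log, library="libical"):
    """Return one dict per invalid access that lands inside a freed block."""
    findings, cur, stack = [], None, None
    # Memcheck separates error records with an empty '==PID==' line;
    # the extra "" flushes a record that ends the log.
    for raw in log.splitlines() + [""]:
        line = PREFIX.sub("", raw)
        if m := ACCESS.match(line):
            cur = {"access": m[1], "size": int(m[2]), "offset": None, "block_size": None}
            acc, freed = [], []
            stack = acc                      # frames that follow belong to the access
        elif cur and (m := FREED.match(line)):
            cur["offset"], cur["block_size"] = int(m[1]), int(m[2])
            stack = freed                    # frames that follow belong to the free()
        elif cur and (m := FRAME.match(line)):
            stack.append((m[1], m[2]))
        else:
            if cur and cur["block_size"] is not None:   # keep only use-after-free
                cur["reader"] = first_in(acc, library)
                cur["freer"] = first_in(freed, library)
                findings.append(cur)
            cur = stack = None
    return findings

if __name__ == "__main__":
    for finding in find_use_after_free(SAMPLE):
        print(finding)
```

An empty result on the reproducer's Memcheck log after patching is the signal to look for when verifying a potential fix.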