Bug 1720006 (CVE-2019-11704)

Summary: CVE-2019-11704 libical: Heap buffer overflow in icalmemory_strdup_and_dequote function in icalvalue.c
Product: [Other] Security Response Reporter: Pedro Sampaio <psampaio>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: cschalle, debarshir, gecko-bugs-nobody, gecko-bugs-nobody, jhorak, john.j5live, kengert, mcrha, mrehak, pjasicek, rdieter, rhughes, rstrode, sandmann, security-response-team, stransky
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Thunderbird 60.7.1, libical 1.0.0 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2019-06-27 03:34:49 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1720053, 1720054, 1720055, 1720056, 1720057, 1720423    
Bug Blocks: 1720012    

Description Pedro Sampaio 2019-06-12 22:11:40 UTC 
A flaw was found in Mozzila Thunderbird. A heap buffer overflow in icalmemory_strdup_and_dequote function in icalvalue.c might lead to out of bounds read, write, and process crash.

References:

https://bugzilla.mozilla.org/show_bug.cgi?id=1553814
Comment 7 Milan Crha 2019-06-13 08:38:45 UTC 
Is this for Thunderbird only, or the libical package is also affected? I would verify that myself, but I do not have access to any related bug report mentioned here, neither to the upstream Mozilla bug.
Comment 9 Doran Moppert 2019-06-14 00:46:58 UTC 
Mitigation:

Thunderbird can be configured to use icaljs instead of libical by setting `calendar.icaljs = true` in preferences, mitigating this vulnerability.
Comment 10 Doran Moppert 2019-06-14 00:52:08 UTC 
Created thunderbird tracking bugs for this issue:

Affects: fedora-all [bug 1720423]
Comment 11 Doran Moppert 2019-06-14 02:02:21 UTC 
In reply to comment #7:
> Is this for Thunderbird only, or the libical package is also affected?

This appears to be the original libical commit fixing the issue:

* a4230eb8 - Fix a possible overrun in icalmemory_strdup_and_dequote if the last character is a backslash. Thanks for the patch Kent (2012-03-14 09:06:23 +1030) <Allen Winter>

From git tags, this was included in the v1.0.0 release but not in v0.48.
Comment 12 Doran Moppert 2019-06-14 02:02:26 UTC 
External References:

https://www.mozilla.org/en-US/security/advisories/mfsa2019-17/
https://www.x41-dsec.de/lab/advisories/x41-2019-001-thunderbird/
Comment 13 Milan Crha 2019-06-14 09:16:46 UTC 
(In reply to Doran Moppert from comment #11)
> From git tags, this was included in the v1.0.0 release but not in v0.48.

I see. In that case libical in RHEL 6 is only affected by this one (there's 0.47 version, if I read it correctly). The RHEL 7 and 8 are at libical 3.0.x.
Comment 14 Marian Rehak 2019-06-14 11:51:51 UTC 
References:

https://www.openwall.com/lists/oss-security/2019/06/13/1
Comment 15 errata-xmlrpc 2019-06-27 09:18:40 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2019:1623 https://access.redhat.com/errata/RHSA-2019:1623
Comment 16 errata-xmlrpc 2019-06-27 10:12:27 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2019:1624 https://access.redhat.com/errata/RHSA-2019:1624
Comment 17 errata-xmlrpc 2019-06-27 10:14:59 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2019:1626 https://access.redhat.com/errata/RHSA-2019:1626