Bug 1720008 (CVE-2019-11705)
Summary: | CVE-2019-11705 libical: Stack buffer overflow in icalrecur_add_bydayrules in icalrecur.c | | |
---|---|---|---
Product: | [Other] Security Response | Reporter: | Pedro Sampaio <psampaio>
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team>
Status: | CLOSED ERRATA | QA Contact: |
Severity: | high | Docs Contact: |
Priority: | high | |
Version: | unspecified | CC: | cschalle, debarshir, gecko-bugs-nobody, gecko-bugs-nobody, jhorak, john.j5live, kengert, mcrha, mrehak, pjasicek, rdieter, rhughes, rstrode, sandmann, security-response-team, stransky
Target Milestone: | --- | Keywords: | Security
Target Release: | --- | |
Hardware: | All | |
OS: | Linux | |
Whiteboard: | | |
Fixed In Version: | Thunderbird 60.7.1 | Doc Type: | If docs needed, set a value
Doc Text: | | Story Points: | ---
Clone Of: | | Environment: |
Last Closed: | 2019-06-27 03:35:21 UTC | Type: | ---
Regression: | --- | Mount Type: | ---
Documentation: | --- | CRM: |
Verified Versions: | | Category: | ---
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: |
Cloudforms Team: | --- | Target Upstream Version: |
Embargoed: | | |
Bug Depends On: | 1720053, 1720054, 1720055, 1720056, 1720057, 1720425 | |
Bug Blocks: | 1720012 | |
Description
Pedro Sampaio
2019-06-12 22:18:49 UTC
Is this for Thunderbird only, or is the libical package also affected? I would verify that myself, but I do not have access to any related bug report mentioned here, nor to the upstream Mozilla bug.

External References: https://www.mozilla.org/en-US/security/advisories/mfsa2019-17/

Mitigation: Thunderbird can be configured to use icaljs instead of libical by setting `calendar.icaljs = true` in preferences, mitigating this vulnerability.

Created thunderbird tracking bugs for this issue: Affects: fedora-all [bug 1720425]

This function has been heavily re-worked in upstream libical. Of particular relevance to this vulnerability, commit 5b99f67f6 (pre v2.0.0, 2015-09-04) added a negative-weekno test, among other things. It seems safe to say that this version and beyond are safe from this attack, based on the reproducer provided.

This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2019:1623 https://access.redhat.com/errata/RHSA-2019:1623

This issue has been addressed in the following products: Red Hat Enterprise Linux 6 Via RHSA-2019:1624 https://access.redhat.com/errata/RHSA-2019:1624

This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2019:1626 https://access.redhat.com/errata/RHSA-2019:1626