Bug 1720006 (CVE-2019-11704) - CVE-2019-11704 libical: Heap buffer overflow in icalmemory_strdup_and_dequote function in icalvalue.c
Summary: CVE-2019-11704 libical: Heap buffer overflow in icalmemory_strdup_and_dequote...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2019-11704
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1720056 1720423 1720053 1720054 1720055 1720057
Blocks: 1720012
TreeView+ depends on / blocked
 
Reported: 2019-06-12 22:11 UTC by Pedro Sampaio
Modified: 2019-09-29 15:15 UTC (History)
16 users (show)

Fixed In Version: Thunderbird 60.7.1, libical 1.0.0
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-06-27 03:34:49 UTC


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2019:1623 None None None 2019-06-27 09:18:41 UTC
Red Hat Product Errata RHSA-2019:1624 None None None 2019-06-27 10:12:28 UTC
Red Hat Product Errata RHSA-2019:1626 None None None 2019-06-27 10:15:00 UTC

Description Pedro Sampaio 2019-06-12 22:11:40 UTC
A flaw was found in Mozzila Thunderbird. A heap buffer overflow in icalmemory_strdup_and_dequote function in icalvalue.c might lead to out of bounds read, write, and process crash.

References:

https://bugzilla.mozilla.org/show_bug.cgi?id=1553814

Comment 7 Milan Crha 2019-06-13 08:38:45 UTC
Is this for Thunderbird only, or the libical package is also affected? I would verify that myself, but I do not have access to any related bug report mentioned here, neither to the upstream Mozilla bug.

Comment 9 Doran Moppert 2019-06-14 00:46:58 UTC
Mitigation:

Thunderbird can be configured to use icaljs instead of libical by setting `calendar.icaljs = true` in preferences, mitigating this vulnerability.

Comment 10 Doran Moppert 2019-06-14 00:52:08 UTC
Created thunderbird tracking bugs for this issue:

Affects: fedora-all [bug 1720423]

Comment 11 Doran Moppert 2019-06-14 02:02:21 UTC
In reply to comment #7:
> Is this for Thunderbird only, or the libical package is also affected?

This appears to be the original libical commit fixing the issue:

* a4230eb8 - Fix a possible overrun in icalmemory_strdup_and_dequote if the last character is a backslash. Thanks for the patch Kent (2012-03-14 09:06:23 +1030) <Allen Winter>

From git tags, this was included in the v1.0.0 release but not in v0.48.

Comment 13 Milan Crha 2019-06-14 09:16:46 UTC
(In reply to Doran Moppert from comment #11)
> From git tags, this was included in the v1.0.0 release but not in v0.48.

I see. In that case libical in RHEL 6 is only affected by this one (there's 0.47 version, if I read it correctly). The RHEL 7 and 8 are at libical 3.0.x.

Comment 14 Marian Rehak 2019-06-14 11:51:51 UTC
References:

https://www.openwall.com/lists/oss-security/2019/06/13/1

Comment 15 errata-xmlrpc 2019-06-27 09:18:40 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2019:1623 https://access.redhat.com/errata/RHSA-2019:1623

Comment 16 errata-xmlrpc 2019-06-27 10:12:27 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2019:1624 https://access.redhat.com/errata/RHSA-2019:1624

Comment 17 errata-xmlrpc 2019-06-27 10:14:59 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2019:1626 https://access.redhat.com/errata/RHSA-2019:1626


Note You need to log in before you can comment on or make changes to this bug.