Bug 1720006 (CVE-2019-11704) - CVE-2019-11704 libical: Heap buffer overflow in icalmemory_strdup_and_dequote function in icalvalue.c
Summary: CVE-2019-11704 libical: Heap buffer overflow in icalmemory_strdup_and_dequote...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2019-11704
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1720053 1720054 1720055 1720056 1720057 1720423
Blocks: 1720012
TreeView+ depends on / blocked
 
Reported: 2019-06-12 22:11 UTC by Pedro Sampaio
Modified: 2021-02-26 07:05 UTC (History)
16 users (show)

Fixed In Version: Thunderbird 60.7.1, libical 1.0.0
Clone Of:
Environment:
Last Closed: 2019-06-27 03:34:49 UTC
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2019:1623 0 None None None 2019-06-27 09:18:41 UTC
Red Hat Product Errata RHSA-2019:1624 0 None None None 2019-06-27 10:12:28 UTC
Red Hat Product Errata RHSA-2019:1626 0 None None None 2019-06-27 10:15:00 UTC

Description Pedro Sampaio 2019-06-12 22:11:40 UTC 
A flaw was found in Mozzila Thunderbird. A heap buffer overflow in icalmemory_strdup_and_dequote function in icalvalue.c might lead to out of bounds read, write, and process crash.

References:

https://bugzilla.mozilla.org/show_bug.cgi?id=1553814
Comment 7 Milan Crha 2019-06-13 08:38:45 UTC 
Is this for Thunderbird only, or the libical package is also affected? I would verify that myself, but I do not have access to any related bug report mentioned here, neither to the upstream Mozilla bug.
Comment 9 Doran Moppert 2019-06-14 00:46:58 UTC 
Mitigation:

Thunderbird can be configured to use icaljs instead of libical by setting `calendar.icaljs = true` in preferences, mitigating this vulnerability.
Comment 10 Doran Moppert 2019-06-14 00:52:08 UTC 
Created thunderbird tracking bugs for this issue:

Affects: fedora-all [bug 1720423]
Comment 11 Doran Moppert 2019-06-14 02:02:21 UTC 
In reply to comment #7:
> Is this for Thunderbird only, or the libical package is also affected?

This appears to be the original libical commit fixing the issue:

* a4230eb8 - Fix a possible overrun in icalmemory_strdup_and_dequote if the last character is a backslash. Thanks for the patch Kent (2012-03-14 09:06:23 +1030) <Allen Winter>

From git tags, this was included in the v1.0.0 release but not in v0.48.
Comment 12 Doran Moppert 2019-06-14 02:02:26 UTC 
External References:

https://www.mozilla.org/en-US/security/advisories/mfsa2019-17/
https://www.x41-dsec.de/lab/advisories/x41-2019-001-thunderbird/
Comment 13 Milan Crha 2019-06-14 09:16:46 UTC 
(In reply to Doran Moppert from comment #11)
> From git tags, this was included in the v1.0.0 release but not in v0.48.

I see. In that case libical in RHEL 6 is only affected by this one (there's 0.47 version, if I read it correctly). The RHEL 7 and 8 are at libical 3.0.x.
Comment 14 Marian Rehak 2019-06-14 11:51:51 UTC 
References:

https://www.openwall.com/lists/oss-security/2019/06/13/1
Comment 15 errata-xmlrpc 2019-06-27 09:18:40 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2019:1623 https://access.redhat.com/errata/RHSA-2019:1623
Comment 16 errata-xmlrpc 2019-06-27 10:12:27 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2019:1624 https://access.redhat.com/errata/RHSA-2019:1624
Comment 17 errata-xmlrpc 2019-06-27 10:14:59 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2019:1626 https://access.redhat.com/errata/RHSA-2019:1626
Note You need to log in before you can comment on or make changes to this bug.