A flaw was found in Mozilla Thunderbird. A stack-based buffer overflow in in icalrecur_add_bydayrules in icalrecur.c leads to server crash and potentially worse consequences. References: https://bugzilla.mozilla.org/show_bug.cgi?id=1553808
Is this for Thunderbird only, or the libical package is also affected? I would verify that myself, but I do not have access to any related bug report mentioned here, neither to the upstream Mozilla bug.
External References: https://www.mozilla.org/en-US/security/advisories/mfsa2019-17/
Mitigation: Thunderbird can be configured to use icaljs instead of libical by setting `calendar.icaljs = true` in preferences, mitigating this vulnerability.
Created thunderbird tracking bugs for this issue: Affects: fedora-all [bug 1720425]
References: https://www.openwall.com/lists/oss-security/2019/06/13/3
This function has been heavily re-worked in upstream libical. Of particular relevance to this vulnerability, commit 5b99f67f6 (pre v2.0.0, 2015-09-04) added a negative-weekno test, among other things. It seems safe to say that this version and beyond are safe from this attack, based on the reproducer provided.
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2019:1623 https://access.redhat.com/errata/RHSA-2019:1623
This issue has been addressed in the following products: Red Hat Enterprise Linux 6 Via RHSA-2019:1624 https://access.redhat.com/errata/RHSA-2019:1624
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2019:1626 https://access.redhat.com/errata/RHSA-2019:1626