A flaw was found in Mozilla Thunderbird. A type confusion in icaltimezone_get_vtimezone_properties in icalproperty.c might lead to a process crash and potentially other consequences. References: https://bugzilla.mozilla.org/show_bug.cgi?id=1555646
Is this for Thunderbird only, or is the libical package also affected? I would verify that myself, but I do not have access to any related bug report mentioned here, nor to the upstream Mozilla bug.
External References: https://www.mozilla.org/en-US/security/advisories/mfsa2019-17/
Mitigation: Thunderbird can be configured to use icaljs instead of libical by setting `calendar.icaljs = true` in preferences, mitigating this vulnerability.
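As an added check, not part of this bug's text or of Thunderbird itself, the POSIX shell script below reports whether a profile directory has the mitigation above in effect. It assumes the preference is stored in the profile's prefs.js or user.js as `user_pref("calendar.icaljs", true);`, that user.js overrides prefs.js at startup, and that an unset preference means libical is in use, which is what the mitigation implies for the affected releases. The sample profiles it builds are constructed for demonstration only.

```shell
#!/bin/sh
# Added example, not code from the bug or from Thunderbird.
# Audits Thunderbird profile directories for the calendar.icaljs mitigation.
# Assumptions: the pref is written as  user_pref("calendar.icaljs", true);
# user.js overrides prefs.js at startup; an unset pref is treated as
# "false" (libical in use), the conservative reading for an audit.

# Print "true" or "false" for calendar.icaljs in one prefs file,
# or nothing if the file is missing or does not set the pref.
pref_value_in_file() {
    file="$1"
    [ -r "$file" ] || return 0
    # Last assignment wins; keep only the boolean token.
    grep -E '^[[:space:]]*user_pref\("calendar\.icaljs",[[:space:]]*(true|false)\);' "$file" \
        | tail -n 1 \
        | sed -E 's/.*,[[:space:]]*(true|false)\);.*/\1/'
}

# Effective value for a profile directory: user.js wins over prefs.js,
# and an unset pref falls back to "false".
icaljs_effective() {
    dir="$1"
    v="$(pref_value_in_file "$dir/user.js")"
    [ -n "$v" ] || v="$(pref_value_in_file "$dir/prefs.js")"
    [ -n "$v" ] || v=false
    printf '%s\n' "$v"
}

# Exit 0 when the mitigation is in effect for the profile, 1 otherwise.
check_profile() {
    [ "$(icaljs_effective "$1")" = true ]
}

# Build two constructed sample profiles under a temp dir and print its path
# (demonstration data, not real Thunderbird profiles).
make_sample_profiles() {
    base="$(mktemp -d)"
    mkdir -p "$base/mitigated" "$base/unmitigated"
    # prefs.js says false, but user.js (applied at startup) turns icaljs on.
    printf 'user_pref("calendar.icaljs", false);\n' > "$base/mitigated/prefs.js"
    printf '// use the JS calendar parser instead of libical\n' > "$base/mitigated/user.js"
    printf 'user_pref("calendar.icaljs", true);\n' >> "$base/mitigated/user.js"
    # No calendar.icaljs pref at all: treated as libical in use.
    printf 'user_pref("mail.rights.version", 1);\n' > "$base/unmitigated/prefs.js"
    printf '%s\n' "$base"
}

# Usage: sh check_icaljs.sh ~/.thunderbird/*/   (one or more profile dirs)
for profile in "$@"; do
    if check_profile "$profile"; then
        printf '%s: calendar.icaljs=true (mitigated)\n' "$profile"
    else
        printf '%s: calendar.icaljs=%s (libical in use)\n' "$profile" "$(icaljs_effective "$profile")"
    fi
done
```

The check reads user.js before prefs.js because Thunderbird copies user.js values into prefs.js on every start, so a user.js entry is the value that actually takes effect; a profile with only a prefs.js entry can silently drop back to libical if user.js later sets it to false.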
Created thunderbird tracking bugs for this issue: Affects: fedora-all [bug 1720424]
References: https://www.openwall.com/lists/oss-security/2019/06/13/4
The type confusion described in this bug doesn't seem to have been possible upstream for a very long time: at least since 0.43, properties have had a type tag that is checked before returning a value that could be misinterpreted. That type tag is not present in the Thunderbird downstream fork, so confusion is possible.
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2019:1623 https://access.redhat.com/errata/RHSA-2019:1623
This issue has been addressed in the following products: Red Hat Enterprise Linux 6 Via RHSA-2019:1624 https://access.redhat.com/errata/RHSA-2019:1624
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2019:1626 https://access.redhat.com/errata/RHSA-2019:1626
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2019-11706