Debian Bug report logs -
#860451
libical: CVE-2016-5824
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Fathi Boudra <fabo@debian.org>
:
Bug#860451
; Package src:libical
.
(Mon, 17 Apr 2017 06:33:04 GMT) (full text, mbox, link).
Acknowledgement sent
to Salvatore Bonaccorso <carnil@debian.org>
:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Fathi Boudra <fabo@debian.org>
.
(Mon, 17 Apr 2017 06:33:04 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Source: libical
Version: 1.0-1.3
Severity: important
Tags: upstream security
Forwarded: https://github.com/libical/libical/issues/235
Control: found -1 2.0.0-0.5
Hi,
the following vulnerability was published for libical.
CVE-2016-5824[0]:
| libical 1.0 allows remote attackers to cause a denial of service
| (use-after-free) via a crafted ics file.
This one was initially reported at [1], then to [2] and got assigned
the CVE in [3]. There is some unclearness unfortunately around the
libical CVEs due to reports. To verify this one in the [2] report
there is a reproducer which can be use to test/verify a potential fix.
To reproduce, get reproducer from the #1275400 bugzilla.mozilla.org
report:
$ wget 'https://bugzilla.mozilla.org/attachment.cgi?id=8757553' -O 1275400.ics
$ valgrind ./icaltestparser ./1275400.ics >/dev/null
==11789== Memcheck, a memory error detector
==11789== Copyright (C) 2002-2013, and GNU GPL'd, by Julian Seward et al.
==11789== Using Valgrind-3.10.0 and LibVEX; rerun with -h for copyright info
==11789== Command: ./icaltestparser ./1275400.ics
==11789==
==11789== Invalid read of size 1
==11789== at 0x50E1DCC: vfprintf (vfprintf.c:1642)
==11789== by 0x518D394: __vsnprintf_chk (vsnprintf_chk.c:63)
==11789== by 0x518D2F7: __snprintf_chk (snprintf_chk.c:34)
==11789== by 0x4E70E2A: icalreqstattype_as_string_r (in /usr/lib/libical.so.1.0.0)
==11789== by 0x4E71C39: icalvalue_as_ical_string_r (in /usr/lib/libical.so.1.0.0)
==11789== by 0x4E6694A: icalproperty_as_ical_string_r (in /usr/lib/libical.so.1.0.0)
==11789== by 0x4E60127: icalcomponent_as_ical_string_r (in /usr/lib/libical.so.1.0.0)
==11789== by 0x4E60235: icalcomponent_as_ical_string (in /usr/lib/libical.so.1.0.0)
==11789== by 0x400A71: main (in /home/dummy/icaltestparser)
==11789== Address 0x5660653 is 3 bytes inside a block of size 4 free'd
==11789== at 0x4C29E90: free (vg_replace_malloc.c:473)
==11789== by 0x4E65401: icalparser_add_line (in /usr/lib/libical.so.1.0.0)
==11789== by 0x400A5A: main (in /home/dummy/icaltestparser)
==11789==
==11789==
==11789== HEAP SUMMARY:
==11789== in use at exit: 29,301 bytes in 82 blocks
==11789== total heap usage: 616 allocs, 534 frees, 153,866 bytes allocated
==11789==
==11789== LEAK SUMMARY:
==11789== definitely lost: 4,538 bytes in 57 blocks
==11789== indirectly lost: 1,105 bytes in 21 blocks
==11789== possibly lost: 0 bytes in 0 blocks
==11789== still reachable: 23,658 bytes in 4 blocks
==11789== suppressed: 0 bytes in 0 blocks
==11789== Rerun with --leak-check=full to see details of leaked memory
==11789==
==11789== For counts of detected and suppressed errors, rerun with: -v
==11789== ERROR SUMMARY: 32 errors from 1 contexts (suppressed: 0 from 0)
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2016-5824
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5824
[1] https://github.com/libical/libical/issues/235
[2] https://bugzilla.mozilla.org/show_bug.cgi?id=1275400
[3] https://marc.info/?l=oss-security&m=146685931517961&w=2
Regards,
Salvatore
Marked as found in versions libical/2.0.0-0.5.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to submit@bugs.debian.org
.
(Mon, 17 Apr 2017 06:33:04 GMT) (full text, mbox, link).
Information forwarded
to debian-bugs-dist@lists.debian.org, Fathi Boudra <fabo@debian.org>
:
Bug#860451
; Package src:libical
.
(Mon, 17 Apr 2017 08:30:06 GMT) (full text, mbox, link).
Acknowledgement sent
to Salvatore Bonaccorso <carnil@debian.org>
:
Extra info received and forwarded to list. Copy sent to Fathi Boudra <fabo@debian.org>
.
(Mon, 17 Apr 2017 08:30:06 GMT) (full text, mbox, link).
Message #12 received at 860451@bugs.debian.org (full text, mbox, reply):
Hi
I forgot to mention: There is a icaltestparser.c in the sources under
which can be used to run the verifier.
On Mon, Apr 17, 2017 at 08:31:19AM +0200, Salvatore Bonaccorso wrote:
> This one was initially reported at [1], then to [2] and got assigned
> the CVE in [3]. There is some unclearness unfortunately around the
> libical CVEs due to reports. To verify this one in the [2] report
> there is a reproducer which can be use to test/verify a potential fix.
Rereading this sentence was slighty confusing I think. What I mean is
that there were several reporter reporting issues in libical at that
time, the respective CVE assignments arise though from
https://marc.info/?l=oss-security&m=146685931517961&w=2
Regards,
Salvatore
Added tag(s) fixed-upstream.
Request was from bts-link-upstream@lists.alioth.debian.org
to control@bugs.debian.org
.
(Thu, 20 Apr 2017 17:39:05 GMT) (full text, mbox, link).
Reply sent
to Debian FTP Masters <ftpmaster@ftp-master.debian.org>
:
You have taken responsibility.
(Sat, 13 Apr 2019 16:54:11 GMT) (full text, mbox, link).
Notification sent
to Salvatore Bonaccorso <carnil@debian.org>
:
Bug acknowledged by developer.
(Sat, 13 Apr 2019 16:54:11 GMT) (full text, mbox, link).
Message #19 received at 860451-done@bugs.debian.org (full text, mbox, reply):
Version: 2.0.0-4+rm
Dear submitter,
as the package libical has just been removed from the Debian archive
unstable we hereby close the associated bug reports. We are sorry
that we couldn't deal with your issue properly.
For details on the removal, please see https://bugs.debian.org/926589
The version of this package that was in Debian prior to this removal
can still be found using http://snapshot.debian.org/.
This message was generated automatically; if you believe that there is
a problem with it please contact the archive administrators by mailing
ftpmaster@ftp-master.debian.org.
Debian distribution maintenance software
pp.
Scott Kitterman (the ftpmaster behind the curtain)
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org
.
(Sun, 12 May 2019 07:27:57 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Wed Jun 19 15:18:46 2019;
Machine Name:
buxtehude
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.