libical: CVE-2016-5824

Debian Bug report logs - #860451
libical: CVE-2016-5824

Toggle useless messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>

To: Debian Bug Tracking System <submit@bugs.debian.org>

Subject: libical: CVE-2016-5824

Date: Mon, 17 Apr 2017 08:31:19 +0200

Source: libical
Version: 1.0-1.3
Severity: important
Tags: upstream security
Forwarded: https://github.com/libical/libical/issues/235
Control: found -1 2.0.0-0.5

Hi,

the following vulnerability was published for libical.

CVE-2016-5824[0]:
| libical 1.0 allows remote attackers to cause a denial of service
| (use-after-free) via a crafted ics file.

This one was initially reported at [1], then to [2] and got assigned
the CVE in [3]. There is some unclearness unfortunately around the
libical CVEs due to reports. To verify this one in the [2] report
there is a reproducer which can be use to test/verify a potential fix.

To reproduce, get reproducer from the #1275400 bugzilla.mozilla.org
report:

$ wget 'https://bugzilla.mozilla.org/attachment.cgi?id=8757553' -O 1275400.ics
$ valgrind ./icaltestparser ./1275400.ics >/dev/null
==11789== Memcheck, a memory error detector
==11789== Copyright (C) 2002-2013, and GNU GPL'd, by Julian Seward et al.
==11789== Using Valgrind-3.10.0 and LibVEX; rerun with -h for copyright info
==11789== Command: ./icaltestparser ./1275400.ics
==11789== 
==11789== Invalid read of size 1
==11789==    at 0x50E1DCC: vfprintf (vfprintf.c:1642)
==11789==    by 0x518D394: __vsnprintf_chk (vsnprintf_chk.c:63)
==11789==    by 0x518D2F7: __snprintf_chk (snprintf_chk.c:34)
==11789==    by 0x4E70E2A: icalreqstattype_as_string_r (in /usr/lib/libical.so.1.0.0)
==11789==    by 0x4E71C39: icalvalue_as_ical_string_r (in /usr/lib/libical.so.1.0.0)
==11789==    by 0x4E6694A: icalproperty_as_ical_string_r (in /usr/lib/libical.so.1.0.0)
==11789==    by 0x4E60127: icalcomponent_as_ical_string_r (in /usr/lib/libical.so.1.0.0)
==11789==    by 0x4E60235: icalcomponent_as_ical_string (in /usr/lib/libical.so.1.0.0)
==11789==    by 0x400A71: main (in /home/dummy/icaltestparser)
==11789==  Address 0x5660653 is 3 bytes inside a block of size 4 free'd
==11789==    at 0x4C29E90: free (vg_replace_malloc.c:473)
==11789==    by 0x4E65401: icalparser_add_line (in /usr/lib/libical.so.1.0.0)
==11789==    by 0x400A5A: main (in /home/dummy/icaltestparser)
==11789== 
==11789== 
==11789== HEAP SUMMARY:
==11789==     in use at exit: 29,301 bytes in 82 blocks
==11789==   total heap usage: 616 allocs, 534 frees, 153,866 bytes allocated
==11789== 
==11789== LEAK SUMMARY:
==11789==    definitely lost: 4,538 bytes in 57 blocks
==11789==    indirectly lost: 1,105 bytes in 21 blocks
==11789==      possibly lost: 0 bytes in 0 blocks
==11789==    still reachable: 23,658 bytes in 4 blocks
==11789==         suppressed: 0 bytes in 0 blocks
==11789== Rerun with --leak-check=full to see details of leaked memory
==11789== 
==11789== For counts of detected and suppressed errors, rerun with: -v
==11789== ERROR SUMMARY: 32 errors from 1 contexts (suppressed: 0 from 0)

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2016-5824
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5824
[1] https://github.com/libical/libical/issues/235
[2] https://bugzilla.mozilla.org/show_bug.cgi?id=1275400
[3] https://marc.info/?l=oss-security&m=146685931517961&w=2

Regards,
Salvatore

Message #12 received at 860451@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>

To: 860451@bugs.debian.org

Subject: Re: Bug#860451: libical: CVE-2016-5824

Date: Mon, 17 Apr 2017 10:27:01 +0200

Hi

I forgot to mention: There is a icaltestparser.c in the sources under
which can be used to run the verifier.

On Mon, Apr 17, 2017 at 08:31:19AM +0200, Salvatore Bonaccorso wrote:
> This one was initially reported at [1], then to [2] and got assigned
> the CVE in [3]. There is some unclearness unfortunately around the
> libical CVEs due to reports. To verify this one in the [2] report
> there is a reproducer which can be use to test/verify a potential fix.

Rereading this sentence was slighty confusing I think. What I mean is
that there were several reporter reporting issues in libical at that
time, the respective CVE assignments arise though from 
https://marc.info/?l=oss-security&m=146685931517961&w=2

Regards,
Salvatore

Message #19 received at 860451-done@bugs.debian.org (full text, mbox, reply):

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>

To: 630690-done@bugs.debian.org,852034-done@bugs.debian.org,856653-done@bugs.debian.org,860451-done@bugs.debian.org,884128-done@bugs.debian.org,919571-done@bugs.debian.org,879395-done@bugs.debian.org,

Cc: libical@packages.debian.org

Subject: Bug#926589: Removed package(s) from unstable

Date: Sat, 13 Apr 2019 16:53:09 +0000

Version: 2.0.0-4+rm

Dear submitter,

as the package libical has just been removed from the Debian archive
unstable we hereby close the associated bug reports.  We are sorry
that we couldn't deal with your issue properly.

For details on the removal, please see https://bugs.debian.org/926589

The version of this package that was in Debian prior to this removal
can still be found using http://snapshot.debian.org/.

This message was generated automatically; if you believe that there is
a problem with it please contact the archive administrators by mailing
ftpmaster@ftp-master.debian.org.

Debian distribution maintenance software
pp.
Scott Kitterman (the ftpmaster behind the curtain)

Send a report that this bug log contains spam.