Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [day] [month] [year] [list]
Date: Thu, 13 Jun 2019 22:31:56 +0200
From: X41 D-Sec GmbH Advisories <advisories@...-dsec.de>
To: oss-security@...ts.openwall.com
Subject: X41 D-Sec GmbH Security Advisory X41-2019-002: Heap-based buffer
 overflow in Thunderbird

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

X41 D-Sec GmbH Security Advisory: X41-2019-002

Heap-based buffer overflow in Thunderbird
=========================================
Severity Rating: High
Confirmed Affected Versions: All versions affected
Confirmed Patched Versions: Thunderbird ESR 60.7.XXX
Vendor: Thunderbird
Vendor URL: https://www.thunderbird.net/
Vendor Reference: https://bugzilla.mozilla.org/show_bug.cgi?id=1553820
Vector: Incoming mail with calendar attachment
Credit: X41 D-SEC GmbH, Luis Merino
Status: Public
CVE: CVE-2019-11703
CWE: 122
CVSS Score: 7.8
CVSS Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O
Advisory-URL:
https://www.x41-dsec.de/lab/advisories/x41-2019-002-thunderbird

Summary and Impact
==================
A heap-based buffer overflow has been identified in the Thunderbird
email client. The issue is present in the libical implementation, which
was forked from upstream libical version 0.47.
The issue can be triggered remotely, when an attacker sends an specially
crafted calendar attachment and does not require user interaction. It
might be used by a remote attacker to crash or gain remote code
execution in the client system.

This issue was initially reported by Brandon Perry here:

https://bugzilla.mozilla.org/show_bug.cgi?id=1281041

and fixed in libical upstream, but was never fixed in Thunderbird.
X41 did not perform a full test or audit on the software.

Product Description
===================
Thunderbird is a free and open source email, newsfeed, chat, and
calendaring client, that's easy to set up and customize.

Analysis
========
A heap-based buffer overflow in icalparser.c parser_get_next_char()
can be triggered while parsing a calendar attachment containing a
malformed or specially crafted string.
The issue initially manifests with out of bounds read, but we don't
discard it could later lead to out of bounds write.
It is expected that an attacker can exploit this vulnerability to
achieve remote code execution.

Proof of Concept
================
A reproducer ical file can be found in

https://github.com/x41sec/advisories/tree/master/X41-2019-002

Workarounds
===========
A fix is available from upstream. Alternatively, libical can be replaced
by icaljs, a JavaScript implementation of ical parsing, by setting
calendar.icaljs = true in Thunderbird configuration.

Timeline
========
2016-06-20 Issue reported by Brandon Perry to the vendor
2019-05-23 Issues reported to the vendor
2019-05-23 Vendor reply
2019-06-12 CVE IDs assigned
2019-06-13 Patched Version released
2019-06-13 Advisory released

About X41 D-SEC GmbH
====================
X41 is an expert provider for application security services.
Having extensive industry experience and expertise in the area of
information security, a strong core security team of world class
security experts enables X41 to perform premium security services.
Fields of expertise in the area of application security are security
centered code reviews, binary reverse engineering and vulnerability
discovery.

Custom research and a IT security consulting and support services are
core competencies of X41.
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEpwxVTgxAIcUvTugIo5Klpg50CxAFAl0CsrwACgkQo5Klpg50
CxA1XQ//ZCNmc7/gBSo7qcSnraQe7ry0pjVjWSrRajBoOYbf4bhDC+tMW0XOTYnb
FKdND8qWMZKvTxeDGDIDJanREFotSfIX7UcKLZOzrSQO8hRCCizVJ1olF6vZBl7g
q4wFU5T9w4EyHP7ihBMCC4PimYlh9S+ZQAoSv7if9ObDpqs6SSNEDbandGklxMYW
g26N6AzTU0HSVX/fSVGYhhDFiP7dBCJE1ydkBJ7BITjhkU/NAfvL3IdASD5Tb6Sa
oPYHdnHZJcPHsNw2ftCfSCfbDjN5HOd6AFQGcx/w9YdIEQz4f/Zsdm/gtX/B5vpW
xGFt1gIfZqQuvQSj3iVcKDsTfE+4ikJFeBng80o6qviMye4txWHfFDRUIq8h7czW
wZ+JU/2BgU+mD8qRMttsfvSK6HgBQTArMN3Sl6i/8V1sQ09nQu+tUDfv6ZfgfHZX
sECDKnCPqIJIemG8q3hXNvaFdmAv2AFsS06RKFjy5Et7EsFv2ZAj7Zwh+NyINq6h
6/UdVhrU7+lIOKDmG8vVTYFEAYrpwYVMB3BDTwJ+M6aIMZT0s2sJrc7PnfKrEAPt
LGEu4B+sBqhR+FI21xO1O+DPi2NuotYi4xn9KOM894j9Oyahx6Cpr/fxt9ubkb4y
4VveOoPcAKpcSKyDx32mm463TuXjtJfpKRGiNAMMxztuOtMoiso=
=k4K9
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.