Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <3ba520ae-e49e-9754-13f3-5401cda63bcd@x41-dsec.de>
Date: Thu, 13 Jun 2019 22:37:36 +0200
From: X41 D-Sec GmbH Advisories <advisories@...-dsec.de>
To: oss-security@...ts.openwall.com
Subject: X41 D-Sec GmbH Security Advisory X41-2019-004: Type confusion in
 Thunderbird

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

X41 D-Sec GmbH Security Advisory: X41-2019-004

Type confusion in Thunderbird
=============================
Severity Rating: Medium
Confirmed Affected Versions: All versions affected
Confirmed Patched Versions: Thunderbird ESR 60.7.XXX
Vendor: Thunderbird
Vendor URL: https://www.thunderbird.net/
Vendor Reference: https://bugzilla.mozilla.org/show_bug.cgi?id=1555646
Vector: Incoming mail with calendar attachment
Credit: X41 D-SEC GmbH, Luis Merino
Status: Public
CVE: CVE-2019-11706
CWE: 843
CVSS Score: 6.5
CVSS Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O
Advisory-URL:
https://www.x41-dsec.de/lab/advisories/x41-2019-004-thunderbird

Summary and Impact
==================
A type confusion has been identified in the Thunderbird email
client. The issue is present in the libical implementation, which was
forked from upstream libical version 0.47.
The issue can be triggered remotely, when an attacker sends an specially
crafted calendar attachment and does not require user interaction. It
might be used by a remote attacker to crash the process or leak
information from the client system via calendar replies.
X41 did not perform a full test or audit on the software.

Product Description
===================
Thunderbird is a free and open source email, newsfeed, chat, and
calendaring client, that's easy to set up and customize.

Analysis
========
A type confusion in icalproperty.c
icaltimezone_get_vtimezone_properties() can be triggered while parsing a
malformed calendar attachment. Missing sanity checks allows a TZID
property to be parsed as ICALFLOATVALUE but it is later used as a
string.
The bug manifests with strdup(tzid); being called with tzid containing
a bad pointer obtained by casting to char* from a float value, which
typically means segfaulting by dereferencing a non-mapped memory page.
An attacker might be able to deliver an input file containing specially
crafted float values as TZID properties which could point to arbitrary
memory positions.
Certain conditions could allow to exfiltrate information via a calendar
reply or other undetermined impact.

Proof of Concept
================
A reproducer eml file can be found in

https://github.com/x41sec/advisories/tree/master/X41-2019-004

Workarounds
===========
A fix is available from upstream. Alternatively, libical can be replaced
by icaljs, a JavaScript implementation of ical parsing, by setting
calendar.icaljs = true in Thunderbird configuration.

Timeline
========
2019-05-30 Issues reported to the vendor
2019-06-07 Vendor reply
2019-06-12 CVE IDs assigned
2019-06-13 Patched Version released
2019-06-13 Advisory released

About X41 D-SEC GmbH
====================
X41 is an expert provider for application security services.
Having extensive industry experience and expertise in the area of
information security, a strong core security team of world class
security experts enables X41 to perform premium security services.
Fields of expertise in the area of application security are security
centered code reviews, binary reverse engineering and vulnerability
discovery.

Custom research and a IT security consulting and support services are
core competencies of X41.
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEpwxVTgxAIcUvTugIo5Klpg50CxAFAl0CtA8ACgkQo5Klpg50
CxBOsRAAgrlacP0odW8SZzyesjFmr5qc/b/31jDQmItPlbwOIkyIQyWcxJkXqwRe
5nQlGY/hqYsJqK/V3FEfiC3AKNi/03beFnsVv31EVR2X766QMj/cg4nype8F7jOr
NkiGos46xn33F1LXkRT/7YkNul7IhH7woYC5XxrTPTeHDFfWfq7/PbsT5iVwD33+
56tkKYjT5NPrk3uJv1hc10e06KM5RftzdOS4ETVrJlz9cfmtvxfqzoI85eZ65/cP
HieZp3lq4+52hlmKBuTojWrodZ/YThQQFLI/mst4ddpkaGX2axr5WdJbQ+fH3hDy
wba85ejj0w6+/5f7kc04xcgO3cEsPciLALqlBYwSbOVA/M7K5h8TFgh+NGz0naGt
rooiyg5sT1lxcZzItUZks9bdxW35SEE8KE2nMvPXS9DujPo3jDEbWE1/SjP3HgBE
Ehnkur/cNamIOhw7m5iU0vfWjMiybrhgD1D/zQTn74gs8fKz+DGHURKEaSfpKVfq
ISbYPaHrGbBG1piA+fhX/pzagazXWlfwVNH2Fddu/aMSD4492J2JQSDx+Yt7J/7j
B+fLMIV88PE31jGViedVd1gREp4qxMN8yH7b0ht7BlCPqHeTQvPr0mWygYIL1z/b
9lO7/XALTENBH9bllzsS6y1b3JqM0+WU59SoPGpFj90rm/5/qGc=
=pect
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.