Closed Bug 1302696 Opened 4 years ago Closed 4 years ago

Thunderbird crashes while importing a malformed .ics file

Categories

(Calendar :: Internal Components, defect)

Lightning 4.7
defect
Not set
normal

Tracking

(Not tracked)

RESOLVED DUPLICATE of bug 1282130

People

(Reporter: dhiru.kholia, Unassigned)

Details

Crash Data

Attachments

(1 file)

Attached file CVE-2016-5823.ics
User Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36

Steps to reproduce:

Import the attached "CVE-2016-5823.ics" file in Thunderbird 45 from the "Events and Tasks" menu option. This file was generated during fuzzing done by Brandon Perry.


Actual results:

Thunderbird 45 crashes while importing the attached file. While running Thunderbird under Valgrind I see,

==12762== Invalid read of size 4
==12762==    at 0x3000A8E5: ??? (in /home/user/.thunderbird/cupk658m.default/extensions/{e2fda1a4-762b-4020-b5ad-a41df1933103}/components/libcalbasecomps.so)
==12762==    by 0x3000A12F: ??? (in /home/user/.thunderbird/cupk658m.default/extensions/{e2fda1a4-762b-4020-b5ad-a41df1933103}/components/libcalbasecomps.so)
==12762==    by 0x3000A263: ??? (in /home/user/.thunderbird/cupk658m.default/extensions/{e2fda1a4-762b-4020-b5ad-a41df1933103}/components/libcalbasecomps.so)
==12762==    by 0x3000A361: ??? (in /home/user/.thunderbird/cupk658m.default/extensions/{e2fda1a4-762b-4020-b5ad-a41df1933103}/components/libcalbasecomps.so)
==12762==    by 0x30014EEC: ??? (in /home/user/.thunderbird/cupk658m.default/extensions/{e2fda1a4-762b-4020-b5ad-a41df1933103}/components/libcalbasecomps.so)
==12762==    by 0x834FDB0: NS_InvokeByIndex (in /usr/lib64/thunderbird/libxul.so)
==12762==    by 0x8771493: ??? (in /usr/lib64/thunderbird/libxul.so)
==12762==    by 0x87767C7: ??? (in /usr/lib64/thunderbird/libxul.so)
==12762==    by 0xA2214C7: ??? (in /usr/lib64/thunderbird/libxul.so)
==12762==    by 0xA21C214: ??? (in /usr/lib64/thunderbird/libxul.so)
==12762==    by 0xA221180: ??? (in /usr/lib64/thunderbird/libxul.so)
==12762==    by 0xA221426: ??? (in /usr/lib64/thunderbird/libxul.so)
==12762==  Address 0x8 is not stack'd, malloc'd or (recently) free'd

Expected results:

Thunderbird should not crash.
Here is the backtrace with debug symbols installed,

$ valgrind /usr/lib64/thunderbird/thunderbird  # import CVE-2016-5823.ics file from "Events and Tasks" menu option, Fedora 24
...
==19546== Invalid read of size 4
==19546==    at 0x30F0A8E5: icalproperty_new_clone (icalproperty.c:137)
==19546==    by 0x30F0A12F: icalparser_add_line (icalparser.c:1081)
==19546==    by 0x30F0A263: icalparser_parse (icalparser.c:623)
==19546==    by 0x30F0A361: icalparser_parse_string (icalparser.c:1250)
==19546==    by 0x30F14EEC: calICSService::ParseICS(nsACString const&, calITimezoneProvider*, calIIcalComponent**) (calICSService.cpp:1257)
==19546==    by 0x8350076: NS_InvokeByIndex (xptcinvoke_x86_64_unix.cpp:176)
==19546==    by 0x8771895: Invoke (XPCWrappedNative.cpp:2097)
==19546==    by 0x8771895: Call (XPCWrappedNative.cpp:1414)
==19546==    by 0x8771895: XPCWrappedNative::CallMethod(XPCCallContext&, XPCWrappedNative::CallMode) (XPCWrappedNative.cpp:1381)
==19546==    by 0x8776BDD: XPC_WN_CallMethod(JSContext*, unsigned int, JS::Value*) (XPCWrappedNativeJSOps.cpp:1115)
==19546==    by 0xA221897: CallJSNative (jscntxtinlines.h:240)
==19546==    by 0xA221897: js::Invoke(JSContext*, JS::CallArgs const&, js::MaybeConstruct) (Interpreter.cpp:444)
==19546==    by 0xA21C5E4: Interpret(JSContext*, js::RunState&) (Interpreter.cpp:2766)
==19546==    by 0xA221550: js::RunScript(JSContext*, js::RunState&) (Interpreter.cpp:391)
==19546==    by 0xA2217F6: js::Invoke(JSContext*, JS::CallArgs const&, js::MaybeConstruct) (Interpreter.cpp:462)
==19546==  Address 0x8 is not stack'd, malloc'd or (recently) free'd
Brandon Perry reported several findings <https://mzl.la/2cNpAnz> but none of them seem labeled CVE-2016-5823.
Alias: CVE-2016-5823
Component: General → Internal Components
Version: unspecified → Lightning 4.7
See http://seclists.org/oss-sec/2016/q2/604 for the CVE assignment. The file "segv.ics.bug" mentioned in the CVE assignment is the same as the attached CVE-2016-5823.ics file.
Attachment #8791151 - Attachment mime type: text/calendar → text/plain
Seems this one was already reported too.
Alias: CVE-2016-5823
Status: UNCONFIRMED → RESOLVED
Crash Signature: [@ icalproperty_new_clone ]
Closed: 4 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 1282130 (CVE-2016-5823)