Bug 1302696 - Thunderbird crashes while importing a malformed .ics file
Status: Closed, RESOLVED DUPLICATE of bug 1282130
Opened 8 years ago, closed 8 years ago
Categories: Calendar :: Internal Components, defect
Tracking: Not tracked
People: Reporter: dhiru.kholia, Unassigned
Attachments (1 file): 7.99 KB, text/plain
User Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36

Steps to reproduce:

Import the attached "CVE-2016-5823.ics" file in Thunderbird 45 from the "Events and Tasks" menu option. This file was generated during fuzzing done by Brandon Perry.

Actual results:

Thunderbird 45 crashes while importing the attached file. While running Thunderbird under Valgrind I see,

==12762== Invalid read of size 4
==12762==    at 0x3000A8E5: ??? (in /home/user/.thunderbird/cupk658m.default/extensions/{e2fda1a4-762b-4020-b5ad-a41df1933103}/components/libcalbasecomps.so)
==12762==    by 0x3000A12F: ??? (in /home/user/.thunderbird/cupk658m.default/extensions/{e2fda1a4-762b-4020-b5ad-a41df1933103}/components/libcalbasecomps.so)
==12762==    by 0x3000A263: ??? (in /home/user/.thunderbird/cupk658m.default/extensions/{e2fda1a4-762b-4020-b5ad-a41df1933103}/components/libcalbasecomps.so)
==12762==    by 0x3000A361: ??? (in /home/user/.thunderbird/cupk658m.default/extensions/{e2fda1a4-762b-4020-b5ad-a41df1933103}/components/libcalbasecomps.so)
==12762==    by 0x30014EEC: ??? (in /home/user/.thunderbird/cupk658m.default/extensions/{e2fda1a4-762b-4020-b5ad-a41df1933103}/components/libcalbasecomps.so)
==12762==    by 0x834FDB0: NS_InvokeByIndex (in /usr/lib64/thunderbird/libxul.so)
==12762==    by 0x8771493: ??? (in /usr/lib64/thunderbird/libxul.so)
==12762==    by 0x87767C7: ??? (in /usr/lib64/thunderbird/libxul.so)
==12762==    by 0xA2214C7: ??? (in /usr/lib64/thunderbird/libxul.so)
==12762==    by 0xA21C214: ??? (in /usr/lib64/thunderbird/libxul.so)
==12762==    by 0xA221180: ??? (in /usr/lib64/thunderbird/libxul.so)
==12762==    by 0xA221426: ??? (in /usr/lib64/thunderbird/libxul.so)
==12762==  Address 0x8 is not stack'd, malloc'd or (recently) free'd

Expected results:

Thunderbird should not crash.
Comment 1 (Reporter) • 8 years ago
Here is the backtrace with debug symbols installed,

$ valgrind /usr/lib64/thunderbird/thunderbird
# import CVE-2016-5823.ics file from "Events and Tasks" menu option, Fedora 24
...
==19546== Invalid read of size 4
==19546==    at 0x30F0A8E5: icalproperty_new_clone (icalproperty.c:137)
==19546==    by 0x30F0A12F: icalparser_add_line (icalparser.c:1081)
==19546==    by 0x30F0A263: icalparser_parse (icalparser.c:623)
==19546==    by 0x30F0A361: icalparser_parse_string (icalparser.c:1250)
==19546==    by 0x30F14EEC: calICSService::ParseICS(nsACString const&, calITimezoneProvider*, calIIcalComponent**) (calICSService.cpp:1257)
==19546==    by 0x8350076: NS_InvokeByIndex (xptcinvoke_x86_64_unix.cpp:176)
==19546==    by 0x8771895: Invoke (XPCWrappedNative.cpp:2097)
==19546==    by 0x8771895: Call (XPCWrappedNative.cpp:1414)
==19546==    by 0x8771895: XPCWrappedNative::CallMethod(XPCCallContext&, XPCWrappedNative::CallMode) (XPCWrappedNative.cpp:1381)
==19546==    by 0x8776BDD: XPC_WN_CallMethod(JSContext*, unsigned int, JS::Value*) (XPCWrappedNativeJSOps.cpp:1115)
==19546==    by 0xA221897: CallJSNative (jscntxtinlines.h:240)
==19546==    by 0xA221897: js::Invoke(JSContext*, JS::CallArgs const&, js::MaybeConstruct) (Interpreter.cpp:444)
==19546==    by 0xA21C5E4: Interpret(JSContext*, js::RunState&) (Interpreter.cpp:2766)
==19546==    by 0xA221550: js::RunScript(JSContext*, js::RunState&) (Interpreter.cpp:391)
==19546==    by 0xA2217F6: js::Invoke(JSContext*, JS::CallArgs const&, js::MaybeConstruct) (Interpreter.cpp:462)
==19546==  Address 0x8 is not stack'd, malloc'd or (recently) free'd
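Crash triage for a Valgrind report of this shape, as an added example that is not part of the bug, of libical or of Lightning: a small Python script that parses the "Invalid read" block from the symbolized trace above (embedded as a constructed sample, trimmed to the libical and Lightning frames), extracts the faulting address and the access stack, classifies the fault, and derives a Bugzilla-style crash signature from the innermost symbolized frame. The NULL_PAGE_LIMIT threshold and the category names are my own triage heuristics, not Valgrind output.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample input: the symbolized Valgrind report from comment 1 of
# this bug, trimmed to the libical and Lightning frames so it runs offline.
SAMPLE_REPORT = """\
==19546== Invalid read of size 4
==19546==    at 0x30F0A8E5: icalproperty_new_clone (icalproperty.c:137)
==19546==    by 0x30F0A12F: icalparser_add_line (icalparser.c:1081)
==19546==    by 0x30F0A263: icalparser_parse (icalparser.c:623)
==19546==    by 0x30F0A361: icalparser_parse_string (icalparser.c:1250)
==19546==    by 0x30F14EEC: calICSService::ParseICS(nsACString const&, calITimezoneProvider*, calIIcalComponent**) (calICSService.cpp:1257)
==19546==  Address 0x8 is not stack'd, malloc'd or (recently) free'd
"""

# Assumption (triage heuristic, not a Valgrind rule): a faulting address below
# the first page is a NULL pointer plus a field offset. 0x1000 is the default
# vm.mmap_min_addr on x86-64 Linux, so nothing can legitimately live there.
NULL_PAGE_LIMIT = 0x1000

HEADER_RE = re.compile(r"^==(\d+)== Invalid (read|write) of size (\d+)$")
FRAME_RE = re.compile(r"^==\d+==\s+(?:at|by) 0x([0-9A-Fa-f]+): (.+) \(([^()]+)\)$")
ADDRESS_RE = re.compile(r"^==\d+==\s+Address 0x([0-9A-Fa-f]+) is (.+)$")


@dataclass
class Frame:
    pc: int     # program counter of the frame
    func: str   # symbol, or "???" when no debug info was available
    loc: str    # "file.c:line", or "in /path/to/lib.so" when unsymbolized


@dataclass
class InvalidAccess:
    pid: int
    kind: str                      # "read" or "write"
    size: int                      # bytes accessed
    address: Optional[int] = None  # faulting address, if Valgrind printed one
    description: str = ""          # text after "Address 0x... is"
    frames: List[Frame] = field(default_factory=list)

    @property
    def category(self) -> str:
        """Rough bug class from the faulting address and Valgrind's wording."""
        if self.address is None:
            return "unknown"
        if self.address < NULL_PAGE_LIMIT:
            return "null-deref"
        if "not stack'd" in self.description:
            return "wild-pointer"
        if "free'd" in self.description:
            return "use-after-free"
        if "alloc'd" in self.description:
            return "heap-out-of-bounds"
        return "unknown"

    @property
    def null_offset(self) -> Optional[int]:
        """For a NULL dereference, the struct field offset that was accessed."""
        return self.address if self.category == "null-deref" else None

    @property
    def signature(self) -> str:
        """Bugzilla-style crash signature: the innermost symbolized frame."""
        for fr in self.frames:
            if fr.func != "???":
                return f"[@ {fr.func} ]"
        return "[@ ??? ]"


def parse_valgrind(text: str) -> List[InvalidAccess]:
    """Extract every 'Invalid read/write' block together with its access stack."""
    errors: List[InvalidAccess] = []
    current: Optional[InvalidAccess] = None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            current = InvalidAccess(int(m.group(1)), m.group(2), int(m.group(3)))
            errors.append(current)
            continue
        if current is None:
            continue
        m = FRAME_RE.match(line)
        if m:
            current.frames.append(Frame(int(m.group(1), 16), m.group(2), m.group(3)))
            continue
        m = ADDRESS_RE.match(line)
        if m:
            current.address = int(m.group(1), 16)
            current.description = m.group(2)
            # Frames after the Address line describe where a heap block was
            # allocated or freed, not the faulting access, so stop collecting.
            current = None
    return errors


def summarize(err: InvalidAccess) -> str:
    """One triage line per error, in the form a bug comment would carry."""
    where = f"{err.frames[0].func} ({err.frames[0].loc})" if err.frames else "unknown frame"
    extra = f", NULL + 0x{err.null_offset:x}" if err.null_offset is not None else ""
    return (f"pid {err.pid}: invalid {err.kind} of {err.size} bytes in {where}: "
            f"{err.category}{extra}; signature {err.signature}")


if __name__ == "__main__":
    for err in parse_valgrind(SAMPLE_REPORT):
        print(summarize(err))
```

For the trace above the script reports a null-deref at NULL + 0x8 with signature [@ icalproperty_new_clone ], which matches the Crash Signature later attached to this bug. A read that close to address zero is a field access through a null struct pointer, so on its own it is a crash (denial of service) rather than a controllable memory corruption; that assessment covers only this trace, and the same malformed input is still worth running under AddressSanitizer to see whether other parser paths fault differently.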
Comment 2 • 8 years ago
Brandon Perry reported several findings <https://mzl.la/2cNpAnz> but none of them seems labeled CVE-2016-5823.
Alias: CVE-2016-5823
Component: General → Internal Components
Version: unspecified → Lightning 4.7
Comment 3 (Reporter) • 8 years ago
See http://seclists.org/oss-sec/2016/q2/604 for the CVE assignment. The file "segv.ics.bug" mentioned in the CVE assignment is the same as the attached CVE-2016-5823.ics file.
Updated • 8 years ago
Attachment #8791151 - Attachment mime type: text/calendar → text/plain
Comment 4 • 8 years ago
Seems this one was already reported too.
Alias: CVE-2016-5823
Status: UNCONFIRMED → RESOLVED
Crash Signature: [@ icalproperty_new_clone ]
Closed: 8 years ago
Resolution: --- → DUPLICATE