Closed Bug 1555646 (CVE-2019-11706) Opened 5 years ago Closed 5 years ago

Type confusion in icalproperty.c icaltimezone_get_vtimezone_properties


(Calendar :: General, defect)

Not set


(Not tracked)



(Reporter: u621419, Assigned: darktrojan)



(Keywords: csectype-bounds, sec-low)


(2 files)

Attached file type-confusion.eml β€”

User Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Steps to reproduce:

Open the attached saved message (type-confusion.eml) in Thunderbird. Receiving this message in my inbox also triggers the bug without further user interaction. The thunderbird process is killed.

Actual results:

A type confusion happens in icaltimezone_get_vtimezone_properties while trying to access a a TZID property of the wrong kind.

The bug manifests with zone->tzid = strdup (tzid); being called with tzid containing a bad pointer, wich hopefully dereferences a non-mapped address but could point to an arbitrary position when an attacker crafts a malicious ICS file. This situation happens when icaltimezone_get_vtimezone_properties is invoked with a malformed input whose TZID property has the wrong kind (ICAL_FLOAT_VALUE in this case), subsequently trying to access data->v_string (which is illegal for an ICAL_FLOAT_VALUE object.

The bug is described upstream here as "The problem was that the parser allowed any valid value type to be parsed, regardless of whether it was legal for the given property, and the code accessing the property value was assuming the default type.".

Asan report:
==16790==ERROR: AddressSanitizer: SEGV on unknown address 0x000300000000 (pc 0x7fab68e575a1 bp 0x7ffc1d697530 sp 0x7ffc1d696cb8 T0)
==16790==The signal is caused by a READ memory access.
    #0 0x7fab68e575a0  /build/glibc-OTsEL5/glibc-2.27/string/../sysdeps/x86_64/multiarch/strlen-avx2.S:59
    #1 0x471c2f in strdup (/opt/out/thunderbird_libical_fuzzer+0x471c2f)
    #2 0x597b10 in icaltimezone_get_location_from_vtimezone /opt/src/thunderbird-60.6.1/comm/calendar/libical/src/libical/icaltimezone.c:311:13
    #3 0x597b10 in icaltimezone_get_vtimezone_properties /opt/src/thunderbird-60.6.1/comm/calendar/libical/src/libical/icaltimezone.c:292
    #4 0x598697 in icaltimezone_array_append_from_vtimezone /opt/src/thunderbird-60.6.1/comm/calendar/libical/src/libical/icaltimezone.c:1281:9
    #5 0x561c09 in icalcomponent_add_component /opt/src/thunderbird-60.6.1/comm/calendar/libical/src/libical/icalcomponent.c:572:2
    #6 0x57e647 in icalparser_add_line /opt/src/thunderbird-60.6.1/comm/calendar/libical/src/libical/icalparser.c:767:6
    #7 0x57db2f in icalparser_parse /opt/src/thunderbird-60.6.1/comm/calendar/libical/src/libical/icalparser.c:622:11
    #8 0x5623a3 in icalparser_parse_string /opt/src/thunderbird-60.6.1/comm/calendar/libical/src/libical/icalparser.c:1235:9
    #9 0x55fa56 in LLVMFuzzerTestOneInput /opt/src/
    #10 0x43103d in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (/opt/out/thunderbird_libical_fuzzer+0x43103d)
    #11 0x420aaa in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) (/opt/out/thunderbird_libical_fuzzer+0x420aaa)
    #12 0x42b9e8 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) (/opt/out/thunderbird_libical_fuzzer+0x42b9e8)
    #13 0x41d712 in main (/opt/out/thunderbird_libical_fuzzer+0x41d712)
    #14 0x7fab68ceab96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
    #15 0x41d749 in _start (/opt/out/thunderbird_libical_fuzzer+0x41d749)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /build/glibc-OTsEL5/glibc-2.27/string/../sysdeps/x86_64/multiarch/strlen-avx2.S:59

Expected results:

No heap overflow nor corruption.

A fix can be found here

Sorry for the formatting mess =D

Component: Untriaged → General
Product: Thunderbird → Calendar
Version: 60 → unspecified
Assignee: nobody → geoff
Ever confirmed: true

Copied from except that we don't define ICAL_IMAGE_PROPERTY (commented that case out), and that RDATE should accept ICAL_DATETIME_VALUE (this seems to have been fixed upstream).

Attachment #9070516 - Flags: review?(philipp)
Attachment #9070516 - Flags: review?(philipp) → review+

Please request approval for esr and beta for the patches that need to be uplifted.

Attachment #9070516 - Flags: approval-calendar-esr?(philipp)
Attachment #9070516 - Flags: approval-calendar-beta?(philipp)
Blocks: 1557562
Attachment #9070516 - Flags: approval-calendar-esr?(philipp)
Attachment #9070516 - Flags: approval-calendar-esr+
Attachment #9070516 - Flags: approval-calendar-beta?(philipp)
Attachment #9070516 - Flags: approval-calendar-beta+
Closed: 5 years ago
Resolution: --- → FIXED
Target Milestone: --- → 7.1
Target Milestone: 7.0 → 6.2.7
Alias: CVE-2019-11706
Group: mail-core-security → core-security-release
Group: core-security-release
You need to log in before you can comment on or make changes to this bug.