Crash when parsing receiving invalid .ics file via email
Categories
(Calendar :: General, defect)
Tracking
(thunderbird_esr91+ fixed)
People
(Reporter: mozilla-bugs, Assigned: mkmelin)
References
()
Details
Attachments
(2 files)
|
532 bytes,
application/zip
|
Details | |
|
48 bytes,
text/x-phabricator-request
|
rjl
:
approval-comm-esr78+
wsmwk
:
approval-comm-esr91+
|
Details | Review |
User Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:92.0) Gecko/20100101 Firefox/92.0
Steps to reproduce:
I received an email with an invalid .ics file which causes TB to crash. Since no user interaction is necessary, a anonymous attacker can easily render targeted Thunderbird users unable to use their mail account. I therefor consider the report security sensitive.
The problem can be reproduced via
./thundebird -file broken-minimal.ics
or by opening a mail folder in TB which contains an email with an invalid .ics file attached.
An example file is provided in a zip container.
Actual results:
Best guess: The contained VCALENDAR object in the .ics file was parsed.
Thunderbird crashed.
Hint: In this specific case, removing the "RRULE" line from the .ics file prevents the crash from happening.
Expected results:
I expect a message displayed instead of a formatted calendar entry saying e.g. "Invalid calendar object".
|
Assignee | |
Comment 1•3 years ago
|
||
#0 __memmove_avx_unaligned_erms () at ../sysdeps/x86_64/multiarch/memmove-vec-unaligned-erms.S:443
#1 0x00007ffff2e543d7 in icalvalue_get_recur (value=0x7fffc91f3340) at icalderivedvalue.c:867
#2 0x00007ffff2e4f57f in icalproperty_get_rrule (prop=0x7fffc91b8980) at icalderivedproperty.c:2598
#3 0x00007ffff2e42e0b in calRecurrenceRule::SetIcalProperty(calIIcalProperty*) (this=0x7fffc92b3000, aProp=0x7fffc91fe2b0)
at /home/magnus/Code/tb/mozilla/comm/calendar/base/backend/libical/calRecurrenceRule.cpp:503
|
|
Assignee | |
Updated•3 years ago
|
|
|
Assignee | |
Comment 2•3 years ago
|
||
|
|
Assignee | |
Comment 3•3 years ago
|
||
|
|
Assignee | |
Comment 4•3 years ago
|
||
Comment on attachment 9243678 [details]
Bug 1733309 - fix crash in icalvalue_get_recur. r=benc
[Approval Request Comment]
Regression caused by (bug #): not a regression
User impact if declined: can crash trying to open specific ics file
Testing completed (on c-c, etc.): c-c
Risk to taking this patch (and alternatives if risky): no alternatives. The patch has been on upstream forever so should be safe...
|
||
Comment 5•3 years ago
|
||
Needs a security rating set in keywords (looks like sec-low or sec-moderate) and vulnerability advisory write up.
|
|
||
Comment 7•3 years ago
|
||
(In reply to Wayne Mery (:wsmwk) from comment #5)
Needs a security rating set in keywords (looks like sec-low or sec-moderate) and vulnerability advisory write up.
Actually, I don't think this is so severe that it warrants a security rating.
Risk to taking this patch (and alternatives if risky): no alternatives. The patch has been on upstream forever so should be safe...
Rob, considering the patch is from early 2019, do you agree to taking this straight to esr?
|
|
||
Comment 8•3 years ago
|
||
Comment on attachment 9243678 [details]
Bug 1733309 - fix crash in icalvalue_get_recur. r=benc
[Triage Comment]
Approved for esr91
|
|
||
Updated•3 years ago
|
|
||
Comment 9•3 years ago
|
||
| bugherder uplift | ||
Thunderbird 91.2.0:
https://hg.mozilla.org/releases/comm-esr91/rev/6a7448b27124
|
|
||
Updated•3 years ago
|
|
|
||
Comment 10•3 years ago
|
||
Comment on attachment 9243678 [details]
Bug 1733309 - fix crash in icalvalue_get_recur. r=benc
[Triage Comment]
Approved for 78.15.0 by wsmwk via Matrix.
Description
•