Closed Bug 1733309 Opened 1 year ago Closed 1 year ago

Crash when parsing receiving invalid .ics file via email

Categories

(Calendar :: General, defect)

Thunderbird 91
Unspecified
All
defect

Tracking

(thunderbird_esr91+ fixed)

RESOLVED FIXED
94 Branch
Tracking Status
thunderbird_esr91 + fixed

People

(Reporter: mozilla-bugs, Assigned: mkmelin)

References

()

Details

Attachments

(2 files)

Attached file broken-minimal.zip

User Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:92.0) Gecko/20100101 Firefox/92.0

Steps to reproduce:

I received an email with an invalid .ics file which causes TB to crash. Since no user interaction is necessary, a anonymous attacker can easily render targeted Thunderbird users unable to use their mail account. I therefor consider the report security sensitive.

The problem can be reproduced via

./thundebird -file broken-minimal.ics

or by opening a mail folder in TB which contains an email with an invalid .ics file attached.
An example file is provided in a zip container.

Actual results:

Best guess: The contained VCALENDAR object in the .ics file was parsed.

Thunderbird crashed.

Hint: In this specific case, removing the "RRULE" line from the .ics file prevents the crash from happening.

Expected results:

I expect a message displayed instead of a formatted calendar entry saying e.g. "Invalid calendar object".

#0 __memmove_avx_unaligned_erms () at ../sysdeps/x86_64/multiarch/memmove-vec-unaligned-erms.S:443
#1 0x00007ffff2e543d7 in icalvalue_get_recur (value=0x7fffc91f3340) at icalderivedvalue.c:867
#2 0x00007ffff2e4f57f in icalproperty_get_rrule (prop=0x7fffc91b8980) at icalderivedproperty.c:2598
#3 0x00007ffff2e42e0b in calRecurrenceRule::SetIcalProperty(calIIcalProperty*) (this=0x7fffc92b3000, aProp=0x7fffc91fe2b0)
at /home/magnus/Code/tb/mozilla/comm/calendar/base/backend/libical/calRecurrenceRule.cpp:503

Component: Untriaged → General
Product: Thunderbird → Calendar
Assignee: nobody → mkmelin+mozilla
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Target Milestone: --- → 94 Branch
Status: ASSIGNED → RESOLVED
Closed: 1 year ago
Resolution: --- → FIXED

Comment on attachment 9243678 [details]
Bug 1733309 - fix crash in icalvalue_get_recur. r=benc

[Approval Request Comment]
Regression caused by (bug #): not a regression
User impact if declined: can crash trying to open specific ics file
Testing completed (on c-c, etc.): c-c
Risk to taking this patch (and alternatives if risky): no alternatives. The patch has been on upstream forever so should be safe...

Attachment #9243678 - Flags: approval-comm-esr91?

Needs a security rating set in keywords (looks like sec-low or sec-moderate) and vulnerability advisory write up.

Duplicate of this bug: 1726774

(In reply to Wayne Mery (:wsmwk) from comment #5)

Needs a security rating set in keywords (looks like sec-low or sec-moderate) and vulnerability advisory write up.

Actually, I don't think this is so severe that it warrants a security rating.

Risk to taking this patch (and alternatives if risky): no alternatives. The patch has been on upstream forever so should be safe...

Rob, considering the patch is from early 2019, do you agree to taking this straight to esr?

Group: mail-core-security
Flags: needinfo?(rob)
OS: Unspecified → All

Comment on attachment 9243678 [details]
Bug 1733309 - fix crash in icalvalue_get_recur. r=benc

[Triage Comment]
Approved for esr91

Attachment #9243678 - Flags: approval-comm-esr91? → approval-comm-esr91+
Flags: needinfo?(rob)

Comment on attachment 9243678 [details]
Bug 1733309 - fix crash in icalvalue_get_recur. r=benc

[Triage Comment]
Approved for 78.15.0 by wsmwk via Matrix.

Attachment #9243678 - Flags: approval-comm-esr78+
Duplicate of this bug: 1730388
You need to log in before you can comment on or make changes to this bug.