1733309 - Crash when parsing receiving invalid .ics file via email

Status: RESOLVED FIXED

(Calendar :: General, defect)

Description

[Frank]

Attachment: broken-minimal.zip

User Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:92.0) Gecko/20100101 Firefox/92.0

Steps to reproduce:

I received an email with an invalid .ics file which causes TB to crash. Since no user interaction is necessary, a anonymous attacker can easily render targeted Thunderbird users unable to use their mail account. I therefor consider the report security sensitive.

The problem can be reproduced via

./thundebird -file broken-minimal.ics

or by opening a mail folder in TB which contains an email with an invalid .ics file attached.
An example file is provided in a zip container.

Actual results:

Best guess: The contained VCALENDAR object in the .ics file was parsed.

Thunderbird crashed.

Hint: In this specific case, removing the "RRULE" line from the .ics file prevents the crash from happening.

Expected results:

I expect a message displayed instead of a formatted calendar entry saying e.g. "Invalid calendar object".

Comment 1

[Magnus Melin [:mkmelin]]

#0 __memmove_avx_unaligned_erms () at ../sysdeps/x86_64/multiarch/memmove-vec-unaligned-erms.S:443
#1 0x00007ffff2e543d7 in icalvalue_get_recur (value=0x7fffc91f3340) at icalderivedvalue.c:867
#2 0x00007ffff2e4f57f in icalproperty_get_rrule (prop=0x7fffc91b8980) at icalderivedproperty.c:2598
#3 0x00007ffff2e42e0b in calRecurrenceRule::SetIcalProperty(calIIcalProperty*) (this=0x7fffc92b3000, aProp=0x7fffc91fe2b0)
at /home/magnus/Code/tb/mozilla/comm/calendar/base/backend/libical/calRecurrenceRule.cpp:503

Comment 2

[Magnus Melin [:mkmelin]]

Attachment: Bug 1733309 - fix crash in icalvalue_get_recur. r=benc

Add upstream patch: https://github.com/libical/libical/commit/729ce018d46de6f8949e45bf95910ab479fff1b3

Comment 3

[Magnus Melin [:mkmelin]]

https://hg.mozilla.org/comm-central/rev/5a56078740dd1e017e2dcf26974571394870c2dc

Comment 4

[Magnus Melin [:mkmelin]]

Comment on attachment 9243678 [details]
Bug 1733309 - fix crash in icalvalue_get_recur. r=benc

[Approval Request Comment]
Regression caused by (bug #): not a regression
User impact if declined: can crash trying to open specific ics file
Testing completed (on c-c, etc.): c-c
Risk to taking this patch (and alternatives if risky): no alternatives. The patch has been on upstream forever so should be safe...

Comment 5

[Wayne Mery (:wsmwk)]

Needs a security rating set in keywords (looks like sec-low or sec-moderate) and vulnerability advisory write up.

Comment 7

[Wayne Mery (:wsmwk)]

(In reply to Wayne Mery (:wsmwk) from comment #5)

Needs a security rating set in keywords (looks like sec-low or sec-moderate) and vulnerability advisory write up.

Actually, I don't think this is so severe that it warrants a security rating.

Risk to taking this patch (and alternatives if risky): no alternatives. The patch has been on upstream forever so should be safe...

Rob, considering the patch is from early 2019, do you agree to taking this straight to esr?

Comment 8

[Wayne Mery (:wsmwk)]

Comment on attachment 9243678 [details]
Bug 1733309 - fix crash in icalvalue_get_recur. r=benc

[Triage Comment]
Approved for esr91

Comment 9

[Rob Lemley [:rjl]]

Thunderbird 91.2.0:
https://hg.mozilla.org/releases/comm-esr91/rev/6a7448b27124

Comment 10

[Rob Lemley [:rjl]]

Comment on attachment 9243678 [details]
Bug 1733309 - fix crash in icalvalue_get_recur. r=benc

[Triage Comment]
Approved for 78.15.0 by wsmwk via Matrix.