Receiving email with crafted iCalendar file causes denial of service
Categories
(Thunderbird :: Security, defect)
Tracking
(Not tracked)
People
(Reporter: g33kex, Unassigned)
Details
(Keywords: regression)
Attachments
(1 file)
532 bytes,
message/rfc822
Steps to reproduce:
Receive an email with an attached event invitation in an ics file containing an invalid RRULE in the VTIMEZONE section. There is no need to open the email, it just needs to be present in the inbox. An example of such an email is provided in freeze.eml. Sending this email to any Thunderbird 115 user will trigger the bug. Of course, opening the email using thunderbird freeze.eml will also trigger the bug.
Actual results:
Thunderbird freezes when the email is received and the interface is unresponsive. Restarting Thunderbird causes a freeze a few seconds after launch. The freeze will occur as long as the email is in any folder. This causes a permanent denial of service for the user receiving the malicious email, without any user interaction needed.
Expected results:
Thunderbird should correctly handle an invalid RRULE in iCalendar files and not enter an infinite loop.
This security issue is caused by Bug 1850732 and Thunderbird automatically analyzing iCalendar attachments. Maybe iCalendar attachments should not be parsed before the user tries to import the event.
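Added example, not part of the bug report or of Thunderbird's code: a mail-gateway style check that finds RRULE properties inside VTIMEZONE blocks of calendar attachments and flags those that fail basic RFC 5545 grammar. The report does not say what made the RRULE in freeze.eml invalid, so the checks, the function names and the sample message are assumptions constructed for illustration.

```python
import email.policy

RRULE_KEYS = {"FREQ", "UNTIL", "COUNT", "INTERVAL", "BYSECOND", "BYMINUTE", "BYHOUR", "BYDAY",
              "BYMONTHDAY", "BYYEARDAY", "BYWEEKNO", "BYMONTH", "BYSETPOS", "WKST"}
FREQS = {"SECONDLY", "MINUTELY", "HOURLY", "DAILY", "WEEKLY", "MONTHLY", "YEARLY"}  # RFC 5545 3.3.10

def rrule_problems(value):
    """Return the grammar problems found in one RRULE value (empty list if none)."""
    problems, parts = [], {}
    for item in value.strip().split(";"):
        key, sep, val = (s.strip() for s in item.upper().partition("="))
        if not sep or not val or key not in RRULE_KEYS or key in parts:
            problems.append(f"bad rule part {item!r}")
        else:
            parts[key] = val
    if parts.get("FREQ") not in FREQS:
        problems.append("missing or unknown FREQ")
    for key in ("INTERVAL", "COUNT"):
        num = parts.get(key, "1")  # an absent part is fine
        if not (num.isascii() and num.isdigit() and int(num) > 0):
            problems.append(f"{key} must be a positive integer")
    return problems

def scan_message(raw_bytes):
    """Return (filename, rrule, problems) for each malformed RRULE inside a VTIMEZONE."""
    findings = []
    msg = email.message_from_bytes(raw_bytes, policy=email.policy.default)
    for part in msg.walk():
        name = part.get_filename() or ""
        if part.get_content_type() != "text/calendar" and not name.lower().endswith(".ics"):
            continue
        text = (part.get_payload(decode=True) or b"").decode("utf-8", "replace")
        # Normalise line endings, then unfold continuation lines (RFC 5545 section 3.1).
        text = text.replace("\r\n", "\n").replace("\n ", "").replace("\n\t", "")
        in_tz = False
        for line in text.split("\n"):
            prop, _, value = line.strip().partition(":")
            prop = prop.partition(";")[0].upper()  # drop property parameters
            if prop in ("BEGIN", "END") and value.strip().upper() == "VTIMEZONE":
                in_tz = prop == "BEGIN"
            elif in_tz and prop == "RRULE" and (found := rrule_problems(value)):
                findings.append((name, value, found))
    return findings

# Constructed sample message; its RRULE is NOT the one from the report's freeze.eml.
SAMPLE = "\r\n".join([
    "From: a@example.com", "To: b@example.com", "Subject: invite", "MIME-Version: 1.0",
    'Content-Type: text/calendar; charset=utf-8; name="invite.ics"', "", "BEGIN:VCALENDAR",
    "BEGIN:VTIMEZONE", "TZID:Example/Zone", "BEGIN:STANDARD", "DTSTART:19701025T030000",
    "RRULE:FREQ=SOMETIMES;BYMONTH=10", "END:STANDARD", "END:VTIMEZONE", "END:VCALENDAR", ""]).encode()
```

A gateway could quarantine or strip any attachment for which scan_message returns findings, so that a malformed rule never reaches a client that parses calendar data on receipt.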
Comment 1•8 months ago
Doesn't freeze for me when I load that .eml - not opening it, and not if it's in a folder.
Thunderbird doesn't automatically analyze mails that were not opened. Some add-on might do that. Can you reproduce in safe-mode (Help | Troubleshoot mode)?
Which exact Thunderbird version are you running?
Comment 2•8 months ago
Magnus, maybe you couldn't reproduce because you're using a build that already has the fix for bug 1850732?
Is my understanding correct, g33kex simply used a file that triggers that bug?
If that's what g33kex did, then I don't see the point in this new bug report. Of course, a bug with an endless loop is a way to DoS the software. But the issue is known, and we're working on getting it fixed in the next 115.x update.
Comment 3•8 months ago
That's probably the case yes. Reporter, please clarify as you wrote "caused by Bug 1850732".
I reproduced in Thunderbird 115.2.2 and Thunderbird 115.3.0, in safe-mode, on a fresh Ubuntu 22.04 install.
I'm aware the root cause of this particular bug is fixed in 1850732, but the additional issue is that simply receiving the email triggers the bug. This means that the code handling the iCalendar attachment, that may contain other bugs such as this one, somehow runs before the email is opened. I think this behavior is unsafe because it converts a local harmless freeze into a remote one.
Comment 5•8 months ago
This is just a symptom of bug 1850732 which isn't fixed in 115 - it didn't cause what the reporter is describing, so this is not a regression of 1850732.
The cause is bug 1149470.
Comment 6•8 months ago
Indeed this is just bug 1850732. We can't fix it more than once.
Comment 7•5 months ago
We are three months past this being fixed in the current release. Time to remove the security setting and open it up?
Comment 8•5 months ago
Let's open it up yes. It's a dupe though.