Closed Bug 1855540 Opened 8 months ago Closed 5 months ago

Receiving email with crafted iCalendar file causes denial of service

Categories

(Thunderbird :: Security, defect)

Thunderbird 115
defect

Tracking

(Not tracked)

RESOLVED DUPLICATE of bug 1850732

People

(Reporter: g33kex, Unassigned)

Details

(Keywords: regression)

Attachments

(1 file)

532 bytes, message/rfc822
Attached file freeze.eml

Steps to reproduce:

Receive an email with an attached event invitation in an ics file containing an invalid RRULE in the VTIMEZONE section. There is no need to open the email, it just needs to be present in the inbox. An example of such email is provided in freeze.eml. Sending this email to any Thunderbird 115 user will trigger the bug. Of course, opening the email using thunderbird freeze.eml will also trigger the bug.

Actual results:

Thunderbird freezes when the email is received and the interface is unresponsive. Restarting Thunderbird causes a freeze a few seconds after launch. The freeze will occur as long as the email is in any folder. This causes a permanent denial of service for the user receiving the malicious email, without any user interaction needed.

Expected results:

Thunderbird should correctly handle an invalid RRULE in iCalendar files and not enter an infinite loop.

This security issue is caused by Bug 1850732 and Thunderbird automatically analyzing iCalendar attachments. Maybe iCalendar attachments should not be parsed before the user tries to import the event.

See Also: → 1850732

Doesn't freeze for me when I load that .eml - not opening it, and not if it's in a folder.

Thunderbird doesn't automatically analyze mails that were not opened. Some add-on might do that. Can you reproduce in safe-mode (Help | Troubleshoot mode)?

Which exact Thunderbird version are you running?

Keywords: regression
Regressed by: 1850732
See Also: 1850732

Magnus, maybe you couldn't reproduce because you're using a build that already has the fix for bug 1850732?

Is my understanding correct, g33kex simply used a file that triggers that bug?

If that's what g33kex did, then I don't see the point in this new bug report. Of course, a bug with an endless loop is a way to DoS the software. But the issue is known, and we're working on getting it fixed in the next 115.x update.

That's probably the case yes. Reporter, please clarify as you wrote "caused by Bug 1850732"

I reproduced in Thunderbird 115.2.2 and Thunderbird 115.3.0, in safe-mode, on a fresh Ubuntu 22.04 install.

I'm aware the root cause of this particular bug is fixed in 1850732, but the additional issue is that simply receiving the email triggers the bug. This means that the code handling the iCalendar attachment, that may contain other bugs such as this one, somehow runs before the email is opened. I think this behavior is unsafe because it converts a local harmless freeze into a remote one.

This is just a symptom of bug 1850732 which isn't fixed in 115 - it didn't cause what the reporter is describing, so this is not a regression of 1850732.
The cause is bug 1149470.

Flags: needinfo?(mkmelin+mozilla)

Indeed this is just bug 1850732. We can't fix it more than once.

Status: UNCONFIRMED → RESOLVED
Closed: 8 months ago
Duplicate of bug: 1850732
Flags: needinfo?(mkmelin+mozilla)
No longer regressed by: 1850732
Resolution: --- → DUPLICATE

We are three months past this being fixed in the current release. Time to remove the security setting and open it up?

Status: RESOLVED → UNCONFIRMED
No longer duplicate of bug: 1850732
Flags: needinfo?(mkmelin+mozilla)
Resolution: DUPLICATE → ---

Let's open it up yes. It's a dupe though.

Group: mail-core-security
Status: UNCONFIRMED → RESOLVED
Closed: 8 months ago → 5 months ago
Duplicate of bug: 1850732
Flags: needinfo?(mkmelin+mozilla)
Resolution: --- → DUPLICATE
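
Added example, not part of the original report or of Thunderbird's code: a pre-parse well-formedness check for RRULE values inside VTIMEZONE components, of the kind a mail filter could run on .ics attachments. The rules come from RFC 5545; the report does not say which RRULE value triggers the freeze, so the sample input and the function names are constructed for illustration.

```python
import re

# RFC 5545 recurrence frequencies and the rule parts a RECUR value may carry.
FREQS = {"SECONDLY", "MINUTELY", "HOURLY", "DAILY", "WEEKLY", "MONTHLY", "YEARLY"}
PARTS = {"FREQ", "UNTIL", "COUNT", "INTERVAL", "BYSECOND", "BYMINUTE", "BYHOUR",
         "BYDAY", "BYMONTHDAY", "BYYEARDAY", "BYWEEKNO", "BYMONTH", "BYSETPOS", "WKST"}

# Constructed sample (assumption), not the freeze.eml attachment from this bug.
SAMPLE = ("BEGIN:VCALENDAR\r\nBEGIN:VTIMEZONE\r\nTZID:Example/Zone\r\n"
          "BEGIN:STANDARD\r\nRRULE:FREQ=YEARLY;INTERVAL=0;BYMONTH=10\r\n"
          "END:STANDARD\r\nEND:VTIMEZONE\r\nEND:VCALENDAR\r\n")

def unfold(text):
    """Undo RFC 5545 line folding (line break followed by a space or tab)."""
    return re.sub(r"\r?\n[ \t]", "", text).splitlines()

def check_rrule(value):
    """Return a list of problems found in one RRULE value."""
    problems, seen = [], {}
    for part in value.split(";"):
        name, sep, val = part.partition("=")
        name = name.upper()
        if not sep or not val:
            problems.append(f"malformed part {part!r}")
        elif name not in PARTS:
            problems.append(f"unknown part {name}")
        else:
            seen[name] = val
    if seen.get("FREQ", "").upper() not in FREQS:
        problems.append("FREQ missing or not a valid frequency")
    for name in ("INTERVAL", "COUNT"):
        if name in seen and not re.fullmatch(r"0*[1-9][0-9]*", seen[name]):
            problems.append(f"{name} must be a positive integer")
    if "UNTIL" in seen and "COUNT" in seen:
        problems.append("UNTIL and COUNT are mutually exclusive")
    return problems

def scan_vtimezone_rrules(ics_text):
    """Return (unfolded_line_number, problem) pairs for RRULEs inside VTIMEZONE."""
    findings, inside = [], False
    for n, line in enumerate(unfold(ics_text), 1):
        upper = line.strip().upper()
        if upper in ("BEGIN:VTIMEZONE", "END:VTIMEZONE"):
            inside = upper.startswith("BEGIN")
        elif inside and re.match(r"RRULE[;:]", upper):
            value = line.split(":", 1)[1] if ":" in line else ""
            findings += [(n, p) for p in check_rrule(value.strip())]
    return findings
```

A non-empty result from `scan_vtimezone_rrules` is a reason to quarantine or strip the attachment before it reaches a calendar parser; an empty result only means the rule is syntactically plausible.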