Closed
Bug 314337
Opened 19 years ago
Closed 2 years ago
calling addSubcomponent on an already-present VTIMEZONE can lead to crashes and other badness (libical)
Categories
(Calendar :: Internal Components, defect)
Calendar
Internal Components
Tracking
(Not tracked)
RESOLVED
WORKSFORME
People
(Reporter: dmosedale, Unassigned)
References
Details
(Keywords: crash, sec-audit)
Mostly orthogonal to the issues raised in bug 314334, calling addSubcomponent on a VTIMEZONE will ultimately lead to crashes while serializing. Scenario: Caller adds an item or event to the calendar which contains a certain VTIMEZONE. Later, caller adds a copy of the same VTIMEZONE component directly to the calendar. At serialization time, the calIComponent code enumerates the list of all timezones referenced by events in the calendar, and then adds them by calling icalcomponent_merge_component on a VCALENDAR containing only a VTIMEZONE component. During this operation, libical notices that this timezone is already present, and decides that it can just free the passed-in copy. icalcomponent_free ends up freeing it twice: first with the icaltimezone_free() that is called by icalcomponent_remove_component at <http://lxr.mozilla.org/mozilla/source/calendar/libical/src/libical/icalcomponent.c#248> and then again directly by calling icalcomponent_free recursively on the very next line. We might be able to get away with just not supporting calling AddSubcomponent with VTIMEZONE and throwing an exception when someone tries. I suspect that the reason this bug has not been noticed in libical before is because our merging of calendars containing only timezone components may be something that no other user of libical does. Also relevant here (and could perhaps be used as a workaround fix): currently GetReferencedTimezones doesn't notice a VTIMEZONE component that's passed in directly; it only notices stuff that's referenced by DATETIME properties.
Reporter | ||
Updated•19 years ago
|
Component: Base → libical
Updated•19 years ago
|
QA Contact: base → libical
Unfortunately, I do not have cycles to work on Calendar stuff these days (just as it's getting to the good part!), so I am a bad owner for these bugs. To delete the tragically-large chunk of bugspam, search for gregorianabdication.
Assignee: shaver → nobody
Updated•18 years ago
|
Flags: blocking0.3?
Updated•18 years ago
|
Component: libical → Internal Components
Comment 2•18 years ago
|
||
The bugspam monkeys have been set free and are feeding on Calendar :: Internal Components. Be afraid for your sanity!
QA Contact: libical → base
Comment 3•18 years ago
|
||
Major interop blocker.
Flags: blocking0.3? → blocking0.3+
Whiteboard: [swag:3d]
Comment 5•18 years ago
|
||
dmose: i'm not sure whether or not i completely understand this issue. icalcomponent_merge_component() takes two VCALENDAR components and merges the second one into the first, the second one will no longer exist after this function returns. but in AddTimezoneComponentToIcal() the VTIMEZONE component is explicetly cloned before being passed to icalcomponent_merge_component(). http://lxr.mozilla.org/seamonkey/source/calendar/base/src/calICSService.cpp#958 Could you please shed some light in here???
Updated•18 years ago
|
Whiteboard: [swag:3d] → [swag:3d][needs input from dmose]
Updated•18 years ago
|
Whiteboard: [swag:3d][needs input from dmose] → [swag:3d][needs input from dmose][no l10n impact]
Reporter | ||
Comment 6•18 years ago
|
||
After looking at talkback, I think this is mostly a theoretical problem if it's a real problem at all. I can't see any crashes which happened after the addSubcomponent fix that look like they should be attributed to this.
Flags: blocking0.3+ → blocking0.3-
Target Milestone: --- → Sunbird 0.5
Comment 7•18 years ago
|
||
Fixing what dmose meant
Comment 8•18 years ago
|
||
i think we should close this one. WONTFIX?
Reporter | ||
Comment 9•18 years ago
|
||
Since many crashes can lead to security bugs, I'd like to be convinced that the code here is not exploitable before we close this bug. If you'd rather not have it on your bug radar, feel free to re-assign to me.
Whiteboard: [swag:3d][needs input from dmose][no l10n impact]
Comment 11•18 years ago
|
||
This needs to be either determined to be a non-issue or fixed as part of the timezone work.
Flags: blocking-calendar0.5+
Priority: -- → P1
Comment 12•17 years ago
|
||
This bug is currently blocking 0.5 release. Is there a testcase or steps to reproduce the crash in current branch builds? I have not seen talkback reports or bug reports that show this issue.
Comment 13•17 years ago
|
||
Since we have no real STR and this is theoretical, I'm inclined to minus this for 0.5. Also reassigning to nobody@m.o.
Assignee: dmose → nobody
Flags: blocking-calendar0.5+ → blocking-calendar0.5-
Priority: P1 → --
Updated•17 years ago
|
Flags: blocking-calendar0.5-
Updated•14 years ago
|
Severity: normal → critical
Updated•13 years ago
|
Comment 15•12 years ago
|
||
Is this bug still valid for the current codebase?
Keywords: sec-audit
Whiteboard: [sg: audit]
Comment 16•8 years ago
|
||
(In reply to Daniel Veditz [:dveditz] from comment #15) > Is this bug still valid for the current codebase?
Flags: needinfo?(philipp)
Comment 17•8 years ago
|
||
Given we didn't make any major changes to libical in the past years I assume this is still valid.
Flags: needinfo?(philipp)
Comment 18•5 years ago
|
||
Does this still deserve sec-audit?
Flags: needinfo?(kaie)
Summary: calling addSubcomponent on an already-present VTIMEZONE can lead to crashes and other badness → calling addSubcomponent on an already-present VTIMEZONE can lead to crashes and other badness (libical)
Comment 19•3 years ago
|
||
With libcal going away, perhaps we don't care about this
Flags: needinfo?(kaie)
Comment 20•2 years ago
|
||
libical has now been removed - bug 1787097.
Status: NEW → RESOLVED
Closed: 2 years ago
Resolution: --- → WORKSFORME
You need to log in
before you can comment on or make changes to this bug.
Description
•