Closed Bug 1555646 (CVE-2019-11706) Opened 5 years ago Closed 5 years ago

Type confusion in icalproperty.c icaltimezone_get_vtimezone_properties

Categories

(Calendar :: General, defect)

defect
Not set
normal

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: u621419, Assigned: darktrojan)

References

Details

(Keywords: csectype-bounds, sec-low)

Attachments

(2 files)

Attached file type-confusion.eml (deleted) —

User Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Steps to reproduce:

Open the attached saved message (type-confusion.eml) in Thunderbird. Receiving this message in my inbox also triggers the bug without further user interaction. The thunderbird process is killed.

Actual results:

A type confusion happens in icaltimezone_get_vtimezone_properties while trying to access a TZID property of the wrong kind.

The bug manifests with zone->tzid = strdup (tzid); being called with tzid containing a bad pointer, which hopefully dereferences a non-mapped address but could point to an arbitrary position when an attacker crafts a malicious ICS file. This situation happens when icaltimezone_get_vtimezone_properties is invoked with a malformed input whose TZID property has the wrong kind (ICAL_FLOAT_VALUE in this case), subsequently trying to access data->v_string (which is illegal for an ICAL_FLOAT_VALUE object).

The bug is described upstream here https://github.com/libical/libical/issues/263 as "The problem was that the parser allowed any valid value type to be parsed, regardless of whether it was legal for the given property, and the code accessing the property value was assuming the default type.".

Asan report:
==16790==ERROR: AddressSanitizer: SEGV on unknown address 0x000300000000 (pc 0x7fab68e575a1 bp 0x7ffc1d697530 sp 0x7ffc1d696cb8 T0)
==16790==The signal is caused by a READ memory access.
    #0 0x7fab68e575a0  /build/glibc-OTsEL5/glibc-2.27/string/../sysdeps/x86_64/multiarch/strlen-avx2.S:59
    #1 0x471c2f in strdup (/opt/out/thunderbird_libical_fuzzer+0x471c2f)
    #2 0x597b10 in icaltimezone_get_location_from_vtimezone /opt/src/thunderbird-60.6.1/comm/calendar/libical/src/libical/icaltimezone.c:311:13
    #3 0x597b10 in icaltimezone_get_vtimezone_properties /opt/src/thunderbird-60.6.1/comm/calendar/libical/src/libical/icaltimezone.c:292
    #4 0x598697 in icaltimezone_array_append_from_vtimezone /opt/src/thunderbird-60.6.1/comm/calendar/libical/src/libical/icaltimezone.c:1281:9
    #5 0x561c09 in icalcomponent_add_component /opt/src/thunderbird-60.6.1/comm/calendar/libical/src/libical/icalcomponent.c:572:2
    #6 0x57e647 in icalparser_add_line /opt/src/thunderbird-60.6.1/comm/calendar/libical/src/libical/icalparser.c:767:6
    #7 0x57db2f in icalparser_parse /opt/src/thunderbird-60.6.1/comm/calendar/libical/src/libical/icalparser.c:622:11
    #8 0x5623a3 in icalparser_parse_string /opt/src/thunderbird-60.6.1/comm/calendar/libical/src/libical/icalparser.c:1235:9
    #9 0x55fa56 in LLVMFuzzerTestOneInput /opt/src/fuzzer.cc:13:38
    #10 0x43103d in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (/opt/out/thunderbird_libical_fuzzer+0x43103d)
    #11 0x420aaa in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) (/opt/out/thunderbird_libical_fuzzer+0x420aaa)
    #12 0x42b9e8 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) (/opt/out/thunderbird_libical_fuzzer+0x42b9e8)
    #13 0x41d712 in main (/opt/out/thunderbird_libical_fuzzer+0x41d712)
    #14 0x7fab68ceab96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
    #15 0x41d749 in _start (/opt/out/thunderbird_libical_fuzzer+0x41d749)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /build/glibc-OTsEL5/glibc-2.27/string/../sysdeps/x86_64/multiarch/strlen-avx2.S:59

Expected results:

No heap overflow nor corruption.

A fix can be found here https://github.com/libical/libical/commit/53e68ff6e2133c54ff44df53e8b75ef21125fb3d.

Sorry for the formatting mess =D
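The two halves of the report above (a consumer reading data->v_string from a value whose kind is ICAL_FLOAT_VALUE, and the upstream fix of restricting which VALUE= kinds the parser accepts per property) are easier to see in a reduced model. The following is an added example written for this page; it is not libical's or Thunderbird's code. value_t, value_kind, parse_line, kind_allowed_for, tzid_unchecked and tzid_checked are hypothetical stand-ins for icalvalue, icalvalue_kind, icalparser_add_line and the TZID accessor, and the content lines it parses are constructed inputs. The union deliberately mirrors the real layout problem: a 4-byte float written into the union, then read back as an 8-byte char*, yields a garbage pointer of exactly the kind the ASan trace shows (0x000300000000), so the unchecked accessor is never called on a FLOAT value here.

```c
#define _POSIX_C_SOURCE 200809L   /* for strdup */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical, reduced model of a tagged property value (the real icalvalue
 * has many more kinds). Not libical's code. */
typedef enum { KIND_TEXT, KIND_FLOAT } value_kind;

typedef struct {
    value_kind kind;
    union {
        float v_float;     /* written when kind == KIND_FLOAT */
        char *v_string;    /* valid only when kind == KIND_TEXT */
    } data;
} value_t;

/* The vulnerable pattern from the report: the consumer assumes TZID carries a
 * TEXT value and reads v_string without checking kind. If the parser stored a
 * FLOAT, the float's bits (plus uninitialised padding) are reinterpreted as a
 * pointer and strdup() reads through it. Call only when kind == KIND_TEXT. */
static char *tzid_unchecked(const value_t *v) {
    return strdup(v->data.v_string);
}

/* Hardened consumer: refuse to yield a string from a non-TEXT value. */
static char *tzid_checked(const value_t *v) {
    if (v->kind != KIND_TEXT || v->data.v_string == NULL)
        return NULL;
    return strdup(v->data.v_string);
}

/* Parser-side half of the fix: a per-property whitelist of legal value kinds.
 * Only TZID is modelled; TZID is TEXT-only. */
static int kind_allowed_for(const char *property, value_kind kind) {
    if (strcmp(property, "TZID") == 0)
        return kind == KIND_TEXT;
    return 1;   /* other properties are out of scope for this model */
}

/* Parse one "NAME[;VALUE=KIND]:payload" content line into *out.
 * enforce == 0 reproduces the old behaviour (any parsable kind is accepted);
 * enforce == 1 rejects kinds that are illegal for the property.
 * Returns 1 on success, 0 on rejection. A TEXT payload is heap-allocated and
 * owned by the caller. */
static int parse_line(const char *line, int enforce, value_t *out) {
    const char *colon = strchr(line, ':');
    if (colon == NULL)
        return 0;

    char name[64];
    size_t namelen = (size_t)(colon - line);
    if (namelen == 0 || namelen >= sizeof name)
        return 0;
    memcpy(name, line, namelen);
    name[namelen] = '\0';

    value_kind kind = KIND_TEXT;            /* default kind for the property */
    char *param = strchr(name, ';');
    if (param != NULL) {
        *param++ = '\0';                    /* split NAME from its parameter */
        if (strncmp(param, "VALUE=", 6) == 0) {
            if (strcmp(param + 6, "FLOAT") == 0)
                kind = KIND_FLOAT;
            else if (strcmp(param + 6, "TEXT") == 0)
                kind = KIND_TEXT;
            else
                return 0;                   /* unknown kind */
        }
    }

    if (enforce && !kind_allowed_for(name, kind))
        return 0;                           /* e.g. TZID;VALUE=FLOAT is rejected */

    out->kind = kind;
    if (kind == KIND_FLOAT)
        out->data.v_float = strtof(colon + 1, NULL);
    else
        out->data.v_string = strdup(colon + 1);
    return 1;
}

int main(void) {
    value_t v;
    const char *crafted = "TZID;VALUE=FLOAT:1.5";      /* constructed input */

    /* Old behaviour: the crafted line is accepted as a FLOAT. The checked
     * accessor returns NULL instead of dereferencing the float's bits. */
    if (parse_line(crafted, 0, &v))
        printf("lenient parse: kind=%d, checked accessor -> %s\n",
               (int)v.kind, tzid_checked(&v) ? "string" : "NULL");

    /* Fixed behaviour: the parser refuses the line outright. */
    printf("strict parse accepts crafted line: %d\n", parse_line(crafted, 1, &v));

    if (parse_line("TZID:Europe/Berlin", 1, &v)) {     /* constructed input */
        char *s = tzid_unchecked(&v);   /* safe here: kind is KIND_TEXT */
        printf("TZID = %s\n", s);
        free(s);
        free(v.data.v_string);
    }
    return 0;
}
```

Both defences are shown because the upstream commit referenced in the report takes the parser-side approach (the value kind table per property); the kind check in the accessor is the belt-and-braces check a consumer can add independently of the parser.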

Component: Untriaged → General
Product: Thunderbird → Calendar
Version: 60 → unspecified
Assignee: nobody → geoff
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Attached patch 1555646-parser-types-1.diff (deleted) — Splinter Review

Copied from https://github.com/libical/libical/commit/53e68ff6e2133c54ff44df53e8b75ef21125fb3d except that we don't define ICAL_IMAGE_PROPERTY (commented that case out), and that RDATE should accept ICAL_DATETIME_VALUE (this seems to have been fixed upstream).

Attachment #9070516 - Flags: review?(philipp)
Attachment #9070516 - Flags: review?(philipp) → review+

Please request approval for esr and beta for the patches that need to be uplifted.

Attachment #9070516 - Flags: approval-calendar-esr?(philipp)
Attachment #9070516 - Flags: approval-calendar-beta?(philipp)
Blocks: 1557562
Attachment #9070516 - Flags: approval-calendar-esr?(philipp)
Attachment #9070516 - Flags: approval-calendar-esr+
Attachment #9070516 - Flags: approval-calendar-beta?(philipp)
Attachment #9070516 - Flags: approval-calendar-beta+
Status: ASSIGNED → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED
Target Milestone: --- → 7.1
Target Milestone: 7.0 → 6.2.7
Alias: CVE-2019-11706
Group: mail-core-security → core-security-release
Group: core-security-release