lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [day] [month] [year] [list]
Date: Thu, 13 Jun 2019 22:39:23 +0200
From: X41 D-Sec GmbH Advisories <advisories@...-dsec.de>
To: bugtraq@...urityfocus.com, fulldisclosure@...lists.org
Subject: [FD] X41 D-Sec GmbH Security Advisory X41-2019-002: Heap-based
 buffer overflow in Thunderbird

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

X41 D-Sec GmbH Security Advisory: X41-2019-002

Heap-based buffer overflow in Thunderbird
=========================================
Severity Rating: High
Confirmed Affected Versions: All versions affected
Confirmed Patched Versions: Thunderbird ESR 60.7.XXX
Vendor: Thunderbird
Vendor URL: https://www.thunderbird.net/
Vendor Reference: https://bugzilla.mozilla.org/show_bug.cgi?id=1553820
Vector: Incoming mail with calendar attachment
Credit: X41 D-SEC GmbH, Luis Merino
Status: Public
CVE: CVE-2019-11703
CWE: 122
CVSS Score: 7.8
CVSS Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O
Advisory-URL:
https://www.x41-dsec.de/lab/advisories/x41-2019-002-thunderbird

Summary and Impact
==================
A heap-based buffer overflow has been identified in the Thunderbird
email client. The issue is present in the libical implementation, which
was forked from upstream libical version 0.47.
The issue can be triggered remotely, when an attacker sends an specially
crafted calendar attachment and does not require user interaction. It
might be used by a remote attacker to crash or gain remote code
execution in the client system.

This issue was initially reported by Brandon Perry here:

https://bugzilla.mozilla.org/show_bug.cgi?id=1281041

and fixed in libical upstream, but was never fixed in Thunderbird.
X41 did not perform a full test or audit on the software.

Product Description
===================
Thunderbird is a free and open source email, newsfeed, chat, and
calendaring client, that's easy to set up and customize.

Analysis
========
A heap-based buffer overflow in icalparser.c parser_get_next_char()
can be triggered while parsing a calendar attachment containing a
malformed or specially crafted string.
The issue initially manifests with out of bounds read, but we don't
discard it could later lead to out of bounds write.
It is expected that an attacker can exploit this vulnerability to
achieve remote code execution.

Proof of Concept
================
A reproducer ical file can be found in

https://github.com/x41sec/advisories/tree/master/X41-2019-002

Workarounds
===========
A fix is available from upstream. Alternatively, libical can be replaced
by icaljs, a JavaScript implementation of ical parsing, by setting
calendar.icaljs = true in Thunderbird configuration.

Timeline
========
2016-06-20 Issue reported by Brandon Perry to the vendor
2019-05-23 Issues reported to the vendor
2019-05-23 Vendor reply
2019-06-12 CVE IDs assigned
2019-06-13 Patched Version released
2019-06-13 Advisory released

About X41 D-SEC GmbH
====================
X41 is an expert provider for application security services.
Having extensive industry experience and expertise in the area of
information security, a strong core security team of world class
security experts enables X41 to perform premium security services.
Fields of expertise in the area of application security are security
centered code reviews, binary reverse engineering and vulnerability
discovery.

Custom research and a IT security consulting and support services are
core competencies of X41.
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEpwxVTgxAIcUvTugIo5Klpg50CxAFAl0CtHsACgkQo5Klpg50
CxD5DRAAnruhd0PEjQV3ELUiM/9PHe5hC8rpWLqPNcuDY/dbPvg4w1qOAoXops9e
d3hJlMM2zaUeAv5MZGgxT7FIO116IFafALMjMssIC9zw3yM9oKF4s1amL/GzF+P9
vMamD3A5t5j2mHYuWFaDe+bcHak8QfmVgSRqKNvNp/rF27oWE3SgCraYFP1+RlpR
s0qbFcjLdo9SBqvpbSt3cbolrIOiS2nXER1cthmd2Ig7ga3oElEfWKZ19d+twBxx
oKqtS607p9ASfql29HDwC0VtgQPx1ySRBestYDtjsD2d97bAaAhA2/Kkpx6A/H91
EbiSyKByO3vs+nQzTdkI/xNN9edBly6se3WKaDBIfZOzWCsXwcUtUKpnAw5YMf/n
BoaDzv/D70Sk3GfXOD9qb2bMNFCEQdeZh3O1Tmmzi3kXa9kQJfdIDdjfeeDd7h87
r6vtYeHA7mVM2BGteO5FHQhooJVSi+gcGg9esj5656YznRS9zbc7KgkWJiItwMhj
hiBL7r8v2M0Gzx4qhhCg+gxl+ikBaYCgZh9WGi4fsekwufwEnnCnQxN52ZE9vBia
BJJGpPbGkVaxDCJXOfQDvJiovbG4ekK54tavqLBXaH/KuucMFGaE95gPSKnxn8LD
0QwpeLzad2bSiolSHux5RBR/t5d4znzjce/qxIpRQdWcgu9kzTs=
=1OOu
-----END PGP SIGNATURE-----

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists