oss-sec mailing list archives
Re: CVE-2016-9584: heap use-after-free on libical
From: Gustavo Grieco <gustavo.grieco () gmail com>
Date: Fri, 20 Jan 2017 11:55:01 -0300
2017-01-20 8:26 GMT-03:00 Raphael Hertzog <hertzog () debian org>:
Hello,
Hello Raphael, I'm working with Agustín to report these issues (he is our student in fact), but he is on holidays now, so I will answer your questions.
On Thu, 15 Dec 2016, Agustin Mista wrote:

We found a heap use-after-free in a recent revision of libical (f3688b444f820cecf51b1539b0856a392c0fdb0f), using a specially crafted ics file. This bug looks particularly dangerous since it allows reading a big chunk of the heap memory.

I see you reported multiple bugs on github's libical issues page:
https://github.com/libical/libical/issues/251
https://github.com/libical/libical/issues/252
https://github.com/libical/libical/issues/253

Looking at the backtrace, it seems that #253 is the same as this one. Do you confirm?
Yes, it is.
Any reason why you did not request a CVE for #251?
Yes. It was already reported here: https://bugzilla.mozilla.org/show_bug.cgi?id=1275400 (CVE-2016-5824) but it was never officially reported upstream (and therefore, never fixed).
It is worth mentioning there is a very similar bug found (CVE-2016-5824) on the libical version used by Thunderbird but we think it is *not* the same as this one. In fact, we've tested it on Thunderbird and it does *not* crash. The reproducer is available upon request.

#253 has a reproducer here: https://github.com/libical/libical/files/627392/heap-use-after-free.ical.txt
Is this the same file?
It is not the same file in fact. We found a variation of the original input that triggers this read out-of-bounds to read more than 60 bytes. This looks more serious than usual (maybe you can read as much as you want). We had some complaints in the past for making public test cases...
If it's a different file, then I'd like to have access to the file but I would prefer if it was just available publicly and not to me only.
Feel free to make the file public if you want.
Cheers,
--
Raphaël Hertzog ◈ Debian Developer
Support Debian LTS: http://www.freexian.com/services/debian-lts.html
Learn to master Debian: http://debian-handbook.info/get/