Bug 1137595 - (CVE-2019-11703) VUL-0: CVE-2019-11703,CVE-2019-11704,CVE-2019-11705,CVE-2019-11706: MozillaThunderbird: multiple vulnerabilities
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other
OS: Other
Importance: P3 - Medium / Normal
Assigned To: Martin Sirringhaus
Security Team bot
URL: https://smash.suse.de/issue/235084/
CVSSv3:SUSE:CVE-2019-11703:9.8:(AV:N/...
Reported: 2019-06-07 09:14 UTC by Robert Frohl
Modified: 2020-01-27 08:30 UTC (History)

Comment 17 Marcus Meissner 2019-06-14 05:16:38 UTC
now public

X41 D-Sec GmbH Security Advisory: X41-2019-001

Heap-based buffer overflow in Thunderbird
=========================================
Severity Rating: High
Confirmed Affected Versions: All versions affected
Confirmed Patched Versions: Thunderbird ESR 60.7.XXX
Vendor: Thunderbird
Vendor URL: https://www.thunderbird.net/
Vendor Reference: https://bugzilla.mozilla.org/show_bug.cgi?id=1553814
Vector: Incoming mail with calendar attachment
Credit: X41 D-SEC GmbH, Luis Merino
Status: Public
CVE: CVE-2019-11704
CWE: 122
CVSS Score: 7.8
CVSS Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O
Advisory-URL:
https://www.x41-dsec.de/lab/advisories/x41-2019-002-thunderbird

Summary and Impact
==================
A heap-based buffer overflow has been identified in the Thunderbird
email client. The issue is present in the libical implementation, which
was forked from upstream libical version 0.47.
The issue can be triggered remotely, when an attacker sends a specially
crafted calendar attachment, and does not require user interaction. It
might be used by a remote attacker to crash or gain remote code
execution on the client system.

This issue was initially reported by Brandon Perry here:

https://bugzilla.mozilla.org/show_bug.cgi?id=1280832

and fixed in libical upstream, but was never fixed in Thunderbird.
X41 did not perform a full test or audit on the software.

Product Description
===================
Thunderbird is a free and open source email, newsfeed, chat, and
calendaring client, that's easy to set up and customize.

Analysis
========
A heap-based buffer overflow in icalvalue.c
icalmemory_strdup_and_dequote() can be triggered while parsing a
calendar attachment containing a malformed or specially crafted
string.

~~~
static char *icalmemory_strdup_and_dequote(const char *str)
{
    char *out = (char *)malloc(sizeof(char) * strlen(str) + 1);
    char *pout = out;
    const char *p;
    // ...
    for (p = str; *p != 0; p++) {
        if (*p == '\\') {
            p++;
            // ...
        } else {
            *pout = *p;
        }
    }
~~~

Bounds checking in `icalmemory_strdup_and_dequote()` can be bypassed when the
input `p` ends with a backslash, which enables an attacker to read out
of bounds of the input buffer and write out of bounds of a
heap-allocated output buffer.
The issue manifests in several ways, including out of bounds read and
write, null-pointer dereference and frequently leads to heap corruption.

It is expected that an attacker can exploit this vulnerability to
achieve remote code execution.

Proof of Concept
================
A reproducer EML file can be found in:

https://github.com/x41sec/advisories/tree/master/X41-2019-001

Workarounds
===========
A fix is available from upstream. Alternatively, libical can be replaced
by icaljs, a JavaScript implementation of ical parsing, by setting
calendar.icaljs = true in Thunderbird configuration.

Timeline
========
2016-06-19 Issue reported by Brandon Perry to the vendor
2019-05-23 Issue reported by X41 D-SEC to the vendor
2019-05-23 Vendor reply
2019-06-12 CVE IDs assigned
2019-06-13 Patched Version released
2019-06-13 Advisory released

About X41 D-SEC GmbH
====================
X41 is an expert provider for application security services.
Having extensive industry experience and expertise in the area of
information security, a strong core security team of world class
security experts enables X41 to perform premium security services.
Fields of expertise in the area of application security are security
centered code reviews, binary reverse engineering and vulnerability
discovery.
Custom research and IT security consulting and support services are
core competencies of X41.
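The trailing-backslash case in the dequoting loop quoted above, as an added example by the editor of this page, not libical's or Thunderbird's code. `dequote_vuln` keeps the shape of the quoted loop: after a backslash it does `p++` with no check, so an input ending in a backslash steps onto the NUL terminator and the outer loop then walks past it. `dequote_fixed` stops at a dangling escape and so never reads or writes past either buffer, and `dangling_escape` is a standalone check for the triggering input, usable before handing a property value to an unpatched parser. The escape table (n, t, the literal `;` `,` `"` `\`, and `X` for anything else) is the editor's choice after RFC 5545 text escaping; the exact upstream fix is not reproduced here, and the sample values are constructed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Escape table shared by both dequoters: the byte that "\c" stands for.
 * Unknown escapes become 'X', as in the original loop. */
static char unescape(char c)
{
    switch (c) {
    case 'n': case 'N': return '\n';
    case 't': case 'T': return '\t';
    case ';': case ',': case '"': case '\\': return c;
    default: return 'X';
    }
}

/* Vulnerable shape, constructed after the snippet in the advisory (not the
 * project's code). When the input ends in a backslash, p++ steps onto the
 * NUL, unescape() consumes it, the for-loop's own p++ moves past the
 * terminator, and the copy keeps reading the input and writing the output
 * out of bounds. Only call it with inputs that dangling_escape() rejects. */
static char *dequote_vuln(const char *str)
{
    char *out = malloc(strlen(str) + 1);
    char *pout = out;
    const char *p;

    if (out == NULL)
        return NULL;
    for (p = str; *p != 0; p++) {
        if (*p == '\\') {
            p++;                    /* no check that *p is not the NUL */
            *pout = unescape(*p);
        } else {
            *pout = *p;
        }
        pout++;
    }
    *pout = '\0';
    return out;
}

/* Hardened version: a backslash in the last position ends the loop, so p
 * never advances past the NUL and at most strlen(str) bytes are written. */
static char *dequote_fixed(const char *str)
{
    char *out = malloc(strlen(str) + 1);
    char *pout = out;
    const char *p;

    if (out == NULL)
        return NULL;
    for (p = str; *p != 0; p++) {
        if (*p == '\\') {
            if (p[1] == '\0')
                break;              /* dangling escape: stop here */
            p++;
            *pout = unescape(*p);
        } else {
            *pout = *p;
        }
        pout++;
    }
    *pout = '\0';
    return out;
}

/* 1 when the final byte is a backslash that the dequoter would treat as an
 * escape introducer (not the second half of "\\"): the triggering input. */
static int dangling_escape(const char *s)
{
    for (; *s != '\0'; s++) {
        if (*s == '\\') {
            if (s[1] == '\0')
                return 1;
            s++;                    /* skip the escaped byte */
        }
    }
    return 0;
}

/* Run fn on in, compare with want, free the result. */
static int dequote_equals(char *(*fn)(const char *), const char *in, const char *want)
{
    char *got = fn(in);
    int ok = got != NULL && strcmp(got, want) == 0;
    free(got);
    return ok;
}

int main(void)
{
    /* Constructed property values, not taken from the advisory's reproducer. */
    const char *trigger = "DESCRIPTION:trailing\\";

    printf("dangling_escape=%d, fixed dequoter handles it: %d\n",
           dangling_escape(trigger),
           dequote_equals(dequote_fixed, trigger, "DESCRIPTION:trailing"));
    return 0;
}
```

The check in `dequote_fixed` is the one-line difference that matters: the loop may only consume a byte after the backslash when that byte is not the terminator. Any fix that instead grows the output allocation would still leave the out-of-bounds read of the input.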
Comment 18 Marcus Meissner 2019-06-14 05:17:40 UTC
X41 D-Sec GmbH Security Advisory: X41-2019-002

Heap-based buffer overflow in Thunderbird
=========================================
Severity Rating: High
Confirmed Affected Versions: All versions affected
Confirmed Patched Versions: Thunderbird ESR 60.7.XXX
Vendor: Thunderbird
Vendor URL: https://www.thunderbird.net/
Vendor Reference: https://bugzilla.mozilla.org/show_bug.cgi?id=1553820
Vector: Incoming mail with calendar attachment
Credit: X41 D-SEC GmbH, Luis Merino
Status: Public
CVE: CVE-2019-11703
CWE: 122
CVSS Score: 7.8
CVSS Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O
Advisory-URL:
https://www.x41-dsec.de/lab/advisories/x41-2019-002-thunderbird

Summary and Impact
==================
A heap-based buffer overflow has been identified in the Thunderbird
email client. The issue is present in the libical implementation, which
was forked from upstream libical version 0.47.
The issue can be triggered remotely, when an attacker sends a specially
crafted calendar attachment, and does not require user interaction. It
might be used by a remote attacker to crash or gain remote code
execution on the client system.

This issue was initially reported by Brandon Perry here:

https://bugzilla.mozilla.org/show_bug.cgi?id=1281041

and fixed in libical upstream, but was never fixed in Thunderbird.
X41 did not perform a full test or audit on the software.

Product Description
===================
Thunderbird is a free and open source email, newsfeed, chat, and
calendaring client, that's easy to set up and customize.

Analysis
========
A heap-based buffer overflow in icalparser.c parser_get_next_char()
can be triggered while parsing a calendar attachment containing a
malformed or specially crafted string.
The issue initially manifests as an out of bounds read, but we do not
rule out that it could later lead to an out of bounds write.
It is expected that an attacker can exploit this vulnerability to
achieve remote code execution.

Proof of Concept
================
A reproducer ical file can be found in

https://github.com/x41sec/advisories/tree/master/X41-2019-002

Workarounds
===========
A fix is available from upstream. Alternatively, libical can be replaced
by icaljs, a JavaScript implementation of ical parsing, by setting
calendar.icaljs = true in Thunderbird configuration.

Timeline
========
2016-06-20 Issue reported by Brandon Perry to the vendor
2019-05-23 Issues reported to the vendor
2019-05-23 Vendor reply
2019-06-12 CVE IDs assigned
2019-06-13 Patched Version released
2019-06-13 Advisory released
Comment 19 Marcus Meissner 2019-06-14 05:18:00 UTC
X41 D-Sec GmbH Security Advisory: X41-2019-003

Stack-based buffer overflow in Thunderbird
==========================================
Severity Rating: High
Confirmed Affected Versions: All versions affected
Confirmed Patched Versions: Thunderbird ESR 60.7.XXX
Vendor: Thunderbird
Vendor URL: https://www.thunderbird.net/
Vendor Reference: https://bugzilla.mozilla.org/show_bug.cgi?id=1553808
Vector: Incoming mail with calendar attachment
Credit: X41 D-SEC GmbH, Luis Merino
Status: Public
CVE: CVE-2019-11705
CWE: 121
CVSS Score: 7.8
CVSS Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O
Advisory-URL:
https://www.x41-dsec.de/lab/advisories/x41-2019-003-thunderbird

Summary and Impact
==================
A stack-based buffer overflow has been identified in the Thunderbird
email client. The issue is present in the libical implementation, which
was forked from upstream libical version 0.47.
The issue can be triggered remotely, when an attacker sends a specially
crafted calendar attachment, and does not require user interaction. It
might be used by a remote attacker to crash or gain remote code
execution on the client system.
X41 did not perform a full test or audit on the software.

Product Description
===================
Thunderbird is a free and open source email, newsfeed, chat, and
calendaring client, that's easy to set up and customize.

Analysis
========
A stack-based buffer overflow in icalrecur.c icalrecur_add_bydayrules()
can be triggered while parsing a calendar attachment containing a
malformed or specially crafted string.

~~~
static int icalrecur_add_bydayrules(struct icalrecur_parser *parser,
                                    const char *vals)
{
    short *array = parser->rt.by_day;
    // ...
    while (n != 0) {
        // ...
        if (wd != ICAL_NO_WEEKDAY) {
            array[i++] = (short) (sign * (wd + 8 * weekno));
            array[i] = ICAL_RECURRENCE_ARRAY_MAX;
        }
    }
}
~~~

Missing sanity checks in `icalrecur_add_bydayrules()` can lead to an
out of bounds write in `array` when `weekno` takes an invalid value.
The issue manifests as an out-of-bounds write to a stack-allocated
buffer.
It is expected that an attacker can exploit this vulnerability to
achieve remote code execution when proper stack smashing mitigations
are missing.

Proof of Concept
================
A reproducer eml file can be found in

https://github.com/x41sec/advisories/tree/master/X41-2019-003

Workarounds
===========
A fix is available from upstream. Alternatively, libical can be replaced
by icaljs, a JavaScript implementation of ical parsing, by setting
calendar.icaljs = true in Thunderbird configuration.

Timeline
========
2019-05-23 Issues reported to the vendor
2019-05-23 Vendor reply
2019-06-12 CVE IDs assigned
2019-06-13 Patched Version released
2019-06-13 Advisory released
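The missing sanity checks in the BYDAY loop quoted above, as an added example by the editor of this page, not libical's or Thunderbird's code. `parse_byday` keeps the `sign * (wd + 8 * weekno)` encoding and the end-of-array sentinel from the snippet, but refuses to store an entry when no slot is left for it plus the sentinel, rejects an unknown weekday token, and rejects an ordinal outside the 1..53 range RFC 5545 gives for `ordwk`; that range check goes beyond what the advisory states and is the editor's hardening. `ICAL_BY_DAY_SIZE`, the sentinel value and the weekday numbering (SU=1 .. SA=7) are modelled on libical's public header and are assumptions here. The only array the example writes to is its own, so a constructed overlong list is rejected rather than overflowing anything.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define ICAL_BY_DAY_SIZE (7 * 8 + 1)      /* assumed: libical's sizing of rt.by_day */
#define ICAL_RECURRENCE_ARRAY_MAX 0x7f7f  /* assumed: libical's end-of-array sentinel */
#define ICAL_NO_WEEKDAY 0

/* RFC 5545 weekday tokens, numbered SU=1 .. SA=7 (assumed libical order). */
static int weekday_from_token(const char *t)
{
    static const char *const names[] = { "SU", "MO", "TU", "WE", "TH", "FR", "SA" };
    for (int i = 0; i < 7; i++)
        if (strcmp(t, names[i]) == 0)
            return i + 1;
    return ICAL_NO_WEEKDAY;
}

/* Parse a BYDAY list such as "MO,TU,-1FR,+2SA" into array[] (size slots),
 * keeping the sign * (wd + 8 * weekno) encoding and the trailing sentinel of
 * the advisory's snippet. Returns the number of entries stored, or -1 when
 * the list would overflow the array (entries plus sentinel), names an unknown
 * weekday, or carries an ordinal outside RFC 5545's 1..53. Nothing is written
 * to array[] past a rejected entry. */
static int parse_byday(const char *vals, short *array, size_t size)
{
    size_t len = strlen(vals), i = 0;
    char *copy = malloc(len + 1), *t, *n = NULL;
    int rc = -1;

    if (copy == NULL)
        return -1;
    memcpy(copy, vals, len + 1);

    for (t = copy; t != NULL; t = n) {
        int sign = 1, wd;
        long weekno;
        char *end;

        n = strchr(t, ',');
        if (n != NULL)
            *n++ = '\0';
        if (i + 1 >= size)                /* bound check the snippet lacks */
            goto done;

        if (*t == '-') { sign = -1; t++; }
        else if (*t == '+') { t++; }

        weekno = strtol(t, &end, 10);
        if (end == t)
            weekno = 0;                   /* plain weekday, no ordinal */
        else if (weekno < 1 || weekno > 53)
            goto done;                    /* range check the snippet lacks */

        wd = weekday_from_token(end);
        if (wd == ICAL_NO_WEEKDAY)
            goto done;
        array[i++] = (short)(sign * (wd + 8 * weekno));
    }
    array[i] = ICAL_RECURRENCE_ARRAY_MAX;
    rc = (int)i;
done:
    free(copy);
    return rc;
}

/* Demo storage of libical's size; demo_parse() fills it so callers can
 * inspect the encoded entries. */
static short demo_array[ICAL_BY_DAY_SIZE];

static int demo_parse(const char *vals)
{
    return parse_byday(vals, demo_array, ICAL_BY_DAY_SIZE);
}

/* Constructed list of `count` plain "MO" entries, to probe the bound. */
static char *make_byday_list(size_t count)
{
    char *buf = malloc(count * 3 + 1);
    size_t pos = 0;

    if (buf == NULL)
        return NULL;
    for (size_t k = 0; k < count; k++) {
        if (k > 0)
            buf[pos++] = ',';
        buf[pos++] = 'M';
        buf[pos++] = 'O';
    }
    buf[pos] = '\0';
    return buf;
}

/* 56 entries fit (plus the sentinel); the 57th is rejected, not written. */
static int demo_overlong(size_t count)
{
    char *list = make_byday_list(count);
    int rc = list != NULL ? demo_parse(list) : -1;
    free(list);
    return rc;
}

int main(void)
{
    int stored = demo_parse("MO,TU,-1FR,+2SA");
    printf("MO,TU,-1FR,+2SA -> %d entries, first=%d\n", stored, demo_array[0]);
    printf("99MO -> %d, 56 entries -> %d, 57 entries -> %d\n",
           demo_parse("99MO"), demo_overlong(56), demo_overlong(57));
    return 0;
}
```

The count check is placed before any parsing of the entry so that a rejected list leaves the array without a sentinel but never with a write past its end; a caller that treats -1 as "discard this RRULE" is then safe regardless of how the entries were encoded.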
Comment 20 Marcus Meissner 2019-06-14 05:18:21 UTC
X41 D-Sec GmbH Security Advisory: X41-2019-004

Type confusion in Thunderbird
=============================
Severity Rating: Medium
Confirmed Affected Versions: All versions affected
Confirmed Patched Versions: Thunderbird ESR 60.7.XXX
Vendor: Thunderbird
Vendor URL: https://www.thunderbird.net/
Vendor Reference: https://bugzilla.mozilla.org/show_bug.cgi?id=1555646
Vector: Incoming mail with calendar attachment
Credit: X41 D-SEC GmbH, Luis Merino
Status: Public
CVE: CVE-2019-11706
CWE: 843
CVSS Score: 6.5
CVSS Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O
Advisory-URL:
https://www.x41-dsec.de/lab/advisories/x41-2019-004-thunderbird

Summary and Impact
==================
A type confusion has been identified in the Thunderbird email
client. The issue is present in the libical implementation, which was
forked from upstream libical version 0.47.
The issue can be triggered remotely, when an attacker sends a specially
crafted calendar attachment, and does not require user interaction. It
might be used by a remote attacker to crash the process or leak
information from the client system via calendar replies.
X41 did not perform a full test or audit on the software.

Product Description
===================
Thunderbird is a free and open source email, newsfeed, chat, and
calendaring client, that's easy to set up and customize.

Analysis
========
A type confusion in icalproperty.c
icaltimezone_get_vtimezone_properties() can be triggered while parsing a
malformed calendar attachment. Missing sanity checks allow a TZID
property to be parsed as `ICAL_FLOAT_VALUE` but it is later used as a
string.
The bug manifests with `strdup(tzid)` being called with tzid containing
a bad pointer obtained by casting a float value to `char *`, which
typically means segfaulting by dereferencing a non-mapped memory page.
An attacker might be able to deliver an input file containing specially
crafted float values as TZID properties which could point to arbitrary
memory positions.
Certain conditions could allow information to be exfiltrated via a
calendar reply, or have other undetermined impact.

Proof of Concept
================
A reproducer eml file can be found in

https://github.com/x41sec/advisories/tree/master/X41-2019-004

Workarounds
===========
A fix is available from upstream. Alternatively, libical can be replaced
by icaljs, a JavaScript implementation of ical parsing, by setting
calendar.icaljs = true in Thunderbird configuration.

Timeline
========
2019-05-30 Issues reported to the vendor
2019-06-07 Vendor reply
2019-06-12 CVE IDs assigned
2019-06-13 Patched Version released
2019-06-13 Advisory released
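The TZID type confusion described above, as an added example by the editor of this page, not libical's or Thunderbird's code. It shows a simplified tagged value with a kind and a union, an unchecked accessor that returns the string member whatever the kind (the shape in which a float's bits end up as the `char *` passed to `strdup`), and a checked accessor plus a `tzid_dup` wrapper that refuses to copy anything from a float-kinded value. The struct layout and the `ICAL_*_VALUE` kind names are modelled loosely on libical's public API and are assumptions here; the TZID and float values are constructed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Kind tags and a simplified tagged value, modelled loosely on libical's
 * icalvalue (assumption, not the real struct). */
typedef enum { ICAL_NO_VALUE = 0, ICAL_FLOAT_VALUE, ICAL_STRING_VALUE, ICAL_TEXT_VALUE } icalvalue_kind;

typedef struct {
    icalvalue_kind kind;
    union {
        float v_float;
        const char *v_string;
    } data;
} icalvalue;

static icalvalue make_float(float f)
{
    icalvalue v = { ICAL_FLOAT_VALUE, { .v_float = f } };
    return v;
}

static icalvalue make_string(icalvalue_kind kind, const char *s)
{
    icalvalue v = { kind, { .v_string = s } };
    return v;
}

/* Unchecked accessor: the confusion the advisory describes. Whatever bits the
 * union holds come back as a pointer; for a float-kinded TZID that is a
 * meaningless address, and strdup() on it faults or reads arbitrary memory. */
static const char *get_string_unchecked(const icalvalue *v)
{
    return v->data.v_string;
}

/* Checked accessor: only string-like kinds expose the string member. */
static const char *get_string_checked(const icalvalue *v)
{
    if (v->kind != ICAL_STRING_VALUE && v->kind != ICAL_TEXT_VALUE)
        return NULL;
    return v->data.v_string;
}

/* Hardened TZID copy: NULL instead of strdup() on a non-string value. */
static char *tzid_dup(const icalvalue *v)
{
    const char *s = get_string_checked(v);
    char *copy;
    size_t len;

    if (s == NULL)
        return NULL;
    len = strlen(s) + 1;
    copy = malloc(len);
    if (copy != NULL)
        memcpy(copy, s, len);
    return copy;
}

/* tzid_dup(v) equals want; a NULL want means the value must be rejected. */
static int tzid_dup_equals(const icalvalue *v, const char *want)
{
    char *got = tzid_dup(v);
    int ok = want == NULL ? got == NULL : (got != NULL && strcmp(got, want) == 0);
    free(got);
    return ok;
}

/* Constructed inputs: a well-formed TZID and one the parser typed as a float. */
static int demo_text_tzid(void)
{
    icalvalue v = make_string(ICAL_TEXT_VALUE, "Europe/Berlin");
    return tzid_dup_equals(&v, "Europe/Berlin");
}

static int demo_float_tzid(void)
{
    icalvalue v = make_float(1.5f);
    return tzid_dup_equals(&v, NULL);
}

int main(void)
{
    icalvalue bad = make_float(1.5f);

    printf("text TZID copied: %d, float TZID rejected: %d\n",
           demo_text_tzid(), demo_float_tzid());
    /* Printed, never dereferenced: this is the pointer strdup() would get. */
    printf("unchecked accessor would hand strdup() %p\n",
           (const void *)get_string_unchecked(&bad));
    return 0;
}
```

The point of the checked accessor is that the kind tag, not the call site, decides whether the union's pointer member is meaningful; every consumer that needs a string goes through it, so a parser that mis-types a property can at worst produce a rejected value rather than a wild pointer.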
Comment 21 Swamp Workflow Management 2019-06-14 06:30:07 UTC
This is an autogenerated message for OBS integration:
This bug (1137595) was mentioned in
https://build.opensuse.org/request/show/709837 Factory / MozillaThunderbird
https://build.opensuse.org/request/show/709838 42.3 / MozillaThunderbird
Comment 22 Swamp Workflow Management 2019-06-14 16:11:31 UTC
SUSE-SU-2019:1495-1: An update that fixes four vulnerabilities is now available.

Category: security (important)
Bug References: 1137595
CVE References: CVE-2019-11703,CVE-2019-11704,CVE-2019-11705,CVE-2019-11706
Sources used:
SUSE Linux Enterprise Workstation Extension 15-SP1 (src):    MozillaThunderbird-60.7.0-3.36.1
SUSE Linux Enterprise Workstation Extension 15 (src):    MozillaThunderbird-60.7.0-3.36.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 24 Swamp Workflow Management 2019-06-18 16:50:11 UTC
openSUSE-SU-2019:1577-1: An update that fixes four vulnerabilities is now available.

Category: security (important)
Bug References: 1137595
CVE References: CVE-2019-11703,CVE-2019-11704,CVE-2019-11705,CVE-2019-11706
Sources used:
openSUSE Leap 42.3 (src):    MozillaThunderbird-60.7.1-95.1
Comment 25 Swamp Workflow Management 2019-06-18 19:11:40 UTC
openSUSE-SU-2019:1583-1: An update that fixes four vulnerabilities is now available.

Category: security (important)
Bug References: 1137595
CVE References: CVE-2019-11703,CVE-2019-11704,CVE-2019-11705,CVE-2019-11706
Sources used:
openSUSE Leap 15.1 (src):    MozillaThunderbird-60.7.0-lp151.2.4.1
openSUSE Leap 15.0 (src):    MozillaThunderbird-60.7.0-lp150.3.41.1
Comment 26 Swamp Workflow Management 2019-06-22 19:10:56 UTC
SUSE-SU-2019:1683-1: An update that fixes 6 vulnerabilities is now available.

Category: security (important)
Bug References: 1137595,1138872
CVE References: CVE-2019-11703,CVE-2019-11704,CVE-2019-11705,CVE-2019-11706,CVE-2019-11707,CVE-2019-11708
Sources used:
SUSE Linux Enterprise Workstation Extension 15-SP1 (src):    MozillaThunderbird-60.7.2-3.43.1
SUSE Linux Enterprise Workstation Extension 15 (src):    MozillaThunderbird-60.7.2-3.43.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 28 Swamp Workflow Management 2019-06-24 13:38:36 UTC
openSUSE-SU-2019:1606-1: An update that fixes 6 vulnerabilities is now available.

Category: security (important)
Bug References: 1137595,1138872
CVE References: CVE-2019-11703,CVE-2019-11704,CVE-2019-11705,CVE-2019-11706,CVE-2019-11707,CVE-2019-11708
Sources used:
openSUSE Leap 15.1 (src):    MozillaThunderbird-60.7.2-lp151.2.7.1
openSUSE Leap 15.0 (src):    MozillaThunderbird-60.7.2-lp150.3.45.1
Comment 29 Swamp Workflow Management 2019-06-24 18:10:20 UTC
This is an autogenerated message for OBS integration:
This bug (1137595) was mentioned in
https://build.opensuse.org/request/show/711723 Backports:SLE-12 / MozillaThunderbird
Comment 30 Swamp Workflow Management 2019-06-28 13:12:09 UTC
openSUSE-SU-2019:1664-1: An update that fixes 22 vulnerabilities is now available.

Category: security (important)
Bug References: 1130694,1133267,1135824,1137595,1138872
CVE References: CVE-2018-18511,CVE-2019-11691,CVE-2019-11692,CVE-2019-11693,CVE-2019-11694,CVE-2019-11698,CVE-2019-11703,CVE-2019-11704,CVE-2019-11705,CVE-2019-11706,CVE-2019-11707,CVE-2019-11708,CVE-2019-5798,CVE-2019-7317,CVE-2019-9797,CVE-2019-9800,CVE-2019-9815,CVE-2019-9816,CVE-2019-9817,CVE-2019-9818,CVE-2019-9819,CVE-2019-9820
Sources used:
SUSE Package Hub for SUSE Linux Enterprise 12 (src):    MozillaThunderbird-60.7.2-85.1
Comment 31 Martin Sirringhaus 2020-01-27 08:30:59 UTC
Fixed months ago.