Bug 986632 (CVE-2016-5823) - VUL-0: CVE-2016-5823: libical: segv on unknown address
Summary: VUL-0: CVE-2016-5823: libical: segv on unknown address
Status: RESOLVED FIXED
Alias: CVE-2016-5823
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Importance: P3 - Medium : Normal
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/170522/
Whiteboard: CVSSv2:SUSE:CVE-2016-5823:6.8:(AV:N/A...
Keywords:
Depends on:
Blocks:
 
Reported: 2016-06-27 11:40 UTC by Marcus Meissner
Modified: 2020-01-14 14:11 UTC
CC List: 6 users

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments: segv.ics.bug (7.99 KB, text/plain), 2016-06-27 11:42 UTC, Marcus Meissner

Description Marcus Meissner 2016-06-27 11:40:52 UTC
http://seclists.org/oss-sec/2016/q2/604
CVE-2016-5823

Hello lists

Attached is a test case for causing a crash in libical 0.47 (shipped with Thunderbird) and this was also tested against 1.0 (various versions shipped with various email clients).


ERROR: AddressSanitizer: SEGV on unknown address 0x000000000008 (pc 0x0000004fbb80 bp 0x7ffd68d966f0 sp 0x7ffd68d96520 T0)
    #0 0x4fbb7f in icalproperty_new_clone (/root/tmp/new_parse/parse_string047_asan+0x4fbb7f)
    #1 0x4f44e6 in icalparser_add_line (/root/tmp/new_parse/parse_string047_asan+0x4f44e6)
    #2 0x4efabe in icalparser_parse (/root/tmp/new_parse/parse_string047_asan+0x4efabe)
    #3 0x4f9c1f in icalparser_parse_string (/root/tmp/new_parse/parse_string047_asan+0x4f9c1f)
    #4 0x4eb7ef in main (/root/tmp/new_parse/parse_string047_asan+0x4eb7ef)
    #5 0x7fb657683a3f in __libc_start_main /build/glibc-ryFjv0/glibc-2.21/csu/libc-start.c:289
    #6 0x444ae8 in _start (/root/tmp/new_parse/parse_string047_asan+0x444ae8)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV ??:0 icalproperty_new_clone
==24662==ABORTING



References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-5823
Comment 1 Marcus Meissner 2016-06-27 11:42:02 UTC
Created attachment 682209 [details]
segv.ics.bug

QA REPRODUCER:

rename to segv.ics

import into e.g. thunderbird or evolution

should not crash
Comment 2 Swamp Workflow Management 2016-06-27 22:01:44 UTC
bugbot adjusting priority
Comment 4 jun wang 2017-07-25 09:11:07 UTC
(In reply to Marcus Meissner from comment #1)
> Created attachment 682209 [details]
> segv.ics.bug
> 
> QA REPRODUCER:
> 
> rename to segv.ics
> 
> import into e.g. thunderbird or evolution
> 
> should not crash

I didn't import "segv.ics" into evolution.
Evolution doesn't think this file is in "ics" format.

At the same time, there is no "thunderbird" on our platform,
so this issue was NOT reproduced.
Comment 5 jun wang 2017-07-25 09:12:47 UTC
(In reply to jun wang from comment #4)
> (In reply to Marcus Meissner from comment #1)
> > Created attachment 682209 [details]
> > segv.ics.bug
> > 
> > QA REPRODUCER:
> > 
> > rename to segv.ics
> > 
> > import into e.g. thunderbird or evolution
> > 
> > should not crash
> 
> I didn't import "segv.ics" into evolution.
> Evolution doesn't think this file is in "ics" format.
> 
> At the same time, there is no "thunderbird" on our platform,
> so this issue was NOT reproduced.

This process is on SLE11SP4.
Comment 6 jun wang 2017-07-25 09:26:52 UTC
(In reply to jun wang from comment #5)
> (In reply to jun wang from comment #4)
> > (In reply to Marcus Meissner from comment #1)
> > I didn't import "segv.ics" into evolution.
> > Evolution doesn't think this file is in "ics" format.
> > 
> > At the same time, there is no "thunderbird" on our platform,
> > so this issue was NOT reproduced.
> 
> This process is on SLE11SP4.

This issue was NOT reproduced on SLE12SP2.
Comment 7 jun wang 2017-07-26 07:57:37 UTC
Before updating, I couldn't import the "ics" test file into evolution.
I think that evolution doesn't consider "segv.ics" to be a standard format.

After updating, I can, but it crashed.
This is the log:
http://pastebin.suse.de/23514
Comment 8 Victor Pereira 2017-08-22 12:47:23 UTC
Hi Michael,

could you please check the comment #c7 and tell us if you are able to reproduce it?
Comment 9 Michael Gorse 2017-08-22 21:34:11 UTC
(In reply to Victor Pereira from comment #8)
> Hi Michael,
> 
> could you please check the comment #c7 and tell us if you are able to
> reproduce it?

I apologize; I'd forgotten about this. Thanks for the reminder. Yes, I can reproduce it; I'll need to investigate whether the problem is in libical or in evolution.
Comment 12 Martin Pluskal 2018-01-17 09:14:35 UTC
With the present update candidate for SLE:11 I can't import the malformed calendar (segv.ics), but importing sample ics files I found around the internet seems to work (see the example in https://qam.suse.de/testreports/SUSE:Maintenance:5206:151210/log), so I would guess that the observed behavior is expected and correct.
Comment 13 Swamp Workflow Management 2018-01-17 14:07:58 UTC
SUSE-SU-2018:0119-1: An update that solves 6 vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1015964,1044995,986631,986632,986639,986642,986658
CVE References: CVE-2016-5823,CVE-2016-5824,CVE-2016-5825,CVE-2016-5826,CVE-2016-5827,CVE-2016-9584
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    libical-0.43-1.10.6.1
SUSE Linux Enterprise Server 11-SP4 (src):    libical-0.43-1.10.6.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    libical-0.43-1.10.6.1
Comment 14 Wolfgang Frisch 2020-01-14 14:11:22 UTC
Not reproducible on SUSE:SLE-12:Update.
Evolution does not consider the reproducer a valid .ics file.