Source: libical
Version: 1.0-1.3
Severity: important
Tags: security upstream
Hi,

the following vulnerability was published for libical.

CVE-2016-9584[0]:
| libical allows remote attackers to cause a denial of service
| (use-after-free) and possibly read heap memory via a crafted ics file.

The SuSE bugzilla entry contains a helper parser which can be used to
trigger the issue, with the read62.ics provided by Agustin Mista (but it
is not public, and needs to be requested from Agustin Mista currently,
should ideally be made public by the reporter though). The issue is then
reproducible under valgrind with both 1.0-1.3 and 2.0.0-0.5.

==956== Memcheck, a memory error detector
==956== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
==956== Using Valgrind-3.12.0 and LibVEX; rerun with -h for copyright info
==956== Command: ./icaltestparser ./read62.ics
==956==
==956== Invalid read of size 1
==956==    at 0x4C2EDA2: strlen (vg_replace_strmem.c:454)
==956==    by 0x50F3DA2: vfprintf (vfprintf.c:1637)
==956==    by 0x51A1975: __vsnprintf_chk (vsnprintf_chk.c:63)
==956==    by 0x51A18D7: __snprintf_chk (snprintf_chk.c:34)
==956==    by 0x4E7D66A: icalreqstattype_as_string_r (in /usr/lib/x86_64-linux-gnu/libical.so.2.0.0)
==956==    by 0x4E7E559: icalvalue_as_ical_string_r (in /usr/lib/x86_64-linux-gnu/libical.so.2.0.0)
==956==    by 0x4E7186A: icalproperty_as_ical_string_r (in /usr/lib/x86_64-linux-gnu/libical.so.2.0.0)
==956==    by 0x4E6AA67: icalcomponent_as_ical_string_r (in /usr/lib/x86_64-linux-gnu/libical.so.2.0.0)
==956==    by 0x4E6AAB7: icalcomponent_as_ical_string_r (in /usr/lib/x86_64-linux-gnu/libical.so.2.0.0)
==956==    by 0x4E6AB75: icalcomponent_as_ical_string (in /usr/lib/x86_64-linux-gnu/libical.so.2.0.0)
==956==    by 0x108B95: main (icaltestparser.c:117)
==956==  Address 0x849c2a4 is 4 bytes inside a block of size 66 free'd
==956==    at 0x4C2CDDB: free (vg_replace_malloc.c:530)
==956==    by 0x4E70059: icalparser_add_line (in /usr/lib/x86_64-linux-gnu/libical.so.2.0.0)
==956==    by 0x108B7E: main (icaltestparser.c:112)
==956==  Block was alloc'd at
==956==    at 0x4C2DBC5: calloc (vg_replace_malloc.c:711)
==956==    by 0x4E6E1AD: icalmemory_new_buffer (in /usr/lib/x86_64-linux-gnu/libical.so.2.0.0)
==956==    by 0x4E6F165: ??? (in /usr/lib/x86_64-linux-gnu/libical.so.2.0.0)
==956==    by 0x4E700A4: icalparser_add_line (in /usr/lib/x86_64-linux-gnu/libical.so.2.0.0)
==956==    by 0x108B7E: main (icaltestparser.c:112)
==956==
==956== Invalid read of size 1
==956==    at 0x4C2EDB4: strlen (vg_replace_strmem.c:454)
==956==    by 0x50F3DA2: vfprintf (vfprintf.c:1637)
==956==    by 0x51A1975: __vsnprintf_chk (vsnprintf_chk.c:63)
==956==    by 0x51A18D7: __snprintf_chk (snprintf_chk.c:34)
==956==    by 0x4E7D66A: icalreqstattype_as_string_r (in /usr/lib/x86_64-linux-gnu/libical.so.2.0.0)
==956==    by 0x4E7E559: icalvalue_as_ical_string_r (in /usr/lib/x86_64-linux-gnu/libical.so.2.0.0)
==956==    by 0x4E7186A: icalproperty_as_ical_string_r (in /usr/lib/x86_64-linux-gnu/libical.so.2.0.0)
==956==    by 0x4E6AA67: icalcomponent_as_ical_string_r (in /usr/lib/x86_64-linux-gnu/libical.so.2.0.0)
==956==    by 0x4E6AAB7: icalcomponent_as_ical_string_r (in /usr/lib/x86_64-linux-gnu/libical.so.2.0.0)
==956==    by 0x4E6AB75: icalcomponent_as_ical_string (in /usr/lib/x86_64-linux-gnu/libical.so.2.0.0)
==956==    by 0x108B95: main (icaltestparser.c:117)
==956==  Address 0x849c2a5 is 5 bytes inside a block of size 66 free'd
==956==    at 0x4C2CDDB: free (vg_replace_malloc.c:530)
==956==    by 0x4E70059: icalparser_add_line (in /usr/lib/x86_64-linux-gnu/libical.so.2.0.0)
==956==    by 0x108B7E: main (icaltestparser.c:112)
==956==  Block was alloc'd at
==956==    at 0x4C2DBC5: calloc (vg_replace_malloc.c:711)
==956==    by 0x4E6E1AD: icalmemory_new_buffer (in /usr/lib/x86_64-linux-gnu/libical.so.2.0.0)
==956==    by 0x4E6F165: ??? (in /usr/lib/x86_64-linux-gnu/libical.so.2.0.0)
==956==    by 0x4E700A4: icalparser_add_line (in /usr/lib/x86_64-linux-gnu/libical.so.2.0.0)
==956==    by 0x108B7E: main (icaltestparser.c:112)
==956==
==956== Invalid read of size 1
==956==    at 0x4C330A8: __GI_mempcpy (vg_replace_strmem.c:1518)
==956==    by 0x511FBFD: _IO_default_xsputn (genops.c:438)
==956==    by 0x50F3BDA: vfprintf (vfprintf.c:1637)
==956==    by 0x51A1975: __vsnprintf_chk (vsnprintf_chk.c:63)
==956==    by 0x51A18D7: __snprintf_chk (snprintf_chk.c:34)
==956==    by 0x4E7D66A: icalreqstattype_as_string_r (in /usr/lib/x86_64-linux-gnu/libical.so.2.0.0)
==956==    by 0x4E7E559: icalvalue_as_ical_string_r (in /usr/lib/x86_64-linux-gnu/libical.so.2.0.0)
==956==    by 0x4E7186A: icalproperty_as_ical_string_r (in /usr/lib/x86_64-linux-gnu/libical.so.2.0.0)
==956==    by 0x4E6AA67: icalcomponent_as_ical_string_r (in /usr/lib/x86_64-linux-gnu/libical.so.2.0.0)
==956==    by 0x4E6AAB7: icalcomponent_as_ical_string_r (in /usr/lib/x86_64-linux-gnu/libical.so.2.0.0)
==956==    by 0x4E6AB75: icalcomponent_as_ical_string (in /usr/lib/x86_64-linux-gnu/libical.so.2.0.0)
==956==    by 0x108B95: main (icaltestparser.c:117)
==956==  Address 0x849c2e0 is 64 bytes inside a block of size 66 free'd
==956==    at 0x4C2CDDB: free (vg_replace_malloc.c:530)
==956==    by 0x4E70059: icalparser_add_line (in /usr/lib/x86_64-linux-gnu/libical.so.2.0.0)
==956==    by 0x108B7E: main (icaltestparser.c:112)
==956==  Block was alloc'd at
==956==    at 0x4C2DBC5: calloc (vg_replace_malloc.c:711)
==956==    by 0x4E6E1AD: icalmemory_new_buffer (in /usr/lib/x86_64-linux-gnu/libical.so.2.0.0)
==956==    by 0x4E6F165: ??? (in /usr/lib/x86_64-linux-gnu/libical.so.2.0.0)
==956==    by 0x4E700A4: icalparser_add_line (in /usr/lib/x86_64-linux-gnu/libical.so.2.0.0)
==956==    by 0x108B7E: main (icaltestparser.c:112)
==956==
==956== Invalid read of size 1
==956==    at 0x4C330B8: __GI_mempcpy (vg_replace_strmem.c:1518)
==956==    by 0x511FBFD: _IO_default_xsputn (genops.c:438)
==956==    by 0x50F3BDA: vfprintf (vfprintf.c:1637)
==956==    by 0x51A1975: __vsnprintf_chk (vsnprintf_chk.c:63)
==956==    by 0x51A18D7: __snprintf_chk (snprintf_chk.c:34)
==956==    by 0x4E7D66A: icalreqstattype_as_string_r (in /usr/lib/x86_64-linux-gnu/libical.so.2.0.0)
==956==    by 0x4E7E559: icalvalue_as_ical_string_r (in /usr/lib/x86_64-linux-gnu/libical.so.2.0.0)
==956==    by 0x4E7186A: icalproperty_as_ical_string_r (in /usr/lib/x86_64-linux-gnu/libical.so.2.0.0)
==956==    by 0x4E6AA67: icalcomponent_as_ical_string_r (in /usr/lib/x86_64-linux-gnu/libical.so.2.0.0)
==956==    by 0x4E6AAB7: icalcomponent_as_ical_string_r (in /usr/lib/x86_64-linux-gnu/libical.so.2.0.0)
==956==    by 0x4E6AB75: icalcomponent_as_ical_string (in /usr/lib/x86_64-linux-gnu/libical.so.2.0.0)
==956==    by 0x108B95: main (icaltestparser.c:117)
==956==  Address 0x849c2de is 62 bytes inside a block of size 66 free'd
==956==    at 0x4C2CDDB: free (vg_replace_malloc.c:530)
==956==    by 0x4E70059: icalparser_add_line (in /usr/lib/x86_64-linux-gnu/libical.so.2.0.0)
==956==    by 0x108B7E: main (icaltestparser.c:112)
==956==  Block was alloc'd at
==956==    at 0x4C2DBC5: calloc (vg_replace_malloc.c:711)
==956==    by 0x4E6E1AD: icalmemory_new_buffer (in /usr/lib/x86_64-linux-gnu/libical.so.2.0.0)
==956==    by 0x4E6F165: ??? (in /usr/lib/x86_64-linux-gnu/libical.so.2.0.0)
==956==    by 0x4E700A4: icalparser_add_line (in /usr/lib/x86_64-linux-gnu/libical.so.2.0.0)
==956==    by 0x108B7E: main (icaltestparser.c:112)
==956==
==956== Invalid read of size 1
==956==    at 0x511FB98: _IO_default_xsputn (genops.c:450)
==956==    by 0x50F3BDA: vfprintf (vfprintf.c:1637)
==956==    by 0x51A1975: __vsnprintf_chk (vsnprintf_chk.c:63)
==956==    by 0x51A18D7: __snprintf_chk (snprintf_chk.c:34)
==956==    by 0x4E7D66A: icalreqstattype_as_string_r (in /usr/lib/x86_64-linux-gnu/libical.so.2.0.0)
==956==    by 0x4E7E559: icalvalue_as_ical_string_r (in /usr/lib/x86_64-linux-gnu/libical.so.2.0.0)
==956==    by 0x4E7186A: icalproperty_as_ical_string_r (in /usr/lib/x86_64-linux-gnu/libical.so.2.0.0)
==956==    by 0x4E6AA67: icalcomponent_as_ical_string_r (in /usr/lib/x86_64-linux-gnu/libical.so.2.0.0)
==956==    by 0x4E6AAB7: icalcomponent_as_ical_string_r (in /usr/lib/x86_64-linux-gnu/libical.so.2.0.0)
==956==    by 0x4E6AB75: icalcomponent_as_ical_string (in /usr/lib/x86_64-linux-gnu/libical.so.2.0.0)
==956==    by 0x108B95: main (icaltestparser.c:117)
==956==  Address 0x849f494 is 4 bytes inside a block of size 6 free'd
==956==    at 0x4C2CDDB: free (vg_replace_malloc.c:530)
==956==    by 0x4E70059: icalparser_add_line (in /usr/lib/x86_64-linux-gnu/libical.so.2.0.0)
==956==    by 0x108B7E: main (icaltestparser.c:112)
==956==  Block was alloc'd at
==956==    at 0x4C2DBC5: calloc (vg_replace_malloc.c:711)
==956==    by 0x4E6E1AD: icalmemory_new_buffer (in /usr/lib/x86_64-linux-gnu/libical.so.2.0.0)
==956==    by 0x4E6F165: ??? (in /usr/lib/x86_64-linux-gnu/libical.so.2.0.0)
==956==    by 0x4E700A4: icalparser_add_line (in /usr/lib/x86_64-linux-gnu/libical.so.2.0.0)
==956==    by 0x108B7E: main (icaltestparser.c:112)
==956==
[...]

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2016-9584
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9584
[1] https://bugzilla.novell.com/show_bug.cgi?id=1015964

Regards,
Salvatore
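
Added example (not part of the original report, nor code from libical or Debian): a small triage script that reduces a Memcheck log like the one above to its distinct use-after-free signatures, so that many "Invalid read" records sharing the same use, free and allocation sites are counted as one finding. The function names parse_uaf and summarize are hypothetical; the embedded sample is the first record of the trace above with frames dropped.

```python
import re
from collections import Counter
# Abridged from the first Memcheck record in the report above (frames dropped).
SAMPLE = """\
==956== Invalid read of size 1
==956==    at 0x4C2EDA2: strlen (vg_replace_strmem.c:454)
==956==    by 0x4E7D66A: icalreqstattype_as_string_r (in /usr/lib/x86_64-linux-gnu/libical.so.2.0.0)
==956==  Address 0x849c2a4 is 4 bytes inside a block of size 66 free'd
==956==    at 0x4C2CDDB: free (vg_replace_malloc.c:530)
==956==    by 0x4E70059: icalparser_add_line (in /usr/lib/x86_64-linux-gnu/libical.so.2.0.0)
==956==  Block was alloc'd at
==956==    at 0x4C2DBC5: calloc (vg_replace_malloc.c:711)
==956==    by 0x4E6E1AD: icalmemory_new_buffer (in /usr/lib/x86_64-linux-gnu/libical.so.2.0.0)
"""

HEAD = re.compile(r"Invalid (read|write) of size (\d+)")
ADDR = re.compile(r"Address 0x[0-9A-Fa-f]+ is (\d+) bytes inside a block of size (\d+) free'd")
FRAME = re.compile(r"(?:at|by) 0x[0-9A-Fa-f]+: (\S+) \((.*)\)")

def parse_uaf(log):
    """Return one dict per Memcheck access that lands inside a freed block."""
    records, cur, stack = [], None, None
    for raw in log.splitlines():
        line = re.sub(r"^==\d+==\s*", "", raw)    # strip the PID prefix
        if m := HEAD.match(line):
            cur = {"access": m[1], "size": int(m[2]), "use": [], "free": [], "alloc": []}
            stack = cur["use"]                    # frames that follow are the faulting access
        elif cur is None:
            continue                              # banner or unrelated output
        elif m := ADDR.match(line):
            cur["offset"], cur["block"] = int(m[1]), int(m[2])
            stack = cur["free"]                   # frames that follow are the free() site
            records.append(cur)                   # only freed-block accesses are kept
        elif line.startswith("Block was alloc'd at"):
            stack = cur["alloc"]
        elif m := FRAME.match(line):
            stack.append((m[1], m[2]))
        elif not line:
            cur = None                            # blank line ends the record
    return records

def summarize(records, lib="libical"):
    """Count reports by the first `lib` frame of the use, free and alloc stacks."""
    def first_in(stack):
        return next((fn for fn, loc in stack if lib in loc), None)
    return Counter(tuple(first_in(r[k]) for k in ("use", "free", "alloc")) for r in records)

if __name__ == "__main__":
    print(summarize(parse_uaf(SAMPLE)))
```

Saving the valgrind output to a file and passing its contents to parse_uaf gives the same grouping for the full trace; the offset and block fields show how far into the freed buffer each read landed.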