Opened 2 years ago

Closed 2 years ago

Last modified 2 years ago

#12159 closed enhancement (fixed)

thunderbird-60.7.2

Reported by: Douglas R. Reno Owned by: Douglas R. Reno
Priority: highest Milestone: 9.0
Component: BOOK Version: SVN
Severity: normal Keywords:
Cc:

Description

New point version

Security related for 0days related to libical.

Change History (7)

comment:1 by Douglas R. Reno, 2 years ago

Owner: changed from blfs-book to Douglas R. Reno
Priority: normalhighest
Status: newassigned

Now 60.7.2

Fixes more 0days, related to the ones that Firefox recently had fixed. Promoting to critical. Will update information with vulnerability information and release notes shortly.

comment:2 by Douglas R. Reno, 2 years ago

Summary: thunderbird-60.7.1thunderbird-60.7.2

Actually bump the version

comment:3 by Douglas R. Reno, 2 years ago

First, here's the release notes from both 60.7.1 and 60.7.2

60.7.1

What’s New

    fixed

    No prompt for smartcard PIN when S/MIME signing is used
    fixed

    Various security fixes

Known Issues

    unresolved

    Due to changes in the Mozilla platform profiles stored on Windows network shares addressed via drive letters are now addressed via UNC
    unresolved

    Chat: Twitter not working due to API changes at Twitter.com

60.7.2

What’s New

    fixed

    Various security fixes

Known Issues

    unresolved

    Due to changes in the Mozilla platform profiles stored on Windows network shares addressed via drive letters are now addressed via UNC
    unresolved

    Chat: Twitter not working due to API changes at Twitter.com

MSFA2019-17

Security vulnerabilities fixed in Thunderbird 60.7.1

Announced
    June 13, 2019
Impact
    high
Products
    Thunderbird
Fixed in
    Thunderbird 60.7.1

#CVE-2019-11703: Heap buffer overflow in icalparser.c

Reporter
    Luis Merino of X41 D-Sec
Impact
    high

Description

A flaw in Thunderbird's implementation of iCal causes a heap buffer overflow in parser_get_next_char when processing certain email messages, resulting in a potentially exploitable crash.
References

    Bug 1553820

#CVE-2019-11704: Heap buffer overflow in icalvalue.c

Reporter
    Luis Merino of X41 D-Sec
Impact
    high

Description

A flaw in Thunderbird's implementation of iCal causes a heap buffer overflow in icalmemory_strdup_and_dequote when processing certain email messages, resulting in a potentially exploitable crash.
References

    Bug 1553814

#CVE-2019-11705: Stack buffer overflow in icalrecur.c

Reporter
    Luis Merino of X41 D-Sec
Impact
    high

Description

A flaw in Thunderbird's implementation of iCal causes a stack buffer overflow in icalrecur_add_bydayrules when processing certain email messages, resulting in a potentially exploitable crash.
References

    Bug 1553808

#CVE-2019-11706: Type confusion in icalproperty.c

Reporter
    Luis Merino of X41 D-Sec
Impact
    low

Description

A flaw in Thunderbird's implementation of iCal causes a type confusion in icaltimezone_get_vtimezone_properties when processing certain email messages, resulting in a crash.
References

    Bug 1555646

MSFA2019-20

Security vulnerabilities fixed in Thunderbird 60.7.2

Announced
    June 20, 2019
Impact
    high
Products
    Thunderbird
Fixed in
    Thunderbird 60.7.2

In general, these flaws cannot be exploited through email in the Thunderbird product because scripting is disabled when reading mail, but are potentially risks in browser or browser-like contexts.
#CVE-2019-11707: Type confusion in Array.pop

Reporter
    Samuel Groß of Google Project Zero, Coinbase Security
Impact
    critical

Description

A type confusion vulnerability can occur when manipulating JavaScript objects due to issues in Array.pop. This can allow for an exploitable crash. We are aware of targeted attacks in the wild abusing this flaw.
References

    Bug 1544386

#CVE-2019-11708: sandbox escape using Prompt:Open

Reporter
    Coinbase Security
Impact
    high

Description

Insufficient vetting of parameters passed with the Prompt:Open IPC message between child and parent processes can result in the non-sandboxed parent process opening web content chosen by a compromised child process. When combined with additional vulnerabilities this could result in executing arbitrary code on the user's computer.
References

    Bug 1559858

comment:4 by Douglas R. Reno, 2 years ago

Here's the information on the libical-related 0days by X41.

CVE-2019-11704 / X41-2019-001

X41 D-Sec GmbH Security Advisory: X41-2019-001

Heap-based buffer overflow in Thunderbird
=========================================
Severity Rating: High
Confirmed Affected Versions: All versions affected
Confirmed Patched Versions: Thunderbird ESR 60.7.XXX
Vendor: Thunderbird
Vendor URL: https://www.thunderbird.net/
Vendor Reference: https://bugzilla.mozilla.org/show_bug.cgi?id=1553814
Vector: Incoming mail with calendar attachment
Credit: X41 D-SEC GmbH, Luis Merino
Status: Public
CVE: CVE-2019-11704
CWE: 122
CVSS Score: 7.8
CVSS Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O
Advisory-URL:
https://www.x41-dsec.de/lab/advisories/x41-2019-002-thunderbird

Summary and Impact
==================
A heap-based buffer overflow has been identified in the Thunderbird
email client. The issue is present in the libical implementation, which
was forked from upstream libical version 0.47.
The issue can be triggered remotely, when an attacker sends an specially
crafted calendar attachment and does not require user interaction. It
might be used by a remote attacker to crash or gain remote code
execution in the client system.

This issue was initially reported by Brandon Perry here:

https://bugzilla.mozilla.org/show_bug.cgi?id=1280832

and fixed in libical upstream, but was never fixed in Thunderbird.
X41 did not perform a full test or audit on the software.

Product Description
===================
Thunderbird is a free and open source email, newsfeed, chat, and
calendaring client, that's easy to set up and customize.

Analysis
========
A heap-based buffer overflow in icalvalue.c
icalmemory_strdup_and_dequote() can be triggered while parsing a
calendar attachment containing a malformed or specially crafted
string.

~~~
static char *icalmemorystrdupanddequote(const char *str)
{
    char *out = (char *)malloc(sizeof(char) * strlen(str) + 1);
    char *pout = out;
    // ...
    for (p = str; *p!=0; p++){
        if( *p == '\')
        {
            p++;
        // ...
        else
    {
            *pout = *p;
    }
    }
~~~

Bounds checking in `icalmemorystrdupanddequote()can be bypassed when the
inputp` ends with a backslash, which enables an attacker to read out
of bounds of the input buffer and writing out of bounds of a
heap-allocated
output buffer.
The issue manifests in several ways, including out of bounds read and
write, null-pointer dereference and frequently leads to heap corruption.

It is expected that an attacker can exploit this vulnerability to
achieve remote code execution.

Proof of Concept
================
A reproducer EML file can be found in:

https://github.com/x41sec/advisories/tree/master/X41-2019-001

Workarounds
===========
A fix is available from upstream. Alternatively, libical can be replaced
by icaljs, a JavaScript implementation of ical parsing, by setting
calendar.icaljs = true in Thunderbird configuration.

Timeline
========
2016-06-19 Issue reported by Brandon Perry to the vendor
2019-05-23 Issue reported by X41 D-SEC to the vendor
2019-05-23 Vendor reply
2019-06-12 CVE IDs assigned
2019-06-13 Patched Version released
2019-06-13 Advisory released

CVE-2019-11703 / X41-2019-002

X41 D-Sec GmbH Security Advisory: X41-2019-002

Heap-based buffer overflow in Thunderbird
=========================================
Severity Rating: High
Confirmed Affected Versions: All versions affected
Confirmed Patched Versions: Thunderbird ESR 60.7.XXX
Vendor: Thunderbird
Vendor URL: https://www.thunderbird.net/
Vendor Reference: https://bugzilla.mozilla.org/show_bug.cgi?id=1553820
Vector: Incoming mail with calendar attachment
Credit: X41 D-SEC GmbH, Luis Merino
Status: Public
CVE: CVE-2019-11703
CWE: 122
CVSS Score: 7.8
CVSS Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O
Advisory-URL:
https://www.x41-dsec.de/lab/advisories/x41-2019-002-thunderbird

Summary and Impact
==================
A heap-based buffer overflow has been identified in the Thunderbird
email client. The issue is present in the libical implementation, which
was forked from upstream libical version 0.47.
The issue can be triggered remotely, when an attacker sends an specially
crafted calendar attachment and does not require user interaction. It
might be used by a remote attacker to crash or gain remote code
execution in the client system.

This issue was initially reported by Brandon Perry here:

https://bugzilla.mozilla.org/show_bug.cgi?id=1281041

and fixed in libical upstream, but was never fixed in Thunderbird.
X41 did not perform a full test or audit on the software.

Product Description
===================
Thunderbird is a free and open source email, newsfeed, chat, and
calendaring client, that's easy to set up and customize.

Analysis
========
A heap-based buffer overflow in icalparser.c parser_get_next_char()
can be triggered while parsing a calendar attachment containing a
malformed or specially crafted string.
The issue initially manifests with out of bounds read, but we don't
discard it could later lead to out of bounds write.
It is expected that an attacker can exploit this vulnerability to
achieve remote code execution.

Proof of Concept
================
A reproducer ical file can be found in

https://github.com/x41sec/advisories/tree/master/X41-2019-002

Workarounds
===========
A fix is available from upstream. Alternatively, libical can be replaced
by icaljs, a JavaScript implementation of ical parsing, by setting
calendar.icaljs = true in Thunderbird configuration.

Timeline
========
2016-06-20 Issue reported by Brandon Perry to the vendor
2019-05-23 Issues reported to the vendor
2019-05-23 Vendor reply
2019-06-12 CVE IDs assigned
2019-06-13 Patched Version released
2019-06-13 Advisory released

CVE-2019-11705 / X41-2019-003

X41 D-Sec GmbH Security Advisory: X41-2019-003

Stack-based buffer overflow in Thunderbird
==========================================
Severity Rating: High
Confirmed Affected Versions: All versions affected
Confirmed Patched Versions: Thunderbird ESR 60.7.XXX
Vendor: Thunderbird
Vendor URL: https://www.thunderbird.net/
Vendor Reference: https://bugzilla.mozilla.org/show_bug.cgi?id=1553808
Vector: Incoming mail with calendar attachment
Credit: X41 D-SEC GmbH, Luis Merino
Status: Public
CVE: CVE-2019-11705
CWE: 121
CVSS Score: 7.8
CVSS Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O
Advisory-URL:
https://www.x41-dsec.de/lab/advisories/x41-2019-003-thunderbird

Summary and Impact
==================
A stack-based buffer overflow has been identified in the Thunderbird
email client. The issue is present in the libical implementation, which
was forked from upstream libical version 0.47.
The issue can be triggered remotely, when an attacker sends an specially
crafted calendar attachment and does not require user interaction. It
might be used by a remote attacker to crash or gain remote code
execution in the client system.
X41 did not perform a full test or audit on the software.

Product Description
===================
Thunderbird is a free and open source email, newsfeed, chat, and
calendaring client, that's easy to set up and customize.

Analysis
========
A stack-based buffer overflow in icalrecur.c icalrecur_add_bydayrules()
can be triggered while parsing a calendar attachment containing a
malformed or specially crafted string.

~~~
static int icalrecuraddbydayrules(struct icalrecurparser *parser,
                                    const char *vals)
{
    short *array = parser->rt.byday;
    // ...
    while (n != 0) {
    // ...
        if (wd != ICALNOWEEKDAY) {
            array[i++] = (short) (sign * (wd + 8 * weekno));
            array[i] = ICALRECURRENCEARRAYMAX;
    }
}
~~~

Missing sanity checks in `icalrecuradd_bydayrules()can lead to
out of bounds write in aarraywhenweekno` takes an invalid value.
The issue manifests as an out-of-bounds write in a stack allocated
buffer overflow.
It is expected that an attacker can exploit this vulnerability to
achieve remote code execution when proper stack smashing mitigations
are missing.

Proof of Concept
================
A reproducer eml file can be found in

https://github.com/x41sec/advisories/tree/master/X41-2019-003

Workarounds
===========
A fix is available from upstream. Alternatively, libical can be replaced
by icaljs, a JavaScript implementation of ical parsing, by setting
calendar.icaljs = true in Thunderbird configuration.

Timeline
========
2019-05-23 Issues reported to the vendor
2019-05-23 Vendor reply
2019-06-12 CVE IDs assigned
2019-06-13 Patched Version released
2019-06-13 Advisory released

CVE-2019-11706 / X41-2019-004

X41 D-Sec GmbH Security Advisory: X41-2019-004

Type confusion in Thunderbird
=============================
Severity Rating: Medium
Confirmed Affected Versions: All versions affected
Confirmed Patched Versions: Thunderbird ESR 60.7.XXX
Vendor: Thunderbird
Vendor URL: https://www.thunderbird.net/
Vendor Reference: https://bugzilla.mozilla.org/show_bug.cgi?id=1555646
Vector: Incoming mail with calendar attachment
Credit: X41 D-SEC GmbH, Luis Merino
Status: Public
CVE: CVE-2019-11706
CWE: 843
CVSS Score: 6.5
CVSS Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O
Advisory-URL:
https://www.x41-dsec.de/lab/advisories/x41-2019-004-thunderbird

Summary and Impact
==================
A type confusion has been identified in the Thunderbird email
client. The issue is present in the libical implementation, which was
forked from upstream libical version 0.47.
The issue can be triggered remotely, when an attacker sends an specially
crafted calendar attachment and does not require user interaction. It
might be used by a remote attacker to crash the process or leak
information from the client system via calendar replies.
X41 did not perform a full test or audit on the software.

Product Description
===================
Thunderbird is a free and open source email, newsfeed, chat, and
calendaring client, that's easy to set up and customize.

Analysis
========
A type confusion in icalproperty.c
icaltimezone_get_vtimezone_properties() can be triggered while parsing a
malformed calendar attachment. Missing sanity checks allows a TZID
property to be parsed as ICALFLOATVALUE but it is later used as a
string.
The bug manifests with strdup(tzid); being called with tzid containing
a bad pointer obtained by casting to char* from a float value, which
typically means segfaulting by dereferencing a non-mapped memory page.
An attacker might be able to deliver an input file containing specially
crafted float values as TZID properties which could point to arbitrary
memory positions.
Certain conditions could allow to exfiltrate information via a calendar
reply or other undetermined impact.

Proof of Concept
================
A reproducer eml file can be found in

https://github.com/x41sec/advisories/tree/master/X41-2019-004

Workarounds
===========
A fix is available from upstream. Alternatively, libical can be replaced
by icaljs, a JavaScript implementation of ical parsing, by setting
calendar.icaljs = true in Thunderbird configuration.

Timeline
========
2019-05-30 Issues reported to the vendor
2019-06-07 Vendor reply
2019-06-12 CVE IDs assigned
2019-06-13 Patched Version released
2019-06-13 Advisory released

comment:5 by Douglas R. Reno, 2 years ago

Once this is fixed, I'm going to write a notice to the list and an errata suggesting that users upgrade ASAP due to the libical vulnerability.

All you have to do is receive an email with a .ICS file that has the payload in it - you don't even have to open it. This is due to the way that Thunderbird processes and indexes mails while it's downloading them.

comment:6 by Douglas R. Reno, 2 years ago

Resolution: fixed
Status: assignedclosed

Fixed at r21730

comment:7 by Bruce Dubbs, 2 years ago

Milestone: 8.59.0

Milestone renamed

Note: See TracTickets for help on using tickets.