
List:       full-disclosure
Subject:    [FD] libical 0.47 SEGV on unknown address
From:       Brandon Perry <bperry.volatile () gmail ! com>
Date:       2016-06-24 13:54:08
Message-ID: 6565BB80-B75B-4CE3-819D-84CCE79F0CA3 () gmail ! com


Hello lists,

Attached is a test case for causing a crash in libical 0.47 (shipped with Thunderbird); this was also tested against 1.0 (various versions shipped with various email clients).


=================================================================
==24662==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000008 (pc 0x0000004fbb80 bp 0x7ffd68d966f0 sp 0x7ffd68d96520 T0)
    #0 0x4fbb7f in icalproperty_new_clone (/root/tmp/new_parse/parse_string047_asan+0x4fbb7f)
    #1 0x4f44e6 in icalparser_add_line (/root/tmp/new_parse/parse_string047_asan+0x4f44e6)
    #2 0x4efabe in icalparser_parse (/root/tmp/new_parse/parse_string047_asan+0x4efabe)
    #3 0x4f9c1f in icalparser_parse_string (/root/tmp/new_parse/parse_string047_asan+0x4f9c1f)
    #4 0x4eb7ef in main (/root/tmp/new_parse/parse_string047_asan+0x4eb7ef)
    #5 0x7fb657683a3f in __libc_start_main /build/glibc-ryFjv0/glibc-2.21/csu/libc-start.c:289
    #6 0x444ae8 in _start (/root/tmp/new_parse/parse_string047_asan+0x444ae8)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV ??:0 icalproperty_new_clone
==24662==ABORTING



I am posting this to Full Disclosure/OSS instead of reporting it because I have opened a handful of libical bugs in the Mozilla bug tracker, alerted security@mozilla.org, and worked to show how and where to reproduce the bugs in Thunderbird, but Mozilla hasn't shown any care at all about the bugs. Perhaps if I give the community a sample of the bugs in the bug reports, Mozilla will take the bug reports more seriously. The bug attached here had not been reported yet.

While list members likely will not have access to these bugs, I am listing them here in case someone on the list can make something happen.

https://bugzilla.mozilla.org/show_bug.cgi?id=1275400 (Opened a month ago. After Tyson reproed the bug in libical, no responses.)

The following three bugs are distinct heap over-reads in libical (tested against libical 0.47 and 1.0) which have had little to no reception by Mozilla.

https://bugzilla.mozilla.org/show_bug.cgi?id=1280832
https://bugzilla.mozilla.org/show_bug.cgi?id=1281041
https://bugzilla.mozilla.org/show_bug.cgi?id=1281043

My roommate mentioned Thunderbird being a second-class citizen in the Mozilla world, so if this is the case, it should be made explicit in regards to bug bounty expectations.
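As an added triage helper (example code, not part of the post or of libical), a small parser for AddressSanitizer reports like the one quoted above: it extracts the crash kind, faulting address and call stack, flags a fault inside the first page (address 0x8 here) as a likely NULL dereference, and builds a stable signature for de-duplicating crashes. The sample text is the post's own report, re-joined one frame per line; the page-size threshold and signature depth are assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the ASan report quoted in the post, one frame per line.
SAMPLE_REPORT = """\
==24662==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000008 (pc 0x0000004fbb80 bp 0x7ffd68d966f0 sp 0x7ffd68d96520 T0)
    #0 0x4fbb7f in icalproperty_new_clone (/root/tmp/new_parse/parse_string047_asan+0x4fbb7f)
    #1 0x4f44e6 in icalparser_add_line (/root/tmp/new_parse/parse_string047_asan+0x4f44e6)
    #2 0x4efabe in icalparser_parse (/root/tmp/new_parse/parse_string047_asan+0x4efabe)
    #3 0x4f9c1f in icalparser_parse_string (/root/tmp/new_parse/parse_string047_asan+0x4f9c1f)
    #4 0x4eb7ef in main (/root/tmp/new_parse/parse_string047_asan+0x4eb7ef)
SUMMARY: AddressSanitizer: SEGV ??:0 icalproperty_new_clone
"""

# Matches both "SEGV on unknown address 0x8" and "heap-buffer-overflow on address 0x...".
ERROR_RE = re.compile(r"==(?P<pid>\d+)==ERROR: AddressSanitizer: (?P<kind>[\w-]+)"
                      r"(?: on (?:unknown )?address (?P<addr>0x[0-9a-fA-F]+))?")
FRAME_RE = re.compile(r"^\s*#\d+ 0x[0-9a-fA-F]+ in (?P<func>\S+)")

@dataclass
class AsanCrash:
    pid: int
    kind: str               # e.g. "SEGV", "heap-buffer-overflow"
    address: Optional[int]  # faulting address, when ASan reports one
    frames: List[str]       # function names, innermost first

    def likely_null_deref(self, page_size: int = 4096) -> bool:
        # A SEGV inside the first page is almost always NULL (plus a small field offset, 0x8 here).
        return self.kind == "SEGV" and self.address is not None and self.address < page_size

    def signature(self, depth: int = 3) -> str:
        # Stable de-duplication key for a fuzzing campaign: kind plus top frames.
        return self.kind + ":" + ">".join(self.frames[:depth])

def parse_asan_report(text: str) -> AsanCrash:
    crash = None
    for line in text.splitlines():
        if crash is None:
            m = ERROR_RE.search(line)
            if m:
                addr = int(m.group("addr"), 16) if m.group("addr") else None
                crash = AsanCrash(int(m.group("pid")), m.group("kind"), addr, [])
            continue
        m = FRAME_RE.match(line)
        if m:
            crash.frames.append(m.group("func"))
    if crash is None:
        raise ValueError("no AddressSanitizer ERROR line found")
    return crash
```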




_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
