oss-sec mailing list archives

Re: CVE-2016-9584: heap use-after-free on libical


From: Raphael Hertzog <hertzog () debian org>
Date: Fri, 20 Jan 2017 12:26:04 +0100

Hello,

On Thu, 15 Dec 2016, Agustin Mista wrote:
> We found a heap use-after-free in a recent revision of libical
> (f3688b444f820cecf51b1539b0856a392c0fdb0f), using a specially crafted
> ics file. This bug looks particularly dangerous since it allows reading
> a big chunk of the heap memory.

I see you reported multiple bugs on github's libical issues page:
https://github.com/libical/libical/issues/251
https://github.com/libical/libical/issues/252
https://github.com/libical/libical/issues/253

Looking at the backtrace, it seems that #253 is the same as this one.
Do you confirm?

Any reason why you did not request a CVE for #251?

> It is worth mentioning that a very similar bug (CVE-2016-5824) was found
> in the libical version used by Thunderbird, but we think it is *not* the
> same as this one. In fact, we've tested it on Thunderbird and it does
> *not* crash.

> The reproducer is available upon request.

#253 has a reproducer here:
https://github.com/libical/libical/files/627392/heap-use-after-free.ical.txt

Is this the same file?

If it's a different file, then I'd like to have access to the file, but I
would prefer it to be available publicly rather than to me only.

Cheers,
-- 
Raphaël Hertzog ◈ Debian Developer

Support Debian LTS: http://www.freexian.com/services/debian-lts.html
Learn to master Debian: http://debian-handbook.info/get/
