ASA-2019-00352 – Mozilla Thunderbird: Heap-based buffer overflow in parser_get_next_char()


Allele Security Alert

ASA-2019-00352

Identifier(s)

ASA-2019-00352, X41-2019-002, CVE-2019-11703, MFSA2019-17

Title

Heap-based buffer overflow in parser_get_next_char()

Vendor(s)

Mozilla

Product(s)

Mozilla Thunderbird

Affected version(s)

Mozilla Thunderbird versions before 60.7.1

Fixed version(s)

Mozilla Thunderbird version 60.7.1

Proof of concept

Yes

Description

A heap-based buffer overflow has been identified in the Thunderbird email client. The issue is present in the libical implementation, which was forked from upstream libical version 0.47.

The issue can be triggered remotely, when an attacker sends a specially crafted calendar attachment and does not require user interaction. It might be used by a remote attacker to crash or gain remote code execution in the client system.

Technical details

A heap-based buffer overflow in icalparser.c parser_get_next_char() can be triggered while parsing a calendar attachment containing a malformed or specially crafted string.

The issue initially manifests with out of bounds read, but we don’t discard it could later lead to out of bounds write.

It is expected that an attacker can exploit this vulnerability to achieve remote code execution.

Credits

Luis Merino (X41 D-SEC GmbH)

Reference(s)

ADVISORY X41-2019-002: HEAP-BASED BUFFER OVERFLOW IN THUNDERBIRD
https://www.x41-dsec.de/lab/advisories/x41-2019-002-thunderbird/

Security vulnerabilities fixed in Thunderbird 60.7.1
https://www.mozilla.org/en-US/security/advisories/mfsa2019-17/#CVE-2019-11703

advisories/X41-2019-002 at master · x41sec/advisories
https://github.com/x41sec/advisories/tree/master/X41-2019-002

X41 D-Sec GmbH Security Advisory X41-2019-002: Heap-based buffer overflow in Thunderbird
https://seclists.org/oss-sec/2019/q2/158

Heap buffer overread in libical (icalparser_parse_string function)
https://bugzilla.mozilla.org/show_bug.cgi?id=1281041

CVE-2019-11703
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11703

CVE-2019-11703
https://nvd.nist.gov/vuln/detail/CVE-2019-11703

If there is any error in this alert or you wish a comprehensive analysis, let us know.

Last modified: July 23, 2019

We are not responsible for any data loss, device corruption or any other type of issue due to the use of any information mentioned in our security alerts.