Allele Security Alert
ASA-2019-00352
Identifier(s)
ASA-2019-00352, X41-2019-002, CVE-2019-11703, MFSA2019-17
Title
Heap-based buffer overflow in parser_get_next_char()
Vendor(s)
Mozilla
Product(s)
Mozilla Thunderbird
Affected version(s)
Mozilla Thunderbird versions before 60.7.1
Fixed version(s)
Mozilla Thunderbird version 60.7.1
Proof of concept
Yes
Description
A heap-based buffer overflow has been identified in the Thunderbird email client. The issue is present in Thunderbird's bundled libical implementation, which was forked from upstream libical version 0.47.
The issue can be triggered remotely when an attacker sends a specially crafted calendar attachment, and it does not require user interaction. It might be used by a remote attacker to crash the client or to gain remote code execution on the client system.
Technical details
A heap-based buffer overflow in icalparser.c parser_get_next_char() can be triggered while parsing a calendar attachment containing a malformed or specially crafted string.
The issue initially manifests as an out-of-bounds read, but we do not rule out that it could also lead to an out-of-bounds write.
It is expected that an attacker can exploit this vulnerability to achieve remote code execution.
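The defensive pattern that prevents this class of overread, shown as an added example that is not libical's or Thunderbird's code: a hypothetical find_next_unquoted() scans a calendar property line for an unquoted delimiter under an explicit length, so a malformed line (an unterminated quoted section, or a buffer without a NUL terminator) ends the scan at the buffer boundary instead of reading past it. The sample lines are constructed for the example.

```c
/* Added example, not libical's parser_get_next_char(): a bounds-checked
 * scanner for iCalendar-style "NAME;PARAM="a:b":VALUE" lines. Every read
 * is checked against an explicit length, so malformed input can only end
 * the scan early; it can never move the cursor past the buffer. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Find the next occurrence of 'target' in buf[0..len) that is not inside
 * a double-quoted section. Returns the index, or -1 if no such character
 * exists before the end of the buffer. Never dereferences buf[len]. */
long find_next_unquoted(const char *buf, size_t len, char target)
{
    int in_quotes = 0;
    for (size_t i = 0; i < len; i++) {      /* i < len, never i <= len */
        char c = buf[i];
        if (c == '\0')                      /* honour an early terminator */
            return -1;
        if (c == '"') {                     /* quoted section opens/closes */
            in_quotes = !in_quotes;
            continue;
        }
        if (!in_quotes && c == target)
            return (long)i;
    }
    return -1;  /* ran off the end (e.g. unterminated quote): malformed */
}

/* Split a property line into name and value parts. On success returns 1
 * and stores the offset of the first value byte; returns 0 when the line
 * has no unquoted ':' within len, i.e. it is malformed. */
int split_property_line(const char *line, size_t len, size_t *value_off)
{
    long colon = find_next_unquoted(line, len, ':');
    if (colon < 0)
        return 0;
    *value_off = (size_t)colon + 1;
    return 1;
}

int main(void)
{
    /* Constructed sample lines: one well-formed, one with an unterminated
     * quoted parameter value, one raw buffer with no NUL terminator. */
    const char *good = "DTSTART;TZID=\"a:b\":2019";
    const char *bad  = "DTSTART;TZID=\"a:b:2019";
    const char raw[4] = {'A', 'B', 'C', ':'};
    size_t off;

    if (split_property_line(good, strlen(good), &off))
        printf("value: %s\n", good + off);          /* value: 2019 */
    if (!split_property_line(bad, strlen(bad), &off))
        printf("rejected unterminated quote\n");
    /* With len 3 the ':' at raw[3] is outside the buffer we were given. */
    printf("raw, len 3: %ld\n", find_next_unquoted(raw, 3, ':'));  /* -1 */
    printf("raw, len 4: %ld\n", find_next_unquoted(raw, 4, ':'));  /*  3 */
    return 0;
}
```

The point of the explicit length parameter is that the caller's knowledge of the allocation size, not the presence of a terminator or a closing quote inside the data, decides where the scan stops; a NUL-terminated API cannot make that guarantee for attacker-supplied attachments.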
Credits
Luis Merino (X41 D-SEC GmbH)
Reference(s)
Advisory X41-2019-002: Heap-based buffer overflow in Thunderbird
https://www.x41-dsec.de/lab/advisories/x41-2019-002-thunderbird/
Security vulnerabilities fixed in Thunderbird 60.7.1
https://www.mozilla.org/en-US/security/advisories/mfsa2019-17/#CVE-2019-11703
advisories/X41-2019-002 at master · x41sec/advisories
https://github.com/x41sec/advisories/tree/master/X41-2019-002
X41 D-Sec GmbH Security Advisory X41-2019-002: Heap-based buffer overflow in Thunderbird
https://seclists.org/oss-sec/2019/q2/158
Heap buffer overread in libical (icalparser_parse_string function)
https://bugzilla.mozilla.org/show_bug.cgi?id=1281041
CVE-2019-11703
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11703
CVE-2019-11703
https://nvd.nist.gov/vuln/detail/CVE-2019-11703
If there is any error in this alert, or you would like a comprehensive analysis, let us know.
Last modified: July 23, 2019