Allele Security Alert
ASA-2019-00352, X41-2019-002, CVE-2019-11703, MFSA2019-17
Heap-based buffer overflow in parser_get_next_char()
Mozilla Thunderbird versions before 60.7.1
Mozilla Thunderbird version 60.7.1
Proof of concept
A heap-based buffer overflow has been identified in the Thunderbird email client. The issue is present in the libical implementation, which was forked from upstream libical version 0.47.
The issue can be triggered remotely, when an attacker sends a specially crafted calendar attachment and does not require user interaction. It might be used by a remote attacker to crash or gain remote code execution in the client system.
A heap-based buffer overflow in icalparser.c parser_get_next_char() can be triggered while parsing a calendar attachment containing a malformed or specially crafted string.
The issue initially manifests with out of bounds read, but we don’t discard it could later lead to out of bounds write.
It is expected that an attacker can exploit this vulnerability to achieve remote code execution.
Luis Merino (X41 D-SEC GmbH)
ADVISORY X41-2019-002: HEAP-BASED BUFFER OVERFLOW IN THUNDERBIRD
Security vulnerabilities fixed in Thunderbird 60.7.1
advisories/X41-2019-002 at master · x41sec/advisories
X41 D-Sec GmbH Security Advisory X41-2019-002: Heap-based buffer overflow in Thunderbird
Heap buffer overread in libical (icalparser_parse_string function)
If there is any error in this alert or you wish a comprehensive analysis, let us know.
Last modified: July 23, 2019