#VU17266 Use-after-free in libical


Published: 2019-01-30

Vulnerability identifier: #VU17266

Vulnerability risk: Low

CVSSv3.1: 5.9 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C]

CVE-ID: CVE-2016-5824

CWE-ID: CWE-416

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
libical
Universal components / Libraries / Libraries used by multiple products

Vendor: libical

Description

The vulnerability allows a remote attacker to perform denial of service attack.

The vulnerability exists due to a use-after-free error when processing ics Calendar files. A remote attackers can trick the victim to open a specially crafted calendar file, trigger user-after-free error and crash the affected application.

Mitigation
Install update from vendor's website.

Vulnerable software versions

libical: 0.47 - 1.0.1

External links
http://www.openwall.com/lists/oss-security/2016/06/25/4
http://www.openwall.com/lists/oss-security/2017/01/20/16
http://bugzilla.mozilla.org/show_bug.cgi?id=1275400
http://github.com/libical/libical/issues/235
http://github.com/libical/libical/issues/251
http://github.com/libical/libical/issues/286

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.


Latest bulletins with this vulnerability


Gentoo update for Libical
Ubuntu update for Thunderbird
OpenSUSE Linux update for MozillaThunderbird
OpenSUSE Linux update for MozillaThunderbird
OpenSUSE Linux update for MozillaThunderbird
Red Hat update for thunderbird
Red Hat update for thunderbird
Multiple vulnerabilities in Mozilla Thunderbird
Multiple vulnerabilities in libical