Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

CVE-2016-5824: use-after-free issues #286

Closed
rhertzog opened this issue Jan 20, 2017 · 2 comments

Comments

Projects
None yet
2 participants
@rhertzog
Copy link

commented Jan 20, 2017

@brandonprry has been fuzzing libical last year and found some issues, he reported them first in #235 but closed the ticket when he opened the same ticket against thunderbird in the hope to get more answers: https://bugzilla.mozilla.org/show_bug.cgi?id=1275400 Also lacking any positive answer there, he published all his fuzzing results here: https://github.com/brandonprry/ical-fuzz

At this point it's not clear whether those issues have been fixed in libical and if they have, it would be nice to know which commit fixed them. This is the point of this ticket.

A CVE number has been assigned to those issues: https://security-tracker.debian.org/tracker/CVE-2016-5824 (CVE assignment here: http://seclists.org/oss-sec/2016/q2/604)

@rhertzog

This comment has been minimized.

Copy link
Author

commented Jan 27, 2017

Apparently #251 might be related.

@winterz

This comment has been minimized.

Copy link
Member

commented Jan 27, 2017

right. I had individual issues already assigned for those CVEs. all of them are fixed now except for #253 which we don't know what to do about.

@winterz winterz closed this Jan 27, 2017

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.