VYPR
High severity (CVSS 7.5), NVD Advisory. Published Jan 27, 2017. Updated May 13, 2026.

CVE-2016-5827

Description

A heap out-of-bounds read in libical's icaltime_from_string function allows remote attackers to cause denial of service via crafted iCalendar data.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The icaltime_from_string function in libical versions 0.47 and 1.0 performs an out-of-bounds heap read when parsing a specially crafted date-time string. The function is reached through icalparser_parse_string, the entry point that processes iCalendar text, so any .ics file or other calendar input that carries the crafted value reaches the vulnerable code [1][2].

Exploitation

An attacker needs only to supply a crafted iCalendar string to a service or application that uses libical to parse calendar data. icalparser_parse_string processes the input and hands the date-time value to icaltime_from_string, which reads beyond the end of the heap buffer holding it. No authentication or special privileges are required, and the input can arrive remotely over the network (for example as an .ics attachment opened by an email client). The flaw manifests as a segmentation fault or, in a build instrumented with AddressSanitizer, as a reported heap-buffer-overflow read [1].
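The bug class described above, as an added example that is not libical's own code: a minimal iCalendar DATE-TIME value parser in two forms. parse_dt_unchecked indexes the input at the fixed offsets of the RFC 5545 DATE ("YYYYMMDD") and DATE-TIME ("YYYYMMDDTHHMMSS") layouts without ever checking the input length, so a shorter heap-allocated value makes it read past the allocation, which is the kind of heap out-of-bounds read the advisory describes. parse_dt_checked takes the length explicitly and validates the layout before touching any byte. Function names, the struct and the sample inputs are assumptions for illustration only.

```c
/* Added example, not libical's code: a fixed-layout DATE-TIME parser
 * that trusts its input length (vulnerable) beside one that checks it.
 * All names here are hypothetical. */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct cal_time {
    int year, month, day, hour, minute, second;
    int is_date;            /* 1 for a DATE value, 0 for a DATE-TIME */
};

/* Two ASCII digits to an int; no validation, the caller must have checked. */
static int two_digits(const char *p) {
    return (p[0] - '0') * 10 + (p[1] - '0');
}

/* Vulnerable pattern: assumes the value is at least 15 bytes long. */
int parse_dt_unchecked(const char *s, struct cal_time *t) {
    t->year  = two_digits(s) * 100 + two_digits(s + 2);
    t->month = two_digits(s + 4);
    t->day   = two_digits(s + 6);
    t->is_date = (s[8] != 'T');          /* s[8] is read unconditionally */
    if (!t->is_date) {
        t->hour   = two_digits(s + 9);   /* s[9..14] read with no bound */
        t->minute = two_digits(s + 11);
        t->second = two_digits(s + 13);
    } else {
        t->hour = t->minute = t->second = 0;
    }
    return 0;
}

/* Hardened pattern: length first, then character classes, then ranges. */
int parse_dt_checked(const char *s, size_t len, struct cal_time *t) {
    if (len != 8 && len != 15)
        return -1;                       /* only the two fixed layouts */
    for (size_t i = 0; i < len; i++) {
        if (i == 8) {
            if (s[i] != 'T') return -1;  /* date/time separator */
            continue;
        }
        if (!isdigit((unsigned char)s[i])) return -1;
    }
    t->year  = two_digits(s) * 100 + two_digits(s + 2);
    t->month = two_digits(s + 4);
    t->day   = two_digits(s + 6);
    t->is_date = (len == 8);
    t->hour = t->minute = t->second = 0;
    if (!t->is_date) {
        t->hour   = two_digits(s + 9);
        t->minute = two_digits(s + 11);
        t->second = two_digits(s + 13);
    }
    /* Reject out-of-range fields; second 60 is allowed for leap seconds. */
    if (t->month < 1 || t->month > 12 || t->day < 1 || t->day > 31 ||
        t->hour > 23 || t->minute > 59 || t->second > 60)
        return -1;
    return 0;
}

/* Convenience wrapper for NUL-terminated property values. */
int parse_dt_cstr(const char *s, struct cal_time *t) {
    return parse_dt_checked(s, strlen(s), t);
}

int main(void) {
    struct cal_time t;
    /* Constructed inputs: a valid DATE-TIME and a truncated value. */
    const char *good = "20170127T120000";
    char *truncated = malloc(5);         /* heap buffer holding "2016" */
    if (!truncated) return 1;
    memcpy(truncated, "2016", 5);

    printf("checked(good)      = %d\n", parse_dt_cstr(good, &t));
    printf("checked(truncated) = %d\n", parse_dt_cstr(truncated, &t));

    /* The unchecked parser on the 5-byte buffer reads bytes 5..14 past
     * the allocation. Build with -fsanitize=address to get the
     * heap-buffer-overflow READ report instead of silent garbage. */
    parse_dt_unchecked(truncated, &t);
    free(truncated);
    return 0;
}
```

The point of the hardened version is ordering: the length check comes before any indexing, the character-class loop before any arithmetic, and the range check last, so no byte outside the buffer is ever touched and a malformed value fails closed with -1 rather than crashing the process.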

Impact

Successful exploitation causes a denial of service: the out-of-bounds heap read crashes the process that is parsing the calendar data, which may be an email client, a calendar application or a server-side service that ingests .ics input. The advisory reports no code execution, and any information disclosure would be limited to whatever heap bytes happen to follow the buffer; the primary impact is service disruption [1][2].

Mitigation

The libical maintainer confirmed that the issue was fixed in the libical 3.0 branch, and users are advised to upgrade to libical 3.0.8 or later [2]. Versions 0.47 and 1.0 are affected and no longer receive patches. To check which version a system carries, query the package manager or run `pkg-config --modversion libical`; anything older than 3.0.8 should be treated as affected. As of the last update in the bug tracker, the resolution was marked WORKSFORME (the bug could not be reproduced on newer versions) and the ticket was closed in 2021; the CVE is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.

AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 13

Patches: 0

No patches discovered yet (no fixing commit is linked in this index; see Mitigation for the fixed release).

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References: 3

News mentions: 0

No linked articles in our index yet.