PatchSiren

PatchSiren cyber security CVE debrief

CVE-2016-5823 Libical Project CVE debrief

CVE-2016-5823 is a denial-of-service vulnerability in libical’s icalproperty_new_clone function. According to NVD, libical 0.47 and 1.0 are affected, and the flaw is a use-after-free that can be triggered through a crafted ICS file. The published CVSS 3.0 vector indicates the issue has no confidentiality or integrity impact, but it can significantly affect availability.

Vendor: Libical Project
Product: CVE-2016-5823
CVSS: MEDIUM 5.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-01-27
Original CVE updated: 2026-05-13
Advisory published: 2017-01-27
Advisory updated: 2026-05-13

Who should care

Teams running software that parses iCalendar (.ics) content through libical 0.47 or 1.0 should pay attention, especially desktop calendar clients, mail clients, groupware components, and any service that imports or previews ICS files.

Technical summary

NVD describes the weakness as CWE-416 (use-after-free) in icalproperty_new_clone. The vulnerable configurations NVD lists are libical 0.47 and 1.0. The attack requires a crafted ICS file to be processed by the affected code path, and the CVSS vector provided by NVD is CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H, indicating a user-interaction-dependent availability impact.

Defensive priority

Medium. This is not a confidentiality or integrity issue, but it can crash or disable applications that consume untrusted ICS input. Prioritize if your environment accepts calendar content from external sources or automatically imports attachments.

Recommended defensive actions

  • Identify whether any deployed software links against libical 0.47 or 1.0.
  • Upgrade to a libical release that includes the fix, or apply the vendor/package update recommended by your platform.
  • Treat ICS files from untrusted sources as potentially hostile until patched.
  • If you cannot patch immediately, reduce exposure by limiting automatic ICS import and preview workflows.
  • Validate any third-party packages or appliances that bundle libical, not just direct installations.
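As an added example for the inventory steps above (it is not part of the PatchSiren debrief or of the libical project), the script below helps answer "does anything on this host link against libical 0.47 or 1.0?". It assumes a Linux host with ldconfig and either dpkg or rpm, and the candidate package names (libical, libical1, libical2, libical3) are assumptions that may need adjusting for your distribution. Only the exact upstream versions the advisory names, 0.47 and 1.0, are reported as AFFECTED; anything else is NOT_LISTED, which means "compare against your vendor's advisory", not "safe".

```shell
#!/bin/sh
# Added example (not from the PatchSiren debrief or the libical project):
# host inventory helper for CVE-2016-5823 exposure checks.
# Assumptions: Linux host with ldconfig, plus dpkg or rpm; the package
# names tried below are guesses and may differ on your distribution.

# Strip a distro package revision ("1.0-3ubuntu1" -> "1.0") so the upstream
# version can be compared against the versions NVD lists for this CVE.
upstream_version() {
    v="$1"
    v="${v%%-*}"        # drop Debian/Ubuntu revision suffix
    v="${v%%+*}"        # drop "+dfsg"-style suffixes
    printf '%s\n' "$v"
}

# Classify an installed version string: AFFECTED for the exact upstream
# versions the advisory names (0.47 and 1.0), otherwise NOT_LISTED.
classify_package_version() {
    case "$(upstream_version "$1")" in
        0.47|1.0) printf 'AFFECTED\n' ;;
        *)        printf 'NOT_LISTED\n' ;;
    esac
}

# Print executables under the given directories whose dynamic dependencies
# include libical. Uses ldd, so statically linked or bundled copies are missed.
executables_linking_libical() {
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        for bin in "$dir"/*; do
            [ -f "$bin" ] && [ -x "$bin" ] || continue
            if ldd "$bin" 2>/dev/null | grep -q 'libical'; then
                printf '%s\n' "$bin"
            fi
        done
    done
}

# Ask the package manager for an installed libical version (first hit wins).
installed_libical_version() {
    for pkg in libical libical1 libical2 libical3; do
        if command -v dpkg-query >/dev/null 2>&1; then
            v=$(dpkg-query -W -f='${Version}' "$pkg" 2>/dev/null) \
                && [ -n "$v" ] && { printf '%s\n' "$v"; return 0; }
        fi
        if command -v rpm >/dev/null 2>&1; then
            v=$(rpm -q --qf '%{VERSION}-%{RELEASE}' "$pkg" 2>/dev/null) \
                && [ -n "$v" ] && { printf '%s\n' "$v"; return 0; }
        fi
    done
    return 1
}

scan_host() {
    echo "== libical shared objects known to the dynamic loader =="
    ldconfig -p 2>/dev/null | grep -i libical || echo "(none found)"
    echo "== installed package version =="
    if v=$(installed_libical_version); then
        printf '%s -> %s\n' "$v" "$(classify_package_version "$v")"
    else
        echo "(no libical package found via dpkg/rpm)"
    fi
    echo "== executables linking libical =="
    executables_linking_libical /usr/bin /usr/local/bin
}

# Run the live scan only when asked, so the helpers can also be sourced.
if [ "${1:-}" = "--scan" ]; then
    scan_host
fi
```

Run it as `sh inventory.sh --scan` on each host. Because ldd only sees dynamic dependencies, the last bullet above still applies: appliances or applications that ship a private, statically linked or vendored libical will not show up here and need to be checked through their own vendor's advisory.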

Evidence notes

The CVE description states that icalproperty_new_clone in libical 0.47 and 1.0 allows remote attackers to cause a denial of service via a crafted ICS file. NVD classifies the weakness as CWE-416 and lists the vulnerable CPEs for libical 0.47 and 1.0. The official record was published on 2017-01-27, and the source references include an oss-security mailing list post and a Gentoo GLSA.

Official resources

Publicly disclosed in January 2017, with a referenced oss-security discussion from June 2016. Use the CVE publication date, 2017-01-27, for timeline context.