On behalf of the Plone/Zope Security Team and the icalendar maintainers, I announce the following.

Summary:
Component.__eq__ compares subcomponents in O(2^n) time relative to nesting depth. Because the parser accepts arbitrarily nested components, a sub-kilobyte .ics file is enough to make a single equality check run for minutes or hang indefinitely. Any application that compares parsed components (==, !=, in, set/dict membership, deduplication, test assertions) against attacker-supplied calendar data is exposed to denial of service.

icalendar 7.1.0, 7.1.1, and 7.1.2 are affected. It is fixed in icalendar 7.1.3. Earlier versions are not affected.
(Version 7.2.0 was released today, and also has the fix.)
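As an added defensive example (not part of this announcement or of the icalendar project), the following Python performs two checks a deployer can act on: whether the installed icalendar release is one of the versions listed above, and whether a raw .ics text nests components deeper than a chosen limit, so that it can be rejected before any parsed Component is ever compared. The depth limit of 8 and the sample calendar are constructed for the example; the depth check reads only BEGIN:/END: delimiter lines and does not import icalendar.

```python
"""Defensive pre-checks for the icalendar Component.__eq__ nesting issue.

Added example, not part of the announcement or of the icalendar project.
It never imports icalendar: it inspects the raw .ics text before a parser
sees it, and looks up the installed distribution version separately.
"""
from importlib import metadata
from typing import List, Optional

# Versions named in the announcement: the affected releases and the first fix.
AFFECTED_VERSIONS = {"7.1.0", "7.1.1", "7.1.2"}
FIRST_FIXED_VERSION = "7.1.3"

# Real calendars are shallow (VCALENDAR > VEVENT > VALARM is depth 3);
# the limit below is an assumption chosen for this example.
MAX_NESTING_DEPTH = 8


def is_affected_version(version: str) -> bool:
    """True if this icalendar release is one the announcement lists as affected."""
    return version.strip() in AFFECTED_VERSIONS


def installed_icalendar_is_affected() -> Optional[bool]:
    """Check the installed icalendar distribution; None when it is not installed."""
    try:
        return is_affected_version(metadata.version("icalendar"))
    except metadata.PackageNotFoundError:
        return None


def max_component_depth(ics_text: str) -> int:
    """Return the deepest BEGIN:/END: nesting found in raw iCalendar text.

    Only component delimiters are inspected, so this runs in linear time and
    never builds the nested structure whose comparison is slow. Folded
    continuation lines (leading space or tab, RFC 5545 section 3.1) are skipped.
    A malformed file (END without matching BEGIN, or BEGIN never closed)
    raises ValueError.
    """
    depth = 0
    deepest = 0
    stack: List[str] = []
    for raw_line in ics_text.splitlines():
        if raw_line[:1] in (" ", "\t"):
            continue  # continuation of the previous property, not a delimiter
        upper = raw_line.rstrip("\r\n").upper()
        if upper.startswith("BEGIN:"):
            stack.append(upper[len("BEGIN:"):])
            depth += 1
            deepest = max(deepest, depth)
        elif upper.startswith("END:"):
            name = upper[len("END:"):]
            if not stack or stack[-1] != name:
                raise ValueError(f"unbalanced END:{name}")
            stack.pop()
            depth -= 1
    if stack:
        raise ValueError(f"unterminated BEGIN:{stack[-1]}")
    return deepest


def safe_to_parse(ics_text: str, limit: int = MAX_NESTING_DEPTH) -> bool:
    """Gatekeeper: False for data nested deeper than `limit` or malformed."""
    try:
        return max_component_depth(ics_text) <= limit
    except ValueError:
        return False


# Constructed sample: an ordinary calendar, one event with one alarm (depth 3).
SAMPLE_ICS = "\r\n".join([
    "BEGIN:VCALENDAR",
    "VERSION:2.0",
    "PRODID:-//example//constructed sample//EN",
    "BEGIN:VEVENT",
    "UID:constructed-sample-1@example.invalid",
    "DTSTART:20240101T100000Z",
    "SUMMARY:Planning",
    " meeting",  # folded continuation line; must not count as a component
    "BEGIN:VALARM",
    "ACTION:DISPLAY",
    "TRIGGER:-PT15M",
    "END:VALARM",
    "END:VEVENT",
    "END:VCALENDAR",
])

if __name__ == "__main__":
    print("installed icalendar affected:", installed_icalendar_is_affected())
    print("sample depth:", max_component_depth(SAMPLE_ICS))
    print("sample safe to parse:", safe_to_parse(SAMPLE_ICS))
```

Run the depth check on untrusted calendar data before calling the parser; only data that passes should reach code paths that compare components, and the version check tells you whether that path is still exposed until the upgrade to 7.1.3 or later is deployed.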

For details see https://github.com/collective/icalendar/security/advisories/GHSA-cv84-9p8j-fj68

Kind regards,

Maurits van Rees


