oss-sec mailing list archives
Re: kopano-core 11.0.1: Remote DoS by memory exhaustion
From: Robert Scheck <robert () fedoraproject org>
Date: Sun, 21 Mar 2021 15:30:11 +0100
On Fri, 19 Mar 2021, Jan Engelhardt wrote:
> Initial publication, no CVE number yet (will request).
>
> # Affected versions
>
> * kopano-core 11.0.1 (current head of 11.x branch)
> * kopano-core 10.0.7 (head of 10.x branch)
> * kopano-core 9.1.0 (head of 9.x branch)
> * kopano-core 8.7.16
> * it is believed this affects all versions to date, including zarafa 7.2.6,
>   the discontinued predecessor project to Kopano, sometimes still in use.

I hereby confirm the trigger, but I would like to correct the affected
versions regarding the Zarafa predecessor project to be more precise for
the CVE:

* Zarafa 7.2.x: Affected (tested myself)
* Zarafa 7.1.x: Affected (tested myself)
* Zarafa 7.0.x: Affected (tested myself)
* Zarafa 6.40.x: Affected (tested myself)
* Zarafa 6.30.x: Affected (tested myself)
* Zarafa 6.2x: Not affected (tested myself)
* Zarafa 6.1x: Not affected (tested myself)
* Zarafa 6.0x: Not affected (tested myself)
* Zarafa 5.2x: Not affected (tested myself)
* Zarafa 5.1x: Most likely not affected (but not tested myself)
* Zarafa 5.0x: Not applicable (no zarafa-ical component)
* Zarafa 4.2x: Not applicable (no zarafa-ical component)

As a conclusion the flaw issue was introduced after Zarafa 6.20.13 Final
(SVN Rev. 19023) and before Zarafa 6.30.0 Beta 1 (SVN Rev. 13713).

Given the crash and error messages in old Zarafa versions look different
than in more recent Zarafa/Kopano versions, here is how it looked for me
when tracking down the version introducing the flaw:

Starting zarafa-ical version 6,30,14,20002 (20002), pid 4937
Pid 4943 caught SIGSEGV (6), traceback:
0x0000000040ad4a /usr/bin/zarafa-ical(_Z7sigsegvi+0x5a) [0x40ad4a]
0x002ac38a5a4ca0 /lib64/libpthread.so.0 [0x2ac38a5a4ca0]
0x002ac38a7e1fc5 /lib64/libc.so.6(gsignal+0x35) [0x2ac38a7e1fc5]
0x002ac38a7e3a70 /lib64/libc.so.6(abort+0x110) [0x2ac38a7e3a70]
0x002ac389ec2d94 /usr/lib64/libstdc++.so.6(_ZN9__gnu_cxx27__verbose_terminate_handlerEv+0x114) [0x2ac389ec2d94]
0x002ac389ec0e46 /usr/lib64/libstdc++.so.6 [0x2ac389ec0e46]
0x002ac389ec0e73 /usr/lib64/libstdc++.so.6 [0x2ac389ec0e73]
0x002ac389ec0f71 /usr/lib64/libstdc++.so.6 [0x2ac389ec0f71]
0x002ac389ec12b9 /usr/lib64/libstdc++.so.6(_Znwm+0x79) [0x2ac389ec12b9]
0x002ac389e9f861 /usr/lib64/libstdc++.so.6(_ZNSs4_Rep9_S_createEmmRKSaIcE+0x21) [0x2ac389e9f861]
0x002ac389ea023b /usr/lib64/libstdc++.so.6(_ZNSs4_Rep8_M_cloneERKSaIcEm+0x2b) [0x2ac389ea023b]
0x002ac389ea0b45 /usr/lib64/libstdc++.so.6(_ZNSs7reserveEm+0x45) [0x2ac389ea0b45]
0x002ac389ea0faf /usr/lib64/libstdc++.so.6(_ZNSs6appendERKSs+0x4f) [0x2ac389ea0faf]
0x0000000041ec94 /usr/bin/zarafa-ical(_ZN4Http13HrReadHeadersEv+0xa4) [0x41ec94]
0x0000000040bcb7 /usr/bin/zarafa-ical(_Z15HrHandleRequestP9ECChannelPP12IMAPISession+0x127) [0x40bcb7]
0x0000000040d612 /usr/bin/zarafa-ical(_Z13HandlerClientPv+0x42) [0x40d612]
0x00000000430bf0 /usr/bin/zarafa-ical(_Z18unix_fork_functionPFPvS_ES_+0x40) [0x430bf0]
0x0000000040ab6d /usr/bin/zarafa-ical(_Z20HrStartHandlerClientP9ECChannelb+0xbd) [0x40ab6d]
0x0000000040b0c5 /usr/bin/zarafa-ical(_Z20HrProcessConnectionsii+0x1c5) [0x40b0c5]
0x0000000040ba14 /usr/bin/zarafa-ical(main+0x484) [0x40ba14]
0x002ac38a7cf9f4 /lib64/libc.so.6(__libc_start_main+0xf4) [0x2ac38a7cf9f4]
0x0000000040a989 /usr/bin/zarafa-ical(__gxx_personality_v0+0x2a9) [0x40a989]

And yes, Zarafa is a discontinued project/product, but sometimes still in
active/production use.

Kind regards

Robert Scheck
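
The traceback in the message above can be triaged mechanically. The following is an added example, not part of the original post and not Zarafa or Kopano code: it demangles the frames and reports the first application function reached after operator new. The names Frame, demangle, parse_frame, allocating_caller and kTrace are assumptions of the example; the frame strings are a subset copied from the message.

```cpp
#include <cxxabi.h>
#include <cstdlib>
#include <iostream>
#include <string>
#include <vector>

struct Frame { std::string module, symbol; };
// Demangle an Itanium C++ ABI name; names not starting with "_Z" are returned as-is.
std::string demangle(const std::string &name) {
    int status = -1;
    char *out = name.compare(0, 2, "_Z") == 0
        ? abi::__cxa_demangle(name.c_str(), nullptr, nullptr, &status) : nullptr;
    std::string result = (status == 0 && out) ? out : name;
    std::free(out);
    return result;
}

// Frame layout in the trace: "<addr> <module>(<symbol>+<offset>) [<addr>]"; the "(...)" part may be absent.
bool parse_frame(const std::string &line, Frame &f) {
    size_t sp = line.find(' '), br = line.rfind(" [");
    if (sp == std::string::npos || br == std::string::npos || br <= sp) return false;
    std::string mid = line.substr(sp + 1, br - sp - 1);
    size_t open = mid.find('('), plus = mid.rfind('+');  // rfind: "libstdc++" has '+' too
    f.module = mid.substr(0, open);
    f.symbol = (open != std::string::npos && plus != std::string::npos && plus > open)
                   ? demangle(mid.substr(open + 1, plus - open - 1)) : "";
    return !f.module.empty();
}

// Innermost frame first: after operator new is seen, the first frame in `app` requested the memory.
std::string allocating_caller(const std::vector<std::string> &trace, const std::string &app) {
    bool in_alloc = false;
    for (const std::string &line : trace) {
        Frame f;
        if (!parse_frame(line, f)) continue;
        if (f.symbol.compare(0, 12, "operator new") == 0) in_alloc = true;
        else if (in_alloc && f.module == app) return f.symbol;
    }
    return "";
}

// Subset of the frames quoted in the message, copied unchanged.
const std::vector<std::string> kTrace = {
    "0x0000000040ad4a /usr/bin/zarafa-ical(_Z7sigsegvi+0x5a) [0x40ad4a]",
    "0x002ac389ec0e46 /usr/lib64/libstdc++.so.6 [0x2ac389ec0e46]",
    "0x002ac389ec12b9 /usr/lib64/libstdc++.so.6(_Znwm+0x79) [0x2ac389ec12b9]",
    "0x002ac389ea0faf /usr/lib64/libstdc++.so.6(_ZNSs6appendERKSs+0x4f) [0x2ac389ea0faf]",
    "0x0000000041ec94 /usr/bin/zarafa-ical(_ZN4Http13HrReadHeadersEv+0xa4) [0x41ec94]",
};
int main() { std::cout << allocating_caller(kTrace, "/usr/bin/zarafa-ical") << "\n"; }
```

For these frames the result is Http::HrReadHeaders(), the HTTP header reader of zarafa-ical, reached through a std::string append whose allocation failed.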