Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS1tNm01LXBwNGctZmNjOM0WNA

S3 storage write is not aborted on errors leading to unbounded memory usage

Impact

Anyone using storage.blob.s3 (introduced in 0.5.0) as the message store for storage.imapsql is affected, i.e. a configuration like the following:

storage.imapsql local_mailboxes {
  ...
  msg_store s3 {
    ...
  }
}

Patches

The relevant commit is pushed to master and will be included in the 0.5.1 release.

No special handling of the issue has been done due to the small number of affected users.

Workarounds

None.

References

Permalink: https://github.com/advisories/GHSA-m6m5-pp4g-fcc8
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1tNm01LXBwNGctZmNjOM0WNA
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: over 2 years ago
Updated: over 1 year ago


CVSS Score: 7.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Identifiers: GHSA-m6m5-pp4g-fcc8
References: Repository: https://github.com/foxcpp/maddy
Blast Radius: 2.3

Affected Packages

go:github.com/foxcpp/maddy
Dependent packages: 3
Dependent repositories: 2
Downloads:
Affected Version Ranges: < 0.5.1
Fixed in: 0.5.1
All affected versions: 0.0.1, 0.1.0, 0.1.1, 0.2.0, 0.2.1, 0.3.0, 0.3.1, 0.3.2, 0.3.3, 0.4.0, 0.4.1, 0.4.2, 0.4.3, 0.4.4, 0.5.0
All unaffected versions: 0.5.1, 0.5.2, 0.5.3, 0.5.4, 0.6.0, 0.6.1, 0.6.2, 0.6.3, 0.7.0, 0.7.1