GHSA-m6m5-pp4g-fcc8

Suggest an improvement
Source
https://github.com/advisories/GHSA-m6m5-pp4g-fcc8
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/10/GHSA-m6m5-pp4g-fcc8/GHSA-m6m5-pp4g-fcc8.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-m6m5-pp4g-fcc8
Published
2021-10-06T17:47:35Z
Modified
2021-10-06T16:48:49Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
Summary
S3 storage write is not aborted on errors leading to unbounded memory usage
Details

Impact

Anyone using storage.blob.s3 introduced in 0.5.0 with storage.imapsql.

storage.imapsql local_mailboxes {
  ...
  msg_store s3 {
    ...
  }
}

Patches

The relevant commit is pushed to master and will be included in the 0.5.1 release.

No special handling of the issue has been done due to the small amount of affected users.

Workarounds

None.

References

  • Original report: https://github.com/foxcpp/maddy/issues/395
  • Fix: https://github.com/foxcpp/maddy/commit/07c8495ee4394fabbf5aac4df8aebeafb2fb29d8
References

Affected packages

Go / github.com/foxcpp/maddy

Package

Name
github.com/foxcpp/maddy
View open source insights on deps.dev
Purl
pkg:golang/github.com/foxcpp/maddy

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
0.5.1