GMS-2021-91: S3 storage write is not aborted on errors leading to unbounded memory usage

October 6, 2021

Impact

Anyone using storage.blob.s3 (introduced in 0.5.0) together with storage.imapsql is affected, as in this configuration:

storage.imapsql local_mailboxes {
  ...
  msg_store s3 {
    ...
  }
}

Patches

The relevant commit is pushed to master and will be included in the 0.5.1 release.

No special handling of the issue has been done due to the small number of affected users.

Workarounds

None.

References

  • Original report: https://github.com/foxcpp/maddy/issues/395
  • Fix: https://github.com/foxcpp/maddy/commit/07c8495ee4394fabbf5aac4df8aebeafb2fb29d8
  • github.com/advisories/GHSA-m6m5-pp4g-fcc8
  • github.com/foxcpp/maddy/security/advisories/GHSA-m6m5-pp4g-fcc8

Affected versions

All versions before 0.5.1

Fixed versions

  • 0.5.1

Solution

Upgrade to version 0.5.1 or above.

Source file

go/github.com/foxcpp/maddy/GMS-2021-91.yml

Page generated Wed, 14 May 2025 12:15:20 +0000.