Re: CVE request: several SOGo issues (DOS, XSS, information leakage)

[cve-assign () mitre org]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

> SOGo #3510:  DOS attack through uploading malicious attachments
> Fix:         http://github.com/inverse-inc/sogo/commit/32bb1456e23a32c7f45079c3985bf732dd0d276d
> Issue:       https://sogo.nu/bugs/view.php?id=3510

> > 1. Create a large file, for example `dd if=/dev/zero of=/tmp/1GB bs=1M count=1000`
> > 2. Open new mail in SOGo, try to attach large file
> > 3. If attachment fails, some memory gets freed, but not all of it
> > 4. Repeat 1-3 until server crashes
 
> The issues was resolved by limiting the upload size ...
>
> Further investigation showed that not memcached was the issue but
> temporary files kept around

Use CVE-2016-6188.


> SOGo #3695:  Private information leakage through ics/XML feeds when restricted to "View the Date & Time" 
> Fix SOGo v2: https://github.com/inverse-inc/sogo/commit/717f45f640a2866b76a8984139391fae64339225
> Fix SOGo v3: https://github.com/inverse-inc/sogo/commit/875a4aca3218340fd4d3141950c82c2ff45b343d
> Issue:       https://sogo.nu/bugs/view.php?id=3695

> 1. Not all private information removed for the public free/busy view

> > I was able to observe following fields containing critical information:
> >
> > - ORGANIZER (who invited the calendar owner?)
> > - X-ALT-DESC (Outlook-specific extended copy of the description?) 

Use CVE-2016-6189.


> SOGo #3696:  Meta information can be derived from UID/DTSTAMP attributes though
> "View the Date & Time" restricted access Backend Calendar
> Fix SOGo v2: https://github.com/inverse-inc/sogo/commit/717f45f640a2866b76a8984139391fae64339225
> Fix SOGo v3: https://github.com/inverse-inc/sogo/commit/875a4aca3218340fd4d3141950c82c2ff45b343d
> Issue:       https://sogo.nu/bugs/view.php?id=3696

> 2. It was possible to join appointments based on the UID of the
>    public free/busy view from different users, to know who has
>    appointments with whom

> > one can derive common appointments between other people

Use CVE-2016-6190.


> SOGo #3718:  Persistent Cross-Site Scripting in calendar
> Issue:       https://sogo.nu/bugs/view.php?id=3718
> Fix:         http://github.com/inverse-inc/sogo/commit/64ce3c9c22fd9a28caabf11e76216cd53d0245aa

> > When creating a calendar entry containing script code

Use CVE-2016-6191.


> SOGo #2598:  Script injection in calendar title
> Fixes:       - https://github.com/inverse-inc/sogo/commit/1a7fc2a0e90a19dfb1fce292ae5ff53aa513ade9
>              - https://github.com/inverse-inc/sogo/commit/80a09407652ec04e8c9fb6cb48e1029e69a15765
>              - https://github.com/inverse-inc/sogo/commit/3a5e44e7eb8b390b67a8f8a83030b49606956501
>              - https://github.com/inverse-inc/sogo/commit/c94595ea7f0f843c2d7abf25df039b2bbe707625
> Issue:       https://sogo.nu/bugs/view.php?id=2598
>
> The (now public) issue log says I realized the issue also exists with contacts

> > Add injection code, for example in the "Display" name field

Use CVE-2014-9905 for the XSS issues in both the calendar title and
the contacts module.


We cannot yet send a CVE ID here for the non-public issue #3670.

- -- 
CVE Assignment Team
M/S M300, 202 Burlington Road, Bedford, MA 01730 USA
[ A PGP key is available for encrypted communications at
  http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCAAGBQJXgRd2AAoJEHb/MwWLVhi2A5wP/j6sHW/jtA04EIw4E0KiQRFt
wI9QOZ1BdyptWssGcq0r5FV8p1sdVsjiFn607Dj8uVXjf1Txpai7/Z7Dpl3Ssejh
LXdABo+TDnCM49n0CKyQUzSF+HfaUoU2HRar+48pB1KqYx+hahE4TVZ+14L9etvg
UMJzkeu/cEzS8vh6G9VFp0vEOAhWuhcfKqBVrMjU2hFSCHLJVrvduO05uvMlJ0fJ
B5nLcAR6OCiFcqZ+ttHtxOCSZD96bpogBAkxCMsl7rz6iZpwqMdhJrh+8wf5cIfn
T2v+5fPRiM0/rm0NCjI8bWd87pI7ZWr+FNbuqwkPeGwHtYpwrMryfMaiMmqdSf+V
rxaKOsYwh5vr6IddVBQAQF+OmVBj71wfsydl71HvZdp4vLCZcr8EgpaQPFjltC//
2EEsQ7dsfJIGY9GfarYPVuwLN2psqiUkf1x1KvEPzcSFJn+w0LLx2qxeGwFc3X0m
11MYp+v0C1LVmYwaf+vNrnMf537sN+K8s6pN80Hf+t7lB3hEmilyeaPoXWxOyF8s
t3hAJ6isrhTZ10xqX6nFz1I69piNp4IEJQ7SgbXJoI8BJEDucYC99G/VBaB2j3WA
JdXI5I1fZZ/rTPT3EcBrM8psMWJmOGNUBnZmJfFpalIfkrD9OqKkvtovNm+EF/we
XHadO9HsP5kU7/eTgBEf
=Uq/q
-----END PGP SIGNATURE-----