Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <aGjzK1UFoeXtepdL@eldamar.lan>
Date: Sat, 5 Jul 2025 11:40:59 +0200
From: Salvatore Bonaccorso <carnil@...ian.org>
To: oss-security@...ts.openwall.com
Subject: Re: DoS segfault (NULL pointer deref) in SOPE / SOGo

Hi,

On Wed, Jul 02, 2025 at 07:01:52PM +0200, Stefan Bühler wrote:
> Hello,
> 
> I found a DoS bug in SOPE, the set of Objective-C frameworks powering
> SOGo [1].
> 
> It is way too easy to trigger with curl:
> 
>     curl -d 'x=' 'https://.../SOGo/?x='
> 
> As far as I can tell all versions since SOGo-2.0.2 (2012-10-29) are
> affected.
> 
> # Details
> 
> I found it inspecting multiple SOGo crashes triggered by someone
> hitting URLs like `/OA_HTML/BneViewerXMLService?bne:uueupload=TRUE`
> with `POST` that my search engine associates with "Oracle E-Business
> Suite (EBS)".
> 
> The crash happens in NGHashMap.m line 790 [2], as root->last is NULL:
> 
>     root->last->next = element;
> 
> NGHashMap maps a key to a single-linked list of values.
> 
> It turns out `-[NGMutableHashMap addObjects:count:forKey:]` is the
> only function maintaining the `root->last` pointer; everything else in
> this file doesn't touch it.
> 
> The SOPE request handling first parses the POST body for
> "formParameters", then clones that NGHashMap (the copied nodes have
> `last == NULL`), and then merges the query string parameters into it;
> if there is a duplicate key the bug triggers.
> 
> I'd like to point out that the linked-list implementation is quite
> bad.  It wastes memory by using the same struct for the root node
> (with count and last metadata) and the member nodes, and seems to
> throw exceptions (e.g. when values are nil) but isn't exception
> safe (metadata isn't updated consistently).
> 
> See attached patch for an attempt to maintain the `last` pointer
> properly across all methods; it seems to work for me (on top of
> 5.8.0-1 in debian/bookworm); submitted to upstream in [4].
> 
> In the long run at least the linked-list implementation should
> probably be replaced by using some properly tested library.
> 
> The `last` handling was introduced in dfceefc 2012-10-15 [3], and I
> think it has been broken since then.
> 
> (I haven't actually tried to reproduce it with latest upstream, but I
> don't think any of the code has been touched in relevant ways.)

FTR, CVE-2025-53603 has been assigned for this issue.

Regards,
Salvatore

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.