Bug 755551 (CVE-2011-4320)

Summary: CVE-2011-4320 ejabberd (mod_pubsub): DoS (infinite loop, excessive CPU consumption) by processing malformed <publish> stanza
Product: [Other] Security Response
Reporter: Jan Lieskovsky <jlieskov>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
CC: jkaluza, lemenkov, martin
Keywords: Security
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2021-10-19 21:50:56 UTC
Bug Depends On: 755556, 755557, 755558

Description Jan Lieskovsky 2011-11-21 13:19:58 UTC
A denial of service flaw was found in the way the PubSub extension of ejabberd, a distributed, fault-tolerant Jabber/XMPP server, processed certain malformed <publish/> stanzas. A remote attacker (an authenticated Jabber user) could send a specially-crafted request to the Jabber server, causing the ejabberd daemon to enter an infinite loop and consume an excessive amount of CPU while processing the stanza.

References:
[1] http://www.ejabberd.im/ejabberd-2.1.9

Upstream bug report:
[2] https://support.process-one.net/browse/EJAB-1498

Relevant upstream commits:
[3] https://git.process-one.net/ejabberd/mainline/commit/d3c4eab46f3cd54f7686cfed740d9c130b6801cf
    (original fix to correct the EJAB-1498 issue),
[4] https://git.process-one.net/ejabberd/mainline/commit/fa08db7091f5ba904f337e30ec7c9a46857eb36d
    (correction of broken PEP upon [3] commit)

Comment 1 Jan Lieskovsky 2011-11-21 13:23:01 UTC
This issue affects the versions of the ejabberd package as shipped with the Fedora EPEL 5 and EPEL 6 releases. Please schedule an update.

--

This issue affects the versions of the ejabberd package as shipped with Fedora releases 14, 15, and 16. Please schedule an update.

Comment 2 Jan Lieskovsky 2011-11-21 13:26:23 UTC
Created ejabberd tracking bugs for this issue

Affects: epel-5 [bug 755556]
Affects: epel-6 [bug 755557]
Affects: fedora-all [bug 755558]

Comment 3 Jan Lieskovsky 2011-11-21 13:32:20 UTC
CVE assignment:
[5] http://www.openwall.com/lists/oss-security/2011/11/19/2

Comment 4 Peter Lemenkov 2011-11-22 07:53:11 UTC
Sorry for the hiatus, folks.

I'm working on packaging 2.1.9 right now. The only issue I need to resolve is that ejabberd in Fedora is shipped with a custom module for GSSAPI support - I'm working on rebasing it on top of the 2.1.9 tag (I plan to finish it in a couple of hours).

Also I plan to tightly integrate it with systemd, so expect update tomorrow morning (~ 08.00 UTC).

Comment 5 Peter Lemenkov 2011-11-22 13:08:01 UTC
Ok, I added first two builds for F-15 and F-16 (no builds for F-14 - sorry for that). Will add EL-[56] builds later.

Comment 6 Peter Lemenkov 2012-05-06 13:27:23 UTC
This was fixed a long time ago. Can we just close this now?