Bug 1196952 (CVE-2022-24741)

Summary: VUL-1: CVE-2022-24741: nextcloud: High memory usage for generating preview of broken image
Product: [openSUSE] openSUSE Distribution Reporter: Thomas Leroy <thomas.leroy>
Component: SecurityAssignee: Eric Schirra <ecsos>
Status: RESOLVED FIXED QA Contact: Security Team bot <security-team>
Severity: Normal    
Priority: P4 - Low    
Version: Leap 15.4   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/325660/
Whiteboard:
Found By: Security Response Team Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description Thomas Leroy 2022-03-10 08:25:20 UTC
CVE-2022-24741

Nextcloud server is an open source, self hosted cloud style services platform.
In affected versions an attacker can cause a denial of service by uploading
specially crafted files which will cause the server to allocate too much memory
/ CPU. It is recommended that the Nextcloud Server is upgraded to 21.0.8 ,
22.2.4 or 23.0.1. Users unable to upgrade should disable preview generation with
the `'enable_previews'` config flag.

Upstream fix:
https://github.com/nextcloud/server/pull/30291/commits/d3d65e5c889fc3922efc7a8c764027763bc4764f

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-24741
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24741
https://github.com/nextcloud/server/pull/30291
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-jf3h-xf4q-mh89
http://www.cvedetails.com/cve/CVE-2022-24741/
https://hackerone.com/reports/1261225
Comment 1 Thomas Leroy 2022-03-10 08:30:58 UTC
Affected:
- openSUSE:Backports:SLE-15-SP3          v20.0.7
- openSUSE:Backports:SLE-15-SP3:Update   v20.0.14
- openSUSE:Backports:SLE-15-SP4          v23.0.0
Comment 2 Eric Schirra 2022-03-10 14:01:17 UTC
Can't do an mr!

osc mr -m "Security update see boo#1196905, boo#1196908 and boo#1196952"

rise up following error:

Using target project 'openSUSE:Maintenance'
Server returned an error: HTTP Error 400: Bad Request
Maintenance incident request contains release target project openSUSE:Backports:SLE-15-SP4 with invalid project kind "standard" (should be "maintenance_release") for package nextcloud.openSUSE_Backports_SLE-15-SP4

I have generate first the dirs with following command, wich i use for several mr in the past:

osc mbranch nextcloud
Comment 3 OBSbugzilla Bot 2022-03-18 13:30:11 UTC
This is an autogenerated message for OBS integration:
This bug (1196952) was mentioned in
https://build.opensuse.org/request/show/962687 Backports:SLE-12 / nextcloud
https://build.opensuse.org/request/show/962688 Backports:SLE-15-SP3 / nextcloud
https://build.opensuse.org/request/show/962689 Backports:SLE-15-SP4 / nextcloud
Comment 4 Swamp Workflow Management 2022-03-23 20:16:28 UTC
openSUSE-SU-2022:0089-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 1196905,1196908,1196952
CVE References: CVE-2021-41239,CVE-2021-41241,CVE-2021-41741
JIRA References: 
Sources used:
SUSE Package Hub for SUSE Linux Enterprise 12 (src):    nextcloud-21.0.9-37.1
Comment 5 Swamp Workflow Management 2022-03-31 13:17:37 UTC
openSUSE-SU-2022:0098-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 1196905,1196908,1196952
CVE References: CVE-2021-41239,CVE-2021-41241,CVE-2021-41741
JIRA References: 
Sources used:
openSUSE Backports SLE-15-SP3 (src):    nextcloud-21.0.9-bp153.2.12.1
Comment 6 Eric Schirra 2022-04-08 11:41:37 UTC
Leap 15.4 has version 23.0.2