Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 771738 (CVE-2021-20247) - <net-mail/isync-1.3.5: Data disclosure (CVE-2021-20247)
Summary: <net-mail/isync-1.3.5: Data disclosure (CVE-2021-20247)
Status: RESOLVED FIXED
Alias: CVE-2021-20247
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor
Assignee: Gentoo Security
URL: https://www.openwall.com/lists/oss-se...
Whiteboard: B3 [glsa+]
Keywords:
Depends on:
Blocks:
 
Reported: 2021-02-20 16:22 UTC by Thomas Deutschmann (RETIRED)
Modified: 2022-08-10 22:37 UTC (History)
0 users

See Also:
Package list:
Runtime testing required: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Thomas Deutschmann (RETIRED) gentoo-dev 2021-02-20 16:22:14 UTC 
Incoming details.
Comment 1 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-02-22 17:29:18 UTC 
Please bump to 1.3.5/1.4.1.
Comment 2 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-02-22 17:29:28 UTC 
description:

mbsync didn't validate the mailbox names returned by IMAP LIST/LSUB, which would allow a malicious/compromised server to use specially crafted mailbox names containing '..' path components to access data outside the designated mailbox on the opposite end of the synchronization channel. gory details follow below.
the attack vector is rather narrow, but the effects can be disastrous.
the vulnerability has been there "forever", though it wasn't of much concern prior to 1.3 used with a specific configuration.

mitigation:

upgrade to the freshly released v1.3.5 or v1.4.1 available from https://sourceforge.net/projects/isync/files/isync/ , or apply one of the attached patches (patches for earlier versions can be produced easily, should anyone care).
Comment 3 Larry the Git Cow gentoo-dev 2021-02-28 20:58:28 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=4c54c21e1cba5803311071b99f48f2e1deeca516

commit 4c54c21e1cba5803311071b99f48f2e1deeca516
Author:     Andreas K. Hüttel <dilfridge@gentoo.org>
AuthorDate: 2021-02-28 20:57:37 +0000
Commit:     Andreas K. Hüttel <dilfridge@gentoo.org>
CommitDate: 2021-02-28 20:58:20 +0000

    net-mail/isync: Version bump 1.3.5
    
    Bug: https://bugs.gentoo.org/771738
    Package-Manager: Portage-3.0.13, Repoman-3.0.2
    Signed-off-by: Andreas K. Hüttel <dilfridge@gentoo.org>

 net-mail/isync/Manifest           |  1 +
 net-mail/isync/isync-1.3.5.ebuild | 45 +++++++++++++++++++++++++++++++++++++++
 2 files changed, 46 insertions(+)
Comment 4 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-03-11 06:58:33 UTC 
ping
Comment 5 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-03-25 21:30:54 UTC 
amd64 done
Comment 6 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-03-25 21:33:11 UTC 
x86 done

all arches done
Comment 7 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-03-25 22:04:22 UTC 
Please cleanup.
Comment 8 Larry the Git Cow gentoo-dev 2021-07-24 06:03:26 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a5497aa5dad80f20e47bf79d97c9503c6ef303e9

commit a5497aa5dad80f20e47bf79d97c9503c6ef303e9
Author:     Georgy Yakovlev <gyakovlev@gentoo.org>
AuthorDate: 2021-07-24 06:02:45 +0000
Commit:     Georgy Yakovlev <gyakovlev@gentoo.org>
CommitDate: 2021-07-24 06:03:14 +0000

    net-mail/isync: drop 1.3.1, 1.3.3, 1.3.5
    
    Bug: https://bugs.gentoo.org/771738
    Signed-off-by: Georgy Yakovlev <gyakovlev@gentoo.org>

 net-mail/isync/Manifest           |  3 ---
 net-mail/isync/isync-1.3.1.ebuild | 41 --------------------------------------
 net-mail/isync/isync-1.3.3.ebuild | 42 ---------------------------------------
 net-mail/isync/isync-1.3.5.ebuild | 42 ---------------------------------------
 4 files changed, 128 deletions(-)
Comment 9 Andreas K. Hüttel archtester gentoo-dev 2021-07-25 21:23:14 UTC 
Cleanup done
Comment 10 NATTkA bot gentoo-dev 2021-07-29 17:23:57 UTC Comment hidden (obsolete)
Comment 11 NATTkA bot gentoo-dev 2021-07-29 17:32:23 UTC Comment hidden (obsolete)
Comment 12 NATTkA bot gentoo-dev 2021-07-29 17:40:16 UTC Comment hidden (obsolete)
Comment 13 NATTkA bot gentoo-dev 2021-07-29 17:48:26 UTC Comment hidden (obsolete)
Comment 14 NATTkA bot gentoo-dev 2021-07-29 18:04:23 UTC Comment hidden (obsolete)
Comment 15 NATTkA bot gentoo-dev 2021-07-29 18:12:40 UTC 
Package list is empty or all packages have requested keywords.
Comment 16 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-08-10 15:50:00 UTC 
Request filed
Comment 17 Larry the Git Cow gentoo-dev 2022-08-10 22:33:51 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=d94e53c09885e53ce1daaa7089692d4054a2cb38

commit d94e53c09885e53ce1daaa7089692d4054a2cb38
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2022-08-10 22:30:18 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2022-08-10 22:33:14 +0000

    [ GLSA 202208-15 ] isync: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/771738
    Bug: https://bugs.gentoo.org/794772
    Bug: https://bugs.gentoo.org/826902
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 glsa-202208-15.xml | 47 +++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 47 insertions(+)
Comment 18 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-08-10 22:37:11 UTC 
GLSA released, all done!