Incoming details.
Please bump to 1.3.5/1.4.1.
Description: mbsync didn't validate the mailbox names returned by IMAP LIST/LSUB, which would allow a malicious/compromised server to use specially crafted mailbox names containing '..' path components to access data outside the designated mailbox on the opposite end of the synchronization channel. Gory details follow below. The attack vector is rather narrow, but the effects can be disastrous. The vulnerability has been there "forever", though it wasn't of much concern prior to 1.3 used with a specific configuration.

Mitigation: upgrade to the freshly released v1.3.5 or v1.4.1 available from https://sourceforge.net/projects/isync/files/isync/ , or apply one of the attached patches (patches for earlier versions can be produced easily, should anyone care).
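To make the missing check concrete from the defender's side, here is an added example of a component-wise mailbox-name validator. It is illustration code written for this bug entry, not isync's own code and not the attached patch; the function names, the treatment of '/' as an always-separator, and the sample LIST response are assumptions. The point it demonstrates is that the check must be done per path component (so "foo..bar" is an ordinary name while "foo/../bar" is rejected), and that leading, empty and trailing separators are rejected along with "." and "..".

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* mailbox_name_is_safe: hypothetical validator, not isync's own code.
 * Returns true only if a mailbox name received from the peer (for example
 * in an IMAP LIST/LSUB response) can be mapped onto a path under the local
 * mailbox root without escaping it.
 *
 * 'delim' is the hierarchy delimiter the server advertised. '/' is always
 * treated as a separator as well, because on the Maildir side the name
 * ends up as a filesystem path. The check is component-wise: "foo..bar"
 * is an ordinary name, "foo/../bar" is not. */
bool mailbox_name_is_safe(const char *name, char delim)
{
    if (name == NULL || name[0] == '\0')
        return false;                       /* empty name */
    if (name[0] == '/' || name[0] == delim)
        return false;                       /* absolute / rooted name */

    const char *p = name;
    for (;;) {
        const char *start = p;
        while (*p != '\0' && *p != '/' && *p != delim)
            p++;
        size_t len = (size_t)(p - start);

        if (len == 0)
            return false;                   /* empty component: "a//b" or trailing separator */
        if (len == 1 && start[0] == '.')
            return false;                   /* "." component */
        if (len == 2 && start[0] == '.' && start[1] == '.')
            return false;                   /* ".." component: escapes the mailbox root */

        if (*p == '\0')
            return true;
        p++;                                /* step over the separator and continue */
    }
}

/* count_rejected: run the validator over a LIST/LSUB result and return how
 * many names a sync client should refuse to act on. */
size_t count_rejected(const char *const *names, size_t n, char delim)
{
    size_t rejected = 0;
    for (size_t i = 0; i < n; i++)
        if (!mailbox_name_is_safe(names[i], delim))
            rejected++;
    return rejected;
}

int main(void)
{
    /* Constructed sample LIST response, not captured from a real server. */
    const char *const names[] = {
        "INBOX",
        "Archive/2020",
        "foo..bar",             /* harmless: ".." inside a component */
        "../outside",           /* escapes the mailbox root */
        "Sent/../../private",
        "/absolute",
        "Trash/",
    };
    size_t n = sizeof names / sizeof names[0];
    for (size_t i = 0; i < n; i++)
        printf("%-22s %s\n", names[i],
               mailbox_name_is_safe(names[i], '/') ? "ok" : "REJECT");
    printf("%zu of %zu names rejected\n", count_rejected(names, n, '/'), n);
    return 0;
}
```

A client applying such a check should skip or abort on a rejected name rather than silently "fixing" it, since a server that sends such names is already misbehaving; logging the rejected name gives the operator a detection signal.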
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=4c54c21e1cba5803311071b99f48f2e1deeca516

commit 4c54c21e1cba5803311071b99f48f2e1deeca516
Author: Andreas K. Hüttel <dilfridge@gentoo.org>
AuthorDate: 2021-02-28 20:57:37 +0000
Commit: Andreas K. Hüttel <dilfridge@gentoo.org>
CommitDate: 2021-02-28 20:58:20 +0000

net-mail/isync: Version bump 1.3.5

Bug: https://bugs.gentoo.org/771738
Package-Manager: Portage-3.0.13, Repoman-3.0.2
Signed-off-by: Andreas K. Hüttel <dilfridge@gentoo.org>

 net-mail/isync/Manifest           |  1 +
 net-mail/isync/isync-1.3.5.ebuild | 45 +++++++++++++++++++++++++++++++++++++++
 2 files changed, 46 insertions(+)
ping
amd64 done
x86 done

all arches done
Please cleanup.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a5497aa5dad80f20e47bf79d97c9503c6ef303e9

commit a5497aa5dad80f20e47bf79d97c9503c6ef303e9
Author: Georgy Yakovlev <gyakovlev@gentoo.org>
AuthorDate: 2021-07-24 06:02:45 +0000
Commit: Georgy Yakovlev <gyakovlev@gentoo.org>
CommitDate: 2021-07-24 06:03:14 +0000

net-mail/isync: drop 1.3.1, 1.3.3, 1.3.5

Bug: https://bugs.gentoo.org/771738
Signed-off-by: Georgy Yakovlev <gyakovlev@gentoo.org>

 net-mail/isync/Manifest           |  3 ---
 net-mail/isync/isync-1.3.1.ebuild | 41 --------------------------------------
 net-mail/isync/isync-1.3.3.ebuild | 42 ---------------------------------------
 net-mail/isync/isync-1.3.5.ebuild | 42 ---------------------------------------
 4 files changed, 128 deletions(-)
Cleanup done
Package list is empty or all packages have requested keywords.
Request filed
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=d94e53c09885e53ce1daaa7089692d4054a2cb38

commit d94e53c09885e53ce1daaa7089692d4054a2cb38
Author: GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2022-08-10 22:30:18 +0000
Commit: John Helmert III <ajak@gentoo.org>
CommitDate: 2022-08-10 22:33:14 +0000

[ GLSA 202208-15 ] isync: Multiple Vulnerabilities

Bug: https://bugs.gentoo.org/771738
Bug: https://bugs.gentoo.org/794772
Bug: https://bugs.gentoo.org/826902
Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
Signed-off-by: John Helmert III <ajak@gentoo.org>

 glsa-202208-15.xml | 47 +++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 47 insertions(+)
GLSA released, all done!