Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 826902 (CVE-2021-3657, CVE-2021-44143) - <net-mail/isync-1.4.4: multiple vulnerabilities (CVE-2021-44143)
Summary: <net-mail/isync-1.4.4: multiple vulnerabilities (CVE-2021-44143)
Status: RESOLVED FIXED
Alias: CVE-2021-3657, CVE-2021-44143
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL: https://bugs.debian.org/cgi-bin/bugre...
Whiteboard: B2 [glsa+]
Keywords:
Depends on: 828470
Blocks:
  Show dependency tree
 
Reported: 2021-11-23 15:08 UTC by John Helmert III
Modified: 2022-08-10 22:37 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-11-23 15:08:52 UTC
CVE-2021-44143:

A flaw was found in mbsync in isync 1.4.0 through 1.4.3. Due to an unchecked condition, a malicious or compromised IMAP server could use a crafted mail message that lacks headers (i.e., one that starts with an empty line) to provoke a heap overflow, which could conceivably be exploited for remote code execution.

Only useful reference is the Debian bug, not sure if we're affected or
if there's a fixed version. MITRE's references to isync tags and
commits don't seem to lead to a fix.
Comment 1 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-12-03 13:03:53 UTC
CVE-2021-3657 (https://www.openwall.com/lists/oss-security/2021/12/03/1)

"A flaw was found in mbsync versions prior to 1.4.4. Due to inadequate
handling of extremely large (>=2GiB) IMAP literals, malicious or
compromised IMAP servers, and hypothetically even external email
senders, could cause several different buffer overflows, which could
conceivably be exploited for remote code execution."

CVE-2021-44143 (https://www.openwall.com/lists/oss-security/2021/12/03/2):

A flaw was found in mbsync versions 1.4.0 through 1.4.3. Due to an
unchecked condition, a malicious or compromised IMAP server could use
a crafted mail message that lacks headers (i.e., one that
starts with an empty line) to provoke a heap overflow, which could
conceivably be exploited for remote code execution.

Please bump to 1.4.4.
Comment 2 Larry the Git Cow gentoo-dev 2021-12-06 18:38:24 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=1396fdcf8db5a47da2a6da801c0a746fbbdf7ddd

commit 1396fdcf8db5a47da2a6da801c0a746fbbdf7ddd
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2021-12-06 18:38:14 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2021-12-06 18:38:14 +0000

    net-mail/isync: drop 1.4.2
    
    Bug: https://bugs.gentoo.org/826902
    Signed-off-by: Sam James <sam@gentoo.org>

 net-mail/isync/Manifest           |  1 -
 net-mail/isync/isync-1.4.2.ebuild | 43 ---------------------------------------
 2 files changed, 44 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=9f1c117aa91d3f249a5e2867a5edb500e2b6f705

commit 9f1c117aa91d3f249a5e2867a5edb500e2b6f705
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2021-12-06 18:38:03 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2021-12-06 18:38:03 +0000

    net-mail/isync: add 1.4.4
    
    Bug: https://bugs.gentoo.org/826902
    Signed-off-by: Sam James <sam@gentoo.org>

 net-mail/isync/Manifest           |  1 +
 net-mail/isync/isync-1.4.4.ebuild | 43 +++++++++++++++++++++++++++++++++++++++
 2 files changed, 44 insertions(+)
Comment 3 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-12-06 18:39:20 UTC
From the first link:
"matching attached patch. note that while a patch for v1.3.x is provided, 
no upstream release will be made any more."

Let's stable then.
Comment 4 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-12-08 06:18:29 UTC
Please cleanup, thanks!
Comment 5 Larry the Git Cow gentoo-dev 2022-02-28 23:17:22 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=44b686dca757cc44b248a37f669b9622a7501dea

commit 44b686dca757cc44b248a37f669b9622a7501dea
Author:     Andreas K. Hüttel <dilfridge@gentoo.org>
AuthorDate: 2022-02-28 23:16:49 +0000
Commit:     Andreas K. Hüttel <dilfridge@gentoo.org>
CommitDate: 2022-02-28 23:17:10 +0000

    net-mail/isync: Remove old
    
    Bug: https://bugs.gentoo.org/826902
    Package-Manager: Portage-3.0.30, Repoman-3.0.3
    Signed-off-by: Andreas K. Hüttel <dilfridge@gentoo.org>

 net-mail/isync/Manifest           |  1 -
 net-mail/isync/isync-1.3.6.ebuild | 42 ---------------------------------------
 2 files changed, 43 deletions(-)
Comment 6 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-08-10 15:49:41 UTC
Request filed
Comment 7 Larry the Git Cow gentoo-dev 2022-08-10 22:33:38 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=d94e53c09885e53ce1daaa7089692d4054a2cb38

commit d94e53c09885e53ce1daaa7089692d4054a2cb38
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2022-08-10 22:30:18 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2022-08-10 22:33:14 +0000

    [ GLSA 202208-15 ] isync: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/771738
    Bug: https://bugs.gentoo.org/794772
    Bug: https://bugs.gentoo.org/826902
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 glsa-202208-15.xml | 47 +++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 47 insertions(+)
Comment 8 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-08-10 22:37:28 UTC
GLSA released, all done!