CVE-2021-44143: A flaw was found in mbsync in isync 1.4.0 through 1.4.3. Due to an unchecked condition, a malicious or compromised IMAP server could use a crafted mail message that lacks headers (i.e., one that starts with an empty line) to provoke a heap overflow, which could conceivably be exploited for remote code execution. Only useful reference is the Debian bug, not sure if we're affected or if there's a fixed version. MITRE's references to isync tags and commits don't seem to lead to a fix.
CVE-2021-3657 (https://www.openwall.com/lists/oss-security/2021/12/03/1) "A flaw was found in mbsync versions prior to 1.4.4. Due to inadequate handling of extremely large (>=2GiB) IMAP literals, malicious or compromised IMAP servers, and hypothetically even external email senders, could cause several different buffer overflows, which could conceivably be exploited for remote code execution." CVE-2021-44143 (https://www.openwall.com/lists/oss-security/2021/12/03/2): A flaw was found in mbsync versions 1.4.0 through 1.4.3. Due to an unchecked condition, a malicious or compromised IMAP server could use a crafted mail message that lacks headers (i.e., one that starts with an empty line) to provoke a heap overflow, which could conceivably be exploited for remote code execution. Please bump to 1.4.4.
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=1396fdcf8db5a47da2a6da801c0a746fbbdf7ddd commit 1396fdcf8db5a47da2a6da801c0a746fbbdf7ddd Author: Sam James <sam@gentoo.org> AuthorDate: 2021-12-06 18:38:14 +0000 Commit: Sam James <sam@gentoo.org> CommitDate: 2021-12-06 18:38:14 +0000 net-mail/isync: drop 1.4.2 Bug: https://bugs.gentoo.org/826902 Signed-off-by: Sam James <sam@gentoo.org> net-mail/isync/Manifest | 1 - net-mail/isync/isync-1.4.2.ebuild | 43 --------------------------------------- 2 files changed, 44 deletions(-) https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=9f1c117aa91d3f249a5e2867a5edb500e2b6f705 commit 9f1c117aa91d3f249a5e2867a5edb500e2b6f705 Author: Sam James <sam@gentoo.org> AuthorDate: 2021-12-06 18:38:03 +0000 Commit: Sam James <sam@gentoo.org> CommitDate: 2021-12-06 18:38:03 +0000 net-mail/isync: add 1.4.4 Bug: https://bugs.gentoo.org/826902 Signed-off-by: Sam James <sam@gentoo.org> net-mail/isync/Manifest | 1 + net-mail/isync/isync-1.4.4.ebuild | 43 +++++++++++++++++++++++++++++++++++++++ 2 files changed, 44 insertions(+)
From the first link: "matching attached patch. note that while a patch for v1.3.x is provided, no upstream release will be made any more." Let's stable then.
Please cleanup, thanks!
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=44b686dca757cc44b248a37f669b9622a7501dea commit 44b686dca757cc44b248a37f669b9622a7501dea Author: Andreas K. Hüttel <dilfridge@gentoo.org> AuthorDate: 2022-02-28 23:16:49 +0000 Commit: Andreas K. Hüttel <dilfridge@gentoo.org> CommitDate: 2022-02-28 23:17:10 +0000 net-mail/isync: Remove old Bug: https://bugs.gentoo.org/826902 Package-Manager: Portage-3.0.30, Repoman-3.0.3 Signed-off-by: Andreas K. Hüttel <dilfridge@gentoo.org> net-mail/isync/Manifest | 1 - net-mail/isync/isync-1.3.6.ebuild | 42 --------------------------------------- 2 files changed, 43 deletions(-)
Request filed
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/data/glsa.git/commit/?id=d94e53c09885e53ce1daaa7089692d4054a2cb38 commit d94e53c09885e53ce1daaa7089692d4054a2cb38 Author: GLSAMaker <glsamaker@gentoo.org> AuthorDate: 2022-08-10 22:30:18 +0000 Commit: John Helmert III <ajak@gentoo.org> CommitDate: 2022-08-10 22:33:14 +0000 [ GLSA 202208-15 ] isync: Multiple Vulnerabilities Bug: https://bugs.gentoo.org/771738 Bug: https://bugs.gentoo.org/794772 Bug: https://bugs.gentoo.org/826902 Signed-off-by: GLSAMaker <glsamaker@gentoo.org> Signed-off-by: John Helmert III <ajak@gentoo.org> glsa-202208-15.xml | 47 +++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 47 insertions(+)
GLSA released, all done!
