
Bug 794772 (CVE-2021-3578)

Summary: <net-mail/isync-{1.3.6, 1.4.2}: possible remote code execution (CVE-2021-3578)
Product: Gentoo Security
Reporter: Kenton Groombridge <concord>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: major
CC: gyakovlev, sam
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
URL: https://www.openwall.com/lists/oss-security/2021/06/07/1
Whiteboard: B2 [glsa+]
Package list:
net-mail/isync-1.3.6
Runtime testing required: ---

Description Kenton Groombridge gentoo-dev 2021-06-07 15:09:36 UTC
Subject: CVE-2021-3578: possible remote code execution in isync/mbsync

description:

A flaw was found in mbsync before v1.3.6 and v1.4.2, where an unchecked
pointer cast allows a malicious or compromised server to write an
arbitrary integer value past the end of a heap-allocated structure by
issuing an unexpected APPENDUID response. This could be plausibly
exploited for remote code execution on the client.

mitigation:

upgrade to the freshly released v1.3.6 or v1.4.2 available from 
https://sourceforge.net/projects/isync/files/isync/ , or apply the 
matching attached patch.

Reproducible: Always
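
Added example (not part of the bug report and not isync's code): a simplified C model of the bug class the description names, an unchecked pointer cast in an APPENDUID response handler, next to a checked form. All struct, enum and function names are hypothetical, and the response string is constructed.

```c
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical model: every in-flight command starts with this header. */
enum cmd_kind { CMD_SELECT, CMD_APPEND };
struct cmd { enum cmd_kind kind; };

/* Only APPEND commands are allocated with room for the returned UID. */
struct cmd_append { struct cmd base; unsigned uid; };

/* Parse "APPENDUID <uidvalidity> <uid>" from a server response code. */
static int parse_appenduid(const char *resp, unsigned *uid) {
    unsigned validity;
    return sscanf(resp, "APPENDUID %u %u", &validity, uid) == 2 ? 0 : -1;
}

/* BEFORE: trusts the server that the pending command is an APPEND. If it is
 * a plain struct cmd, the store lands past the end of that heap object. */
int on_appenduid_unchecked(struct cmd *pending, const char *resp) {
    unsigned uid;
    if (parse_appenduid(resp, &uid) < 0) return -1;
    ((struct cmd_append *)pending)->uid = uid;   /* unchecked downcast */
    return 0;
}

/* AFTER: downcast only when the command's own tag says it is an APPEND. */
int on_appenduid_checked(struct cmd *pending, const char *resp) {
    unsigned uid;
    if (parse_appenduid(resp, &uid) < 0) return -1;
    if (pending->kind != CMD_APPEND) return -1;  /* unexpected response */
    ((struct cmd_append *)pending)->uid = uid;
    return 0;
}

/* Constructed scenario: the server answers a SELECT with an APPENDUID code. */
int demo_rejects_unexpected(void) {
    struct cmd *sel = malloc(sizeof *sel);
    if (!sel) return -2;
    sel->kind = CMD_SELECT;
    int rc = on_appenduid_checked(sel, "APPENDUID 1 4242");
    free(sel);
    return rc;   /* response rejected, no store past the allocation */
}

int main(void) {
    printf("checked handler on SELECT: %d\n", demo_rejects_unexpected());
    return 0;
}
```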
Comment 1 Larry the Git Cow gentoo-dev 2021-06-07 16:04:58 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f35a7a7604140062a2edba6efd2c94ab54866120

commit f35a7a7604140062a2edba6efd2c94ab54866120
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2021-06-07 06:56:32 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2021-06-07 07:13:56 +0000

    net-mail/isync: add 1.4.2
    
    Bug: https://bugs.gentoo.org/794772
    Signed-off-by: Sam James <sam@gentoo.org>

 net-mail/isync/Manifest           |  1 +
 net-mail/isync/isync-1.4.2.ebuild | 43 +++++++++++++++++++++++++++++++++++++++
 2 files changed, 44 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=953ae581d25b29bc8fbf8f7c8c1139f67a74ceef

commit 953ae581d25b29bc8fbf8f7c8c1139f67a74ceef
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2021-06-07 06:56:05 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2021-06-07 07:13:55 +0000

    net-mail/isync: add 1.3.6
    
    Bug: https://bugs.gentoo.org/794772
    Signed-off-by: Sam James <sam@gentoo.org>

 net-mail/isync/Manifest           |  1 +
 net-mail/isync/isync-1.3.6.ebuild | 42 +++++++++++++++++++++++++++++++++++++++
 2 files changed, 43 insertions(+)
Comment 2 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-06-07 23:09:11 UTC
x86 done
Comment 3 Agostino Sarubbo gentoo-dev 2021-06-08 06:58:43 UTC
amd64 stable.

Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.
Comment 4 Larry the Git Cow gentoo-dev 2021-07-24 06:19:40 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=cb486917023ba6db5019f39b73db1bc9c5a2f67d

commit cb486917023ba6db5019f39b73db1bc9c5a2f67d
Author:     Georgy Yakovlev <gyakovlev@gentoo.org>
AuthorDate: 2021-07-24 06:19:24 +0000
Commit:     Georgy Yakovlev <gyakovlev@gentoo.org>
CommitDate: 2021-07-24 06:19:24 +0000

    net-mail/isync: drop 1.4.1
    
    Bug: https://bugs.gentoo.org/794772
    Signed-off-by: Georgy Yakovlev <gyakovlev@gentoo.org>

 net-mail/isync/Manifest           |  1 -
 net-mail/isync/isync-1.4.1.ebuild | 43 ---------------------------------------
 2 files changed, 44 deletions(-)
Comment 5 Andreas K. Hüttel archtester gentoo-dev 2021-07-25 21:22:44 UTC
Nothing to do here anymore
Comment 6 NATTkA bot gentoo-dev 2021-12-08 09:20:44 UTC
Keywords are not fully specified and arches are not CC-ed for the following packages:

- =net-mail/isync-1.3.6
Comment 7 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-08-10 15:49:52 UTC
Request filed
Comment 8 Larry the Git Cow gentoo-dev 2022-08-10 22:33:45 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=d94e53c09885e53ce1daaa7089692d4054a2cb38

commit d94e53c09885e53ce1daaa7089692d4054a2cb38
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2022-08-10 22:30:18 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2022-08-10 22:33:14 +0000

    [ GLSA 202208-15 ] isync: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/771738
    Bug: https://bugs.gentoo.org/794772
    Bug: https://bugs.gentoo.org/826902
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 glsa-202208-15.xml | 47 +++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 47 insertions(+)
Comment 9 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-08-10 22:37:20 UTC
GLSA released, all done!