| Summary: | <net-mail/isync-1.4.4: multiple vulnerabilities (CVE-2021-44143) | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | John Helmert III <ajak> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | normal | CC: | gyakovlev |
| Priority: | Normal | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=999804 | | |
| Whiteboard: | B2 [glsa+] | | |
| Package list: | | Runtime testing required: | --- |
| Bug Depends on: | 828470 | | |
| Bug Blocks: | | | |
Description

John Helmert III
2021-11-23 15:08:52 UTC

CVE-2021-3657 (https://www.openwall.com/lists/oss-security/2021/12/03/1):

"A flaw was found in mbsync versions prior to 1.4.4. Due to inadequate handling of extremely large (>=2GiB) IMAP literals, malicious or compromised IMAP servers, and hypothetically even external email senders, could cause several different buffer overflows, which could conceivably be exploited for remote code execution."

CVE-2021-44143 (https://www.openwall.com/lists/oss-security/2021/12/03/2):

A flaw was found in mbsync versions 1.4.0 through 1.4.3. Due to an unchecked condition, a malicious or compromised IMAP server could use a crafted mail message that lacks headers (i.e., one that starts with an empty line) to provoke a heap overflow, which could conceivably be exploited for remote code execution.

Please bump to 1.4.4.

---

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=1396fdcf8db5a47da2a6da801c0a746fbbdf7ddd

commit 1396fdcf8db5a47da2a6da801c0a746fbbdf7ddd
Author: Sam James <sam@gentoo.org>
AuthorDate: 2021-12-06 18:38:14 +0000
Commit: Sam James <sam@gentoo.org>
CommitDate: 2021-12-06 18:38:14 +0000

net-mail/isync: drop 1.4.2

Bug: https://bugs.gentoo.org/826902
Signed-off-by: Sam James <sam@gentoo.org>

net-mail/isync/Manifest | 1 -
net-mail/isync/isync-1.4.2.ebuild | 43 ---------------------------------------
2 files changed, 44 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=9f1c117aa91d3f249a5e2867a5edb500e2b6f705

commit 9f1c117aa91d3f249a5e2867a5edb500e2b6f705
Author: Sam James <sam@gentoo.org>
AuthorDate: 2021-12-06 18:38:03 +0000
Commit: Sam James <sam@gentoo.org>
CommitDate: 2021-12-06 18:38:03 +0000

net-mail/isync: add 1.4.4

Bug: https://bugs.gentoo.org/826902
Signed-off-by: Sam James <sam@gentoo.org>

net-mail/isync/Manifest | 1 +
net-mail/isync/isync-1.4.4.ebuild | 43 +++++++++++++++++++++++++++++++++++++++
2 files changed, 44 insertions(+)

---

From the first link: "matching attached patch. note that while a patch for v1.3.x is provided, no upstream release will be made any more."

Let's stable then.

---

Please clean up, thanks!

---

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=44b686dca757cc44b248a37f669b9622a7501dea

commit 44b686dca757cc44b248a37f669b9622a7501dea
Author: Andreas K. Hüttel <dilfridge@gentoo.org>
AuthorDate: 2022-02-28 23:16:49 +0000
Commit: Andreas K. Hüttel <dilfridge@gentoo.org>
CommitDate: 2022-02-28 23:17:10 +0000

net-mail/isync: Remove old

Bug: https://bugs.gentoo.org/826902
Package-Manager: Portage-3.0.30, Repoman-3.0.3
Signed-off-by: Andreas K. Hüttel <dilfridge@gentoo.org>

net-mail/isync/Manifest | 1 -
net-mail/isync/isync-1.3.6.ebuild | 42 ---------------------------------------
2 files changed, 43 deletions(-)

---

Request filed

---

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=d94e53c09885e53ce1daaa7089692d4054a2cb38

commit d94e53c09885e53ce1daaa7089692d4054a2cb38
Author: GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2022-08-10 22:30:18 +0000
Commit: John Helmert III <ajak@gentoo.org>
CommitDate: 2022-08-10 22:33:14 +0000

[ GLSA 202208-15 ] isync: Multiple Vulnerabilities

Bug: https://bugs.gentoo.org/771738
Bug: https://bugs.gentoo.org/794772
Bug: https://bugs.gentoo.org/826902
Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
Signed-off-by: John Helmert III <ajak@gentoo.org>

glsa-202208-15.xml | 47 +++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 47 insertions(+)

---

GLSA released, all done!