Bug ID 1186939
Summary VUL-1: CVE-2021-3578: isync: possible remote code execution in isync/mbsync
Classification openSUSE
Product openSUSE Distribution
Version Leap 15.2
Hardware Other
URL https://smash.suse.de/issue/301322/
OS Other
Status NEW
Severity Minor
Priority P5 - None
Component Other
Assignee sleep_walker@opensuse.org
Reporter gianluca.gabrielli@suse.com
QA Contact security-team@suse.de
Found By Security Response Team
Blocker ---

A flaw was found in mbsync before v1.3.6 and v1.4.2, where an unchecked
pointer cast allows a malicious or compromised server to write an
arbitrary integer value past the end of a heap-allocated structure by
issuing an unexpected APPENDUID response. This could be plausibly
exploited for remote code execution on the client.
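The class of defect described above, an unchecked downcast of a pending command when the server answers with an APPENDUID response code, is illustrated below with a hardened handler. This is an added example, not isync/mbsync's own code or the attached patch; the struct and function names (imap_cmd, imap_cmd_append, handle_appenduid) and the sample response line are constructed for illustration. The point is that the cast to the larger APPEND-specific structure happens only after the command kind has been verified, so a response that does not match the command type is rejected instead of producing a store past the end of a smaller heap object.

```c
/* Added illustrative example (hypothetical names, not isync's code): a
 * tagged-response handler that casts a pending command to its APPEND-specific
 * type only after checking the command kind, so a server-chosen APPENDUID
 * code cannot cause a write past a smaller allocation. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum cmd_kind { CMD_GENERIC = 0, CMD_APPEND = 1 };

/* Base object allocated for every pending command. */
struct imap_cmd {
    enum cmd_kind kind;
    char tag[8];
};

/* Larger object allocated only for APPEND commands; out_uid is the field
 * that receives the UID carried by an APPENDUID response code. */
struct imap_cmd_append {
    struct imap_cmd gen;   /* first member, so a base pointer stays valid */
    unsigned int out_uid;
};

enum { APPENDUID_OK = 0, APPENDUID_NOT_APPEND = -1, APPENDUID_BAD_SYNTAX = -2 };

/* Parse "[APPENDUID <uidvalidity> <uid>]" out of a tagged OK response.
 * Returns 0 and stores the uid on success, -1 on malformed input. */
static int parse_appenduid(const char *resp, unsigned int *uid)
{
    const char *p = strstr(resp, "[APPENDUID ");
    if (!p) return -1;
    p += strlen("[APPENDUID ");
    char *end;
    errno = 0;
    unsigned long validity = strtoul(p, &end, 10);
    if (errno || end == p || *end != ' ') return -1;
    (void)validity;               /* not needed for this demonstration */
    p = end + 1;
    unsigned long u = strtoul(p, &end, 10);
    if (errno || end == p || *end != ']' || u > 0xFFFFFFFFul) return -1;
    *uid = (unsigned int)u;
    return 0;
}

/* Hardened handler: the downcast is gated on the command kind. */
int handle_appenduid(struct imap_cmd *cmd, const char *resp)
{
    unsigned int uid;
    if (parse_appenduid(resp, &uid) != 0)
        return APPENDUID_BAD_SYNTAX;
    /* The unsafe pattern casts unconditionally here; for a non-APPEND
     * command the allocation is only sizeof(struct imap_cmd), so the store
     * to out_uid would land past its end. */
    if (cmd->kind != CMD_APPEND)
        return APPENDUID_NOT_APPEND;
    struct imap_cmd_append *ac = (struct imap_cmd_append *)cmd;
    ac->out_uid = uid;
    return APPENDUID_OK;
}

/* Constructed scenario: one genuine APPEND and one plain command that the
 * server nevertheless answers with an APPENDUID code. Returns 0 when the
 * handler accepts the first and refuses the second. */
int demo(void)
{
    static const char resp[] = "A003 OK [APPENDUID 1621234567 42] APPEND completed";
    struct imap_cmd_append *ac = calloc(1, sizeof *ac);
    struct imap_cmd *plain = calloc(1, sizeof *plain);
    if (!ac || !plain) { free(ac); free(plain); return -1; }
    ac->gen.kind = CMD_APPEND;
    plain->kind = CMD_GENERIC;
    int r1 = handle_appenduid(&ac->gen, resp);  /* accepted, out_uid == 42 */
    int r2 = handle_appenduid(plain, resp);     /* refused, nothing written */
    int ok = (r1 == APPENDUID_OK && ac->out_uid == 42 && r2 == APPENDUID_NOT_APPEND);
    free(ac);
    free(plain);
    return ok ? 0 : 1;
}

int main(void)
{
    int rc = demo();
    printf("%s\n", rc == 0 ? "hardened handler behaves as expected" : "unexpected result");
    return rc;
}
```

Compile with any C99 compiler and run; the plain command is refused before any field of the larger structure is touched, which is the check the advisory says was missing. The same gating is what a reviewer would look for at every place a response code drives a downcast of a pending-command object.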

mitigation:

upgrade to the freshly released v1.3.6 or v1.4.2, available from
https://sourceforge.net/projects/isync/files/isync/ , or apply the
matching attached patch.


credit:

This problem was found by Lukas Braun using a fuzzer.


Current thread:

CVE-2021-3578: possible remote code execution in isync/mbsync, Oswald Buddenhagen (Jun 07)
References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-3578
http://seclists.org/oss-sec/2021/q2/185