[Bug 1186939] New: VUL-1: CVE-2021-3578: isync: possible remote code execution in isync/mbsync
http://bugzilla.opensuse.org/show_bug.cgi?id=1186939

Bug ID: 1186939
Summary: VUL-1: CVE-2021-3578: isync: possible remote code execution in isync/mbsync
Classification: openSUSE
Product: openSUSE Distribution
Version: Leap 15.2
Hardware: Other
URL: https://smash.suse.de/issue/301322/
OS: Other
Status: NEW
Severity: Minor
Priority: P5 - None
Component: Other
Assignee: sleep_walker@opensuse.org
Reporter: gianluca.gabrielli@suse.com
QA Contact: security-team@suse.de
Found By: Security Response Team
Blocker: ---

A flaw was found in mbsync before v1.3.6 and v1.4.2, where an unchecked pointer cast allows a malicious or compromised server to write an arbitrary integer value past the end of a heap-allocated structure by issuing an unexpected APPENDUID response. This could be plausibly exploited for remote code execution on the client.

Mitigation: upgrade to the freshly released v1.3.6 or v1.4.2 available from https://sourceforge.net/projects/isync/files/isync/ , or apply the matching attached patch.

Credit: This problem was found by Lukas Braun using a fuzzer.

Current thread: CVE-2021-3578: possible remote code execution in isync/mbsync, Oswald Buddenhagen (Jun 07)

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-3578
http://seclists.org/oss-sec/2021/q2/185

--
You are receiving this mail because:
You are on the CC list for the bug.
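The advisory above describes the bug class only in one sentence: a response handler casts a pending-command record to a larger, command-specific structure without checking which command is actually in flight, so a server that sends APPENDUID at the wrong moment gets an integer written past the end of a smaller heap allocation. The following C program is an added illustration of that pattern, written for this page; it is a simplified model and not code from isync/mbsync, and every struct, function and field name in it (struct imap_cmd, struct imap_cmd_append, handle_tagged_ok and so on) is an assumption. The vulnerable handler is shown next to a hardened one that refuses an APPENDUID response code unless the command it is answering really was an APPEND.

```c
/* Added illustration of the defect class named in the advisory: an unchecked
 * downcast of a pending-command record driven by a server-controlled response
 * code. Simplified model written for this page, NOT isync/mbsync code; all
 * names below are assumptions. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Generic record kept for every command sent to the server. */
struct imap_cmd {
    int tag;          /* tag the server echoes in its tagged reply */
    char cmd[32];     /* e.g. "NOOP", "STORE", "APPEND" */
};

/* APPEND needs extra room for the UID the server assigns via APPENDUID. */
struct imap_cmd_append {
    struct imap_cmd gen;
    unsigned int out_uid;   /* filled from the APPENDUID response code */
};

/* Allocate a pending record sized for the command type (heap-allocated, as
 * in the advisory: a non-APPEND record has no out_uid field at all). */
struct imap_cmd *new_cmd(int tag, const char *name) {
    size_t sz = strcmp(name, "APPEND") == 0 ? sizeof(struct imap_cmd_append)
                                            : sizeof(struct imap_cmd);
    struct imap_cmd *c = calloc(1, sz);
    if (!c) abort();
    c->tag = tag;
    snprintf(c->cmd, sizeof c->cmd, "%s", name);
    return c;
}

/* Parse "[APPENDUID <uidvalidity> <uid>]" (RFC 4315 response code) out of a
 * tagged OK line. Returns 1 and stores the uid, or 0 if absent/malformed. */
static int parse_appenduid(const char *line, unsigned int *uid) {
    const char *p = strstr(line, "[APPENDUID ");
    unsigned int validity, u;
    if (!p) return 0;
    if (sscanf(p, "[APPENDUID %u %u]", &validity, &u) != 2) return 0;
    *uid = u;
    return 1;
}

/* VULNERABLE pattern: assumes APPENDUID can only answer an APPEND and casts
 * unconditionally. If the record in flight was allocated as a plain
 * struct imap_cmd, the store to out_uid lands past the end of the heap
 * allocation with a server-chosen value. Deliberately never executed here. */
void handle_tagged_ok_vulnerable(struct imap_cmd *c, const char *line) {
    unsigned int uid;
    if (parse_appenduid(line, &uid))
        ((struct imap_cmd_append *)c)->out_uid = uid;   /* unchecked cast */
}

/* HARDENED: check what the client actually sent before downcasting; an
 * APPENDUID answering anything else is a protocol violation and is refused.
 * Returns 1 if a uid was stored, 0 if the line carried no APPENDUID, -1 on
 * a protocol violation. */
int handle_tagged_ok(struct imap_cmd *c, const char *line, unsigned int *uid_out) {
    unsigned int uid;
    if (!parse_appenduid(line, &uid))
        return 0;
    if (strcmp(c->cmd, "APPEND") != 0)
        return -1;
    ((struct imap_cmd_append *)c)->out_uid = uid;
    if (uid_out) *uid_out = uid;
    return 1;
}

/* Scenario helpers over constructed server lines; each returns the result
 * so it can be checked without relying on printed output. */
int check_appenduid_for_append(void) {     /* expected: stored uid 42 */
    struct imap_cmd *a = new_cmd(2, "APPEND");
    int rc = handle_tagged_ok(a, "A2 OK [APPENDUID 1234567 42] APPEND completed", NULL);
    int uid = rc == 1 ? (int)((struct imap_cmd_append *)a)->out_uid : -1;
    free(a);
    return uid;
}
int check_appenduid_for_store(void) {      /* expected: -1, refused */
    struct imap_cmd *s = new_cmd(1, "STORE");
    int rc = handle_tagged_ok(s, "A1 OK [APPENDUID 1234567 42] STORE completed", NULL);
    free(s);
    return rc;
}
int check_plain_ok(void) {                 /* expected: 0, nothing to store */
    struct imap_cmd *s = new_cmd(1, "STORE");
    int rc = handle_tagged_ok(s, "A1 OK STORE completed", NULL);
    free(s);
    return rc;
}

int main(void) {
    printf("APPENDUID for APPEND -> uid %d\n", check_appenduid_for_append());
    printf("APPENDUID for STORE  -> rc %d\n", check_appenduid_for_store());
    printf("plain OK for STORE   -> rc %d\n", check_plain_ok());
    return 0;
}
```

The point of the check is that the response code alone must not select the struct layout; only state the client itself recorded when it sent the command may. Compiling the vulnerable variant with AddressSanitizer and feeding it the STORE scenario is a quick way to see the heap-buffer-overflow report a fuzzer would have produced.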
http://bugzilla.opensuse.org/show_bug.cgi?id=1186939#c1
--- Comment #1 from Gianluca Gabrielli
http://bugzilla.opensuse.org/show_bug.cgi?id=1186939#c2
--- Comment #2 from Tomas Cech