Bug 1193376 - (CVE-2021-3657) VUL-1: CVE-2021-3657: multiple buffer overflows in isync/mbsync
(CVE-2021-3657)
VUL-1: CVE-2021-3657: multiple buffer overflows in isync/mbsync
Status: NEW
Classification: openSUSE
Product: openSUSE Distribution
Classification: openSUSE
Component: Security
Leap 15.2
Other Other
: P4 - Low : Minor (vote)
: ---
Assigned To: Tomas Cech
Security Team bot
https://smash.suse.de/issue/316218/
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2021-12-03 14:59 UTC by Carlos López
Modified: 2021-12-03 15:15 UTC (History)
0 users

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments
Patch for v.1.3 (5.36 KB, patch)
2021-12-03 14:59 UTC, Carlos López
Details | Diff
Patch for v1.4 (7.02 KB, patch)
2021-12-03 15:00 UTC, Carlos López
Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Carlos López 2021-12-03 14:59:34 UTC
Created attachment 854290 [details]
Patch for v.1.3

CVE-2021-3657

oss-sec
mailing list archives

  By Date  
     
  By Thread  

CVE-2021-3657: multiple buffer overflows in isync/mbsync

From: Oswald Buddenhagen 
Date: Fri, 3 Dec 2021 12:24:32 +0100

description:

A flaw was found in mbsync versions prior to 1.4.4. Due to inadequate
handling of extremely large (>=2GiB) IMAP literals, malicious or
compromised IMAP servers, and hypothetically even external email
senders, could cause several different buffer overflows, which could
conceivably be exploited for remote code execution.

mitigation:

upgrade to the freshly released v1.4.4 available from 
https://sourceforge.net/projects/isync/files/isync/ , or apply the 
matching attached patch. note that while a patch for v1.3.x is provided, 
no upstream release will be made any more.


details:

i'm not sure it's actually possible to pull off RCE with these. a
non-server attacker would be additionally impaired by message size
limitations and being unable to predict the exact size of the headers
stored in the box, so they would likely need an account on the same
liberally configured system, apart from knowing to target mbsync.
Attachment:
CVE-2021-3657-buffer-overflows-on-big-1.4.patch
Description: 
Attachment:
CVE-2021-3657-buffer-overflows-on-big-1.3.patch
Description: 

  By Date  
     
  By Thread  

Current thread:

CVE-2021-3657: multiple buffer overflows in isync/mbsync Oswald Buddenhagen (Dec 03)

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-3657
http://seclists.org/oss-sec/2021/q4/142
Comment 1 Carlos López 2021-12-03 15:00:13 UTC
Created attachment 854291 [details]
Patch for v1.4
Comment 2 Carlos López 2021-12-03 15:01:15 UTC
Affected codestreams:
 - openSUSE:Backports:SLE-15-SP2:Update
 - openSUSE:Backports:SLE-15-SP3:Update
 - openSUSE:Backports:SLE-15-SP4:Update
 - openSUSE:Leap:15.2:Update
 - openSUSE:Factory