CVE-2021-3578

A flaw was found in mbsync before v1.3.6 and v1.4.2, where an unchecked pointer cast allows a malicious or compromised server to write an arbitrary integer value past the end of a heap-allocated structure by issuing an unexpected APPENDUID response. This could be plausibly exploited for remote code execution on the client.

References

Affected packages

Debian:11 / isync

Package

Name: isync
Purl: pkg:deb/debian/isync?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.3.0-2.2

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:12 / isync

Package

Name: isync
Purl: pkg:deb/debian/isync?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.3.0-2.2

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / isync

Package

Name: isync
Purl: pkg:deb/debian/isync?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.3.0-2.2

Ecosystem specific

{
    "urgency": "not yet assigned"
}