CVE-2021-3578: possible remote code execution in isync/mbsync
mailbox synchronizer
Brought to you by:
ossi
Menu
▾
▴
CVE-2021-3578: possible remote code execution in isync/mbsync
|
From: Oswald B. <osw...@gm...> - 2021-06-07 11:46:57
|
description: A flaw was found in mbsync before v1.3.6 and v1.4.2, where an unchecked pointer cast allows a malicious or compromised server to write an arbitrary integer value past the end of a heap-allocated structure by issuing an unexpected APPENDUID response. This could be plausibly exploited for remote code execution on the client. mitigation: upgrade to the freshly released v1.3.6 or v1.4.2 available from https://sourceforge.net/projects/isync/files/isync/ , or apply the matching attached patch. credit: This problem was found by Lukas Braun <ko...@mo...> using a fuzzer. |
