CVE-2021-3578: possible remote code execution in isync/mbsync

[Oswald Buddenhagen <oswald.buddenhagen () gmx de>]

description:

A flaw was found in mbsync before v1.3.6 and v1.4.2, where an unchecked
pointer cast allows a malicious or compromised server to write an
arbitrary integer value past the end of a heap-allocated structure by
issuing an unexpected APPENDUID response. This could be plausibly
exploited for remote code execution on the client.

mitigation:

upgrade to the freshly released v1.3.6 or v1.4.2 available from 
https://sourceforge.net/projects/isync/files/isync/ , or apply the 
matching attached patch.

credit:

This problem was found by Lukas Braun <koomi () moshbit net> using a
fuzzer.

Attachment: fix-handling-of-unexpected-APPENDUID-response-code--1.3.patch
Description:

Attachment: fix-handling-of-unexpected-APPENDUID-response-code--1.4.patch
Description: