CVE-2021-44143

Name
CVE-2021-44143
Description
A flaw was found in mbsync in isync 1.4.0 through 1.4.3. Due to an unchecked condition, a malicious or compromised IMAP server could use a crafted mail message that lacks headers (i.e., one that starts with an empty line) to provoke a heap overflow, which could conceivably be exploited for remote code execution.
NVD Severity
high
Other trackers
Mailing lists
Exploits
Forges
GitHub (code, issues), Aports (code, issues)

References

Type URI
MISC https://sourceforge.net/p/isync/isync/commit_browser
MISC https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=999804
MISC https://sourceforge.net/p/isync/isync/ref/master/tags/
Mailing List http://www.openwall.com/lists/oss-security/2021/12/03/2
Mailing List https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CYZ2GNB4ZO2T27D2XNUWMCS3THZYSJQU/
Mailing List https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LCBSY7OZ57XNC6ZYXF6WU5KBSWITZVDX/

Match rules

CPE URI Source package Min version Max version
cpe:2.3:a:isync_project:isync:*:*:*:*:*:*:*:* isync >= 1.4.0 <= 1.4.3

Vulnerable and fixed packages

Source package Branch Version Maintainer Status
isync 3.14-community 1.4.2-r0 Stuart Cardall <developer@it-offshore.co.uk> possibly vulnerable
isync 3.15-community 1.4.4-r0 Stuart Cardall <developer@it-offshore.co.uk> fixed
isync 3.16-community 1.4.4-r0 Stuart Cardall <developer@it-offshore.co.uk> fixed