CVE-2021-3578: 
NixOS vulnerability analysis and mitigation

A vulnerability (CVE-2021-3578) was discovered in mbsync (part of isync) before versions 1.3.6 and 1.4.2, where an unchecked pointer cast allows a malicious or compromised server to write an arbitrary integer value past the end of a heap-allocated structure by issuing an unexpected APPENDUID response. The vulnerability was discovered by Lukas Braun using a fuzzer and was publicly disclosed on June 3, 2021 (CVE Details, OSS Security).

The vulnerability stems from an unchecked pointer cast in the polkitsystembusnamegetcredssync function. When a malicious server issues an unexpected APPENDUID response, it can trigger a heap-allocated structure overflow. The function returns TRUE even when an error occurs, leading to a mishandling of the error value in specific code paths. This vulnerability affects systems running polkit version 0.113 or later, including popular distributions such as RHEL 8 and Ubuntu 20.04 (OSS Security).

This vulnerability could be exploited for remote code execution on the client system. The severity of this issue is particularly high as it allows an unprivileged local attacker to gain root privileges on the affected system (OSS Security).

Users are advised to upgrade to isync version 1.3.6 or 1.4.2 or later, which contain the fix for this vulnerability. For those unable to upgrade immediately, patches are available for different versions. The vulnerability has been addressed in various distributions through their respective security updates, including Fedora, Debian, and RHEL (Fedora Update, Debian LTS).