Bug 909959 (CVE-2013-0289)

Summary: CVE-2013-0289 isync: Incorrect server's SSL x509.v3 certificate validation when performing IMAP synchronization
Product: [Other] Security Response
Reporter: Jan Lieskovsky <jlieskov>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED CURRENTRELEASE
Severity: medium
Priority: medium
Version: unspecified
CC: cfergeau, ovasik, security-response-team
Keywords: Security
Hardware: All
OS: Linux
Fixed In Version: isync 1.0.6
Doc Type: Bug Fix
Last Closed: 2019-05-13 06:51:07 UTC
Bug Depends On: 913221, 913222

Attachments:
Proposed isync upstream patch (against the 1.0.x branch) to correct this issue (flags: none)
Proposed isync upstream patch (against the master branch) to correct this issue (flags: none)

Description Jan Lieskovsky 2013-02-11 14:25:43 UTC
A security flaw was found in the way isync, a command line application to synchronize IMAP4 and Maildir mailboxes, (previously) performed the server's SSL x509.v3 certificate validation when performing IMAP protocol based synchronization (the server's hostname was previously not compared for a match against the CN field of the certificate). A rogue server could use this flaw to conduct man-in-the-middle (MiTM) attacks, possibly leading to disclosure of sensitive information.
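
The check the description says was missing, comparing the server's hostname with the name in its certificate, written out as an added example; it is not part of this report, the attached patches, or isync's code. `cert_name_matches` and the sample names are hypothetical, and the name bytes are assumed to have been extracted already from the certificate's CN (or a subjectAltName entry) by the TLS library.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Case-insensitive comparison of n bytes; DNS names are case-insensitive. */
static int eq_nocase(const char *a, const char *b, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i]))
            return 0;
    return 1;
}

/* Hypothetical helper, not isync code. `name`/`name_len` are the bytes and
 * length of a certificate name as stored in its ASN.1 string; `host` is the
 * hostname the client was configured to connect to. Returns 1 on match. */
int cert_name_matches(const char *name, size_t name_len, const char *host)
{
    size_t host_len = strlen(host);

    /* An embedded NUL means the C-string view of the name is only a prefix
     * of what the CA signed, so refuse the name outright. */
    if (name_len == 0 || host_len == 0 || memchr(name, '\0', name_len))
        return 0;

    if (name_len > 2 && name[0] == '*' && name[1] == '.') {
        /* Wildcard stands for exactly one leftmost label of the host. */
        const char *dot = strchr(host, '.');
        if (dot == NULL || dot == host)
            return 0;
        /* Refuse "*.com"-style names and any second '*'. */
        if (!memchr(name + 2, '.', name_len - 2) ||
            memchr(name + 1, '*', name_len - 1))
            return 0;
        size_t rest = host_len - (size_t)(dot - host);
        return rest == name_len - 1 && eq_nocase(name + 1, dot, rest);
    }
    if (memchr(name, '*', name_len))
        return 0;   /* wildcard anywhere but the leftmost label */
    return host_len == name_len && eq_nocase(name, host, name_len);
}

int main(void)
{
    /* Constructed sample names, not taken from the bug report. */
    printf("%d\n", cert_name_matches("imap.example.com", 16, "IMAP.example.com"));
    printf("%d\n", cert_name_matches("*.example.com", 13, "imap.example.com"));
    printf("%d\n", cert_name_matches("*.example.com", 13, "a.imap.example.com"));
    return 0;
}
```

A client would run this after the certificate chain itself has been verified, and abort the connection when no name in the certificate matches.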

Comment 2 Jan Lieskovsky 2013-02-11 14:32:23 UTC
Created attachment 696105
Proposed isync upstream patch (against the 1.0.x branch) to correct this issue

Comment 3 Jan Lieskovsky 2013-02-11 14:33:03 UTC
Created attachment 696107
Proposed isync upstream patch (against the master branch) to correct this issue

Comment 5 Jan Lieskovsky 2013-02-15 12:07:33 UTC
The CVE identifier of CVE-2013-0289 has been assigned to this issue.

Comment 7 Vincent Danen 2013-02-20 16:42:17 UTC
Created isync tracking bugs for this issue

Affects: fedora-all [bug 913221]
Affects: epel-all [bug 913222]

Comment 8 Christophe Fergeau 2019-05-13 06:50:49 UTC
The patch is present in isync 1.1.0, all Fedora versions have an isync version newer than that, this bug can be closed.

Comment 9 Christophe Fergeau 2019-05-13 06:51:55 UTC
epel has a much newer version these days (1.2.0) so this is fixed already.