[Pkg-netatalk-devel] Bug#1036740: closed by Markus Koschany <apo at debian.org> (Re: Bug#1036740: Fix for CVE-2022-23123 causes afpd segfault with valid metadata)

Salvatore Bonaccorso carnil at debian.org
Sun Jun 4 06:39:12 BST 2023


Hi Daniel,

On Sat, Jun 03, 2023 at 02:56:00PM -0700, Daniel Markstedt wrote:
> > ---------- Forwarded message ----------
> > From: Markus Koschany <apo at debian.org>
> > To: Daniel Markstedt <markstedt at gmail.com>, 1036740-done at bugs.debian.org
> > Cc: debian-lts at lists.debian.org
> > Bcc:
> > Date: Thu, 01 Jun 2023 19:54:55 +0200
> > Subject: Re: Bug#1036740: Fix for CVE-2022-23123 causes afpd segfault with valid metadata
> > Version:  3.1.12~ds-3+deb10u2
> >
> > Thanks for your report and the detailed replies. I could reproduce the problem
> > and identify a wrongly applied commit in libatalk/adouble/ad_open.c. After
> > applying a new patch to fix it, the AppleDouble v2 format seems to work as
> > intended again. I'm going to close this bug report now.
> >
> > Best,
> >
> > Markus
> >
> 
> Thank you Markus for narrowing down the problem and fixing it!
> I can confirm that appledouble=v2 works in my environment now too.
> 
> So this covers the outstanding CVEs for oldstable now;
> are you already preparing to port the same patchset to stable as well?
> 
> I can file another bug report if it helps.

No other reports needed, since all were reported. For the bookworm
release they would be fixed, for the current stable (bullseye) we
explicitly asked the maintainer through
https://bugs.debian.org/1025011#15 . So we are waiting for the
netatalk maintainers to propose an update here for bullseye-security.

Regards,
Salvatore


