[Pkg-netatalk-devel] Bug#1036740: Fix for CVE-2022-23123 causes afpd segfault with valid metadata
Daniel Markstedt
markstedt at gmail.com
Thu May 25 06:50:41 BST 2023
Package: netatalk
Version: 3.1.12~ds-3+deb10u1
X-Debbugs-Cc: team at security.debian.org
The code that addressed CVE-2022-23123 introduced appledouble metadata
validity assertions that were too strict and caused instant segfaults
with valid metadata for a large number of users.
These two commits in upstream addressed this:
https://github.com/Netatalk/netatalk/commit/9d0c21298363e8174cdfca657e66c4d10819507b
https://github.com/Netatalk/netatalk/commit/4140e5495bac42ecb9b11975229c81e84762cc98
For the full discussion see this PR:
https://github.com/Netatalk/netatalk/pull/174
I would recommend accepting these patches into oldstable, as well as
stable once the CVE patches get ported there too.
More information about the pkg-netatalk-devel
mailing list