[Pkg-netatalk-devel] Bug#1036740: Fix for CVE-2022-23123 causes afpd segfault with valid metadata

Daniel Markstedt markstedt at gmail.com
Thu May 25 06:50:41 BST 2023


Package: netatalk
Version: 3.1.12~ds-3+deb10u1
X-Debbugs-Cc: team at security.debian.org

The code that addressed CVE-2022-23123 introduced appledouble metadata
validity assertions that were too strict and caused instant segfaults
with valid metadata for a large number of users.

These two commits in upstream addressed this:
https://github.com/Netatalk/netatalk/commit/9d0c21298363e8174cdfca657e66c4d10819507b
https://github.com/Netatalk/netatalk/commit/4140e5495bac42ecb9b11975229c81e84762cc98

For the full discussion see this PR:
https://github.com/Netatalk/netatalk/pull/174

I would recommend accepting these patches into oldstable, as well as
stable once the CVE patches get ported there too.



More information about the pkg-netatalk-devel mailing list