[Pkg-netatalk-devel] Bug#1036740: Fix for CVE-2022-23123 causes afpd segfault with valid metadata

Salvatore Bonaccorso carnil at debian.org
Thu May 25 07:02:36 BST 2023


Control: forwarded -1 https://github.com/Netatalk/netatalk/pull/174

Hi Daniel,

On Wed, May 24, 2023 at 10:50:41PM -0700, Daniel Markstedt wrote:
> Package: netatalk
> Version: 3.1.12~ds-3+deb10u1
> X-Debbugs-Cc: team at security.debian.org
> 
> The code that addressed CVE-2022-23123 introduced appledouble metadata
> validity assertions that were too strict and caused instant segfaults
> with valid metadata for a large number of users.
> 
> These two commits in upstream addressed this:
> https://github.com/Netatalk/netatalk/commit/9d0c21298363e8174cdfca657e66c4d10819507b
> https://github.com/Netatalk/netatalk/commit/4140e5495bac42ecb9b11975229c81e84762cc98
> 
> For the full discussion see this PR:
> https://github.com/Netatalk/netatalk/pull/174
> 
> I would recommend accepting these patches into oldstable, as well as
> stable once the CVE patches get ported there too.

Thanks for the report. Forwarding it as well to the debian-lts list
(FTR if you use reportbug, it chooses the right X-Debbugs-CC as well
for such regression reports, if they match some criteria).

Regards,
Salvatore


