[Pkg-netatalk-devel] Bug#1036740: Fix for CVE-2022-23123 causes afpd segfault with valid metadata
Salvatore Bonaccorso
carnil at debian.org
Thu May 25 07:02:36 BST 2023
Control: forwarded -1 https://github.com/Netatalk/netatalk/pull/174
Hi Daniel,
On Wed, May 24, 2023 at 10:50:41PM -0700, Daniel Markstedt wrote:
> Package: netatalk
> Version: 3.1.12~ds-3+deb10u1
> X-Debbugs-Cc: team at security.debian.org
>
> The code that addressed CVE-2022-23123 introduced appledouble metadata
> validity assertions that were too strict and caused instant segfaults
> with valid metadata for a large number of users.
>
> These two commits in upstream addressed this:
> https://github.com/Netatalk/netatalk/commit/9d0c21298363e8174cdfca657e66c4d10819507b
> https://github.com/Netatalk/netatalk/commit/4140e5495bac42ecb9b11975229c81e84762cc98
>
> For the full discussion see this PR:
> https://github.com/Netatalk/netatalk/pull/174
>
> I would recommend accepting these patches into oldstable, as well as
> stable once the CVE patches get ported there too.
Thanks for the report. Forwarding it as well to the debian-lts list
(FTR if you use reportbug, it chooses the right X-Debbugs-CC as well
for such regression reports, if they match some criteria).
Regards,
Salvatore
More information about the pkg-netatalk-devel
mailing list