[Pkg-netatalk-devel] Bug#1036740: Bug#1036740: Fix for CVE-2022-23123 causes afpd segfault with valid metadata

Daniel Markstedt markstedt at gmail.com
Fri May 26 03:22:26 BST 2023


On Thu, May 25, 2023 at 3:39 AM Markus Koschany <apo at debian.org> wrote:
>
> Hello Daniel,
>
> Am Donnerstag, dem 25.05.2023 um 08:02 +0200 schrieb Salvatore Bonaccorso:
> > >
> > > These two commits in upstream addressed this:
> > > https://github.com/Netatalk/netatalk/commit/9d0c21298363e8174cdfca657e66c4d10819507b
> > > https://github.com/Netatalk/netatalk/commit/4140e5495bac42ecb9b11975229c81e84762cc98
>
> Both patches have been backported to Buster. You can find them as CVE-2022-
> 23123_part3.patch and CVE-2022-23123_part4.patch.
>
> Did we miss something else?
>
> Regards,
>
> Markus

Salvatore, Markus,

Thank you very much for taking swift action on this!
Please forgive my ignorance here, but are these patches active already
if I apt install netatalk (3.1.12~ds-3+deb10u1) on Buster?
Or do they have to be picked up by some build process that hasn't run yet?

I'm asking because I ran a few tests now and while EA metadata works,
the appledouble v2 metadata functionality is definitely broken, even
when you create a new shared volume from scratch.

dmark at buster:~$ apt show netatalk
Package: netatalk
Version: 3.1.12~ds-3+deb10u1
...
May 25 18:51:08 buster afpd[7415]: ad->ad_ops->ad_header_read(path,
ad, pst) failed: Input/output error
May 25 18:51:08 buster afpd[7415]: getfilparams(Screenshot 2023-05-23
at 10.36.39 AM.png): bad resource fork
May 25 18:51:08 buster afpd[7415]: parse_entries: bogus eid: 3, off: 182, len: 8
May 25 18:51:08 buster afpd[7415]:
ad_header_read(/home/dmark/afp-data): malformed AppleDouble

So either more patches have to be cherry-picked or I need to be patient. :)



More information about the pkg-netatalk-devel mailing list