Your message dated Thu, 01 Jun 2023 19:54:55 +0200
with message-id <f952c8229f0d1414781c82b7629c6b47042532ae.ca...@debian.org>
and subject line Re: Bug#1036740: Fix for CVE-2022-23123 causes afpd segfault 
with valid metadata
has caused the Debian Bug report #1036740,
regarding Fix for CVE-2022-23123 causes afpd segfault with valid metadata
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1036740: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1036740
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: netatalk
Version: 3.1.12~ds-3+deb10u1
X-Debbugs-Cc: t...@security.debian.org

The code that addressed CVE-2022-23123 introduced appledouble metadata
validity assertions that were too strict and caused instant segfaults
with valid metadata for a large number of users.

These two commits in upstream addressed this:
https://github.com/Netatalk/netatalk/commit/9d0c21298363e8174cdfca657e66c4d10819507b
https://github.com/Netatalk/netatalk/commit/4140e5495bac42ecb9b11975229c81e84762cc98

For the full discussion see this PR:
https://github.com/Netatalk/netatalk/pull/174

I would recommend accepting these patches into oldstable, as well as
stable once the CVE patches get ported there too.

--- End Message ---
--- Begin Message ---
Version:  3.1.12~ds-3+deb10u2

Thanks for your report and the detailed replies. I could reproduce the problem
and identify a wrongly applied commit in libatalk/adouble/ad_open.c. After
applying a new patch to fix it, the AppleDouble v2 format seems to work as
intended again. I'm going to close this bug report now.

Best,

Markus


--- End Message ---
