Quoting Salvatore Bonaccorso (2023-06-04 07:39:12) > Hi Daniel, > > On Sat, Jun 03, 2023 at 02:56:00PM -0700, Daniel Markstedt wrote: > > > ---------- Forwarded message ---------- > > > From: Markus Koschany <a...@debian.org> > > > To: Daniel Markstedt <markst...@gmail.com>, 1036740-d...@bugs.debian.org > > > Cc: debian-...@lists.debian.org > > > Bcc: > > > Date: Thu, 01 Jun 2023 19:54:55 +0200 > > > Subject: Re: Bug#1036740: Fix for CVE-2022-23123 causes afpd segfault > > > with valid metadata > > > Version: 3.1.12~ds-3+deb10u2 > > > > > > Thanks for your report and the detailed replies. I could reproduce the > > > problem > > > and identify a wrongly applied commit in libatalk/adouble/ad_open.c. After > > > applying a new patch to fix it, the AppleDouble v2 format seems to work as > > > intended again. I'm going to close this bug report now. > > > > > > Best, > > > > > > Markus > > > > > > > Thank you Markus for narrowing down the problem and fixing it! > > I can confirm that appledouble=v2 works in my environment now too. > > > > So this covers the outstanding CVEs for oldstable now; > > are you already preparing to port the same patchset to stable as well? > > > > I can file another bug report if it helps. > > No other reports needed, since all were reported. For the bookworm > release they would be fixed, for the current stable (bullseye) we > explicitly asked the maintainer trough > https://bugs.debian.org/1025011#15 . So we are waiting for the > netatalk maintainers to propose an update here for bullseye-security.
@Salvatore: In addition to being upstream developer, Daniel has also joined the Debian packaging team. @Daniel: Debian issue tracker - debbugs - can be confusing from an upstream POV, due to it being distro-centric: Some issues are not about upstream code but "meta" about distro organization - e.g. bug#1025011 which is not about netatalk but about *attention* for netatalk and therefore open despite netatalk itself has no bugs. Also, issues tied to upstream projects is tracked across multiple Debian releases, so can be both fixed and unfixed depending on release scope. What is double confusing here is that no bugreport exists in Debian for tracking CVE-2022-23123 - bug#1036740 filed by you is about collateral damage in fixing that CVE for oldstable, and bug#1025011 is about meta-discussion only indirectly involving that same CVE. All in all: Yes, please file a bugreport about CVE-2022-23123 - and then tag it as closed with package release 3.1.15~ds-1, which makes that bugreport "fixed" for the scope of Debian testing and unstable, but unfixed for the scope of Debian stabel. Hope that helps. - Jonas -- * Jonas Smedegaard - idealist & Internet-arkitekt * Tlf.: +45 40843136 Website: http://dr.jones.dk/ * Sponsorship: https://ko-fi.com/drjones [x] quote me freely [ ] ask before reusing [ ] keep private
signature.asc
Description: signature
