On Sat, Jun 3, 2023 at 11:07 PM Jonas Smedegaard <jo...@jones.dk> wrote:
>
> Quoting Salvatore Bonaccorso (2023-06-04 07:39:12)
> > Hi Daniel,
> >
> > On Sat, Jun 03, 2023 at 02:56:00PM -0700, Daniel Markstedt wrote:
> > > > ---------- Forwarded message ----------
> > > > From: Markus Koschany <a...@debian.org>
> > > > To: Daniel Markstedt <markst...@gmail.com>, 1036740-d...@bugs.debian.org
> > > > Cc: debian-...@lists.debian.org
> > > > Bcc:
> > > > Date: Thu, 01 Jun 2023 19:54:55 +0200
> > > > Subject: Re: Bug#1036740: Fix for CVE-2022-23123 causes afpd segfault with valid metadata
> > > > Version: 3.1.12~ds-3+deb10u2
> > > >
> > > > Thanks for your report and the detailed replies. I could reproduce the problem
> > > > and identify a wrongly applied commit in libatalk/adouble/ad_open.c. After
> > > > applying a new patch to fix it, the AppleDouble v2 format seems to work as
> > > > intended again. I'm going to close this bug report now.
> > > >
> > > > Best,
> > > >
> > > > Markus
> > > >
> > >
> > > Thank you Markus for narrowing down the problem and fixing it!
> > > I can confirm that appledouble=v2 works in my environment now too.
> > >
> > > So this covers the outstanding CVEs for oldstable now;
> > > are you already preparing to port the same patchset to stable as well?
> > >
> > > I can file another bug report if it helps.
> >
> > No other reports needed, since all were reported. For the bookworm
> > release they would be fixed, for the current stable (bullseye) we
> > explicitly asked the maintainer through
> > https://bugs.debian.org/1025011#15 . So we are waiting for the
> > netatalk maintainers to propose an update here for bullseye-security.
>
> @Salvatore: In addition to being upstream developer, Daniel has also
> joined the Debian packaging team.
>

Salvatore, I left a comment over at that bug.
It should be easy to accomplish if I can learn how to contribute
patches to security releases.

> @Daniel: Debian issue tracker - debbugs - can be confusing from an
> upstream POV, due to it being distro-centric: Some issues are not about
> upstream code but "meta" about distro organization - e.g. bug#1025011
> which is not about netatalk but about *attention* for netatalk and
> therefore open despite netatalk itself having no bugs. Also, issues tied to
> upstream projects are tracked across multiple Debian releases, so can be
> both fixed and unfixed depending on release scope.
>
> What is doubly confusing here is that no bugreport exists in Debian for
> tracking CVE-2022-23123 - bug#1036740 filed by you is about collateral
> damage in fixing that CVE for oldstable, and bug#1025011 is about
> meta-discussion only indirectly involving that same CVE.
>
> All in all: Yes, please file a bugreport about CVE-2022-23123 - and then
> tag it as closed with package release 3.1.15~ds-1, which makes that
> bugreport "fixed" for the scope of Debian testing and unstable, but
> unfixed for the scope of Debian stable.
>
>
> Hope that helps.
>
>  - Jonas
>

Jonas, definitely a helpful summary, thanks!

However, I assume you mean CVE-2022-45188 for bookworm regarding
filing a bug to resolve an already resolved CVE?
This one was fixed with 3.1.15 but due to a typo in the commit message
was left as unresolved, if I'm not mistaken.

As far as I can tell, CVE-2022-23123 is already properly flagged as
resolved both for bookworm and sid.
Please let me know if there's something I overlooked here!

Best,
Daniel