CVE-2022-22995: netatalk afpd vulnerable to symlink spoofing


Debian Bug report logs - #1053545


Reported by: Daniel Markstedt <daniel@mindani.net>

Date: Thu, 5 Oct 2023 22:57:06 UTC

Severity: critical

Tags: security, upstream

Found in version netatalk/3.1.12~ds-3

Fixed in version netatalk/3.1.18~ds-1

Done: Jonas Smedegaard <dr@jones.dk>



Report forwarded to debian-bugs-dist@lists.debian.org, pkg-netatalk-devel@alioth-lists.debian.net, team@security.debian.org, Debian Netatalk team <pkg-netatalk-devel@lists.alioth.debian.org>:
Bug#1053545; Package netatalk. (Thu, 05 Oct 2023 22:57:08 GMT)


Acknowledgement sent to Daniel Markstedt <daniel@mindani.net>:
New Bug report received and forwarded. Copy sent to pkg-netatalk-devel@alioth-lists.debian.net, team@security.debian.org, Debian Netatalk team <pkg-netatalk-devel@lists.alioth.debian.org>. (Thu, 05 Oct 2023 22:57:08 GMT)


Message #5 received at submit@bugs.debian.org:

From: Daniel Markstedt <daniel@mindani.net>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2022-22995: netatalk afpd vulnerable to symlink spoofing
Date: Thu, 05 Oct 2023 22:49:37 +0000
Package: netatalk
Version: 3.1.12~ds-3
Severity: critical
Tags: security
Justification: root security hole
X-Debbugs-Cc: pkg-netatalk-devel@alioth-lists.debian.net, Debian Security Team <team@security.debian.org>

Under very specific circumstances, netatalk can be tricked into copying a symlink or other malicious file from the shared volume into a restricted place in the file system, potentially achieving remote code execution. All versions of netatalk from 3.1.0 to 3.1.17 are vulnerable.

The CVE-2022-22995 advisory was published over a year ago, but the details of the exploit weren't disclosed at the time:

https://nvd.nist.gov/vuln/detail/cve-2022-22995

It was only recently that we in the upstream team were able to get in touch with the original security researchers to gain enough insight to formulate a patch and publish our own security advisory:

https://netatalk.sourceforge.io/CVE-2022-22995.php
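As an added illustration (not netatalk's code or its actual patch, whose details the report does not give), the class of hardening a file-serving daemon needs when it copies files out of a user-writable shared volume into a privileged location: refuse to follow a symlink at either end of the copy, copy only regular files, and never overwrite an existing destination. The function names and the scratch directory under /tmp are hypothetical.

```c
#define _GNU_SOURCE            /* for O_NOFOLLOW, O_CLOEXEC, mkdtemp */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical hardened copy: never follow a symlink at src or dst, only copy
   regular files, never overwrite. Returns 0 on success, -1 with errno set. */
int safe_copy_regular(const char *src, const char *dst)
{
    /* O_NOFOLLOW: open() fails with ELOOP if src itself is a symlink. */
    int in = open(src, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
    if (in < 0) return -1;
    struct stat st;
    /* fstat on the open descriptor, not stat on the path, so there is no
       check-then-use window in which src could be swapped for a link. */
    if (fstat(in, &st) < 0 || !S_ISREG(st.st_mode)) {
        close(in); errno = EINVAL; return -1;
    }
    /* O_CREAT|O_EXCL refuses a destination that already exists (planted or not). */
    int out = open(dst, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW | O_CLOEXEC, 0600);
    if (out < 0) { close(in); return -1; }
    char buf[4096]; ssize_t n;
    while ((n = read(in, buf, sizeof buf)) > 0)
        if (write(out, buf, (size_t)n) != n) { n = -1; break; }
    close(in); close(out);
    if (n < 0) { unlink(dst); return -1; }
    return 0;
}

/* Self-check on a constructed scratch directory: a regular file is copied,
   a symlink to it (the spoofing case) is refused with ELOOP. Returns 1 if so. */
int demo_symlink_rejected(void)
{
    char dir[] = "/tmp/safecopyXXXXXX", real[64], link[64], out1[64], out2[64];
    if (!mkdtemp(dir)) return 0;
    snprintf(real, sizeof real, "%s/real.txt", dir);
    snprintf(link, sizeof link, "%s/spoof.txt", dir);   /* constructed symlink */
    snprintf(out1, sizeof out1, "%s/out1.txt", dir);
    snprintf(out2, sizeof out2, "%s/out2.txt", dir);
    FILE *f = fopen(real, "w"); if (!f) return 0;
    fputs("constructed sample\n", f); fclose(f);
    if (symlink(real, link) < 0) return 0;
    int ok = safe_copy_regular(real, out1) == 0;
    ok = ok && safe_copy_regular(link, out2) < 0 && errno == ELOOP;
    unlink(out1); unlink(out2); unlink(link); unlink(real); rmdir(dir);
    return ok;
}
```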



Added tag(s) upstream. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 06 Oct 2023 03:42:03 GMT)


Reply sent to Jonas Smedegaard <dr@jones.dk>:
You have taken responsibility. (Fri, 06 Oct 2023 05:09:03 GMT)


Notification sent to Daniel Markstedt <daniel@mindani.net>:
Bug acknowledged by developer. (Fri, 06 Oct 2023 05:09:03 GMT)


Message #12 received at 1053545-close@bugs.debian.org:

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: 1053545-close@bugs.debian.org
Subject: Bug#1053545: fixed in netatalk 3.1.18~ds-1
Date: Fri, 06 Oct 2023 05:04:14 +0000
Source: netatalk
Source-Version: 3.1.18~ds-1
Done: Jonas Smedegaard <dr@jones.dk>

We believe that the bug you reported is fixed in the latest version of
netatalk, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1053545@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jonas Smedegaard <dr@jones.dk> (supplier of updated netatalk package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Fri, 06 Oct 2023 06:40:15 +0200
Source: netatalk
Binary: netatalk netatalk-dbgsym
Architecture: source amd64
Version: 3.1.18~ds-1
Distribution: unstable
Urgency: high
Maintainer: Debian Netatalk team <pkg-netatalk-devel@lists.alioth.debian.org>
Changed-By: Jonas Smedegaard <dr@jones.dk>
Description:
 netatalk   - Apple Filing Protocol service
Closes: 1053545
Changes:
 netatalk (3.1.18~ds-1) unstable; urgency=high
 .
   [ upstream ]
   * new release
     + CVE-2022-22995: Harden create_appledesktop_folder()
       closes: bug#1053545
 .
   [ Jonas Smedegaard ]
   * drop patch 001, obsoleted by upstream changes
   * set urgency=high due to security-related bugfix






Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Fri Oct 6 17:52:46 2023; Machine Name: buxtehude
