Debian Bug report logs - #1052087
CVE-2023-42464: 0-day vulnerability in afpd Spotlight RPC
Report forwarded to debian-bugs-dist@lists.debian.org, Debian Netatalk team <pkg-netatalk-devel@lists.alioth.debian.org>: Bug#1052087; Package netatalk. (Sun, 17 Sep 2023 12:54:04 GMT)
Acknowledgement sent to Daniel Markstedt <daniel@mindani.net>: New Bug report received and forwarded. Copy sent to Debian Netatalk team <pkg-netatalk-devel@lists.alioth.debian.org>. (Sun, 17 Sep 2023 12:54:04 GMT)
Message #5 received at submit@bugs.debian.org:
Package: netatalk
Version: 3.1.12~ds-3
Severity: critical
Tags: security
Justification: root security hole
A 0-day vulnerability patch has been published for the upstream project.
The CVE record has not been made public yet, but this is the body of the
advisory for the record:
A Type Confusion vulnerability was found in the Spotlight RPC functions
in Netatalk's afpd daemon. When parsing Spotlight RPC packets, one
encoded data structure is a key-value style dictionary where the keys
are character strings, and the values can be any of the supported types
in the underlying protocol. Due to a lack of type checking in callers of
the dalloc_value_for_key() function, which returns the object associated
with a key, a malicious actor may be able to fully control the value of
the pointer and theoretically achieve Remote Code Execution on the host.
The underlying code for Spotlight queries in Netatalk shares a common
heritage with Samba, and hence the root cause and fix are logically
identical with those described in CVE-2023-34967.
https://github.com/Netatalk/netatalk/issues/486
-- System Information:
Debian Release: 10.13
APT prefers oldoldstable
APT policy: (500, 'oldoldstable')
Architecture: amd64 (x86_64)
Kernel: Linux 6.1.0-12-amd64 (SMP w/4 CPU cores; PREEMPT)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to C.UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to C.UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: unable to detect
Versions of packages netatalk depends on:
ii libacl1 2.2.53-4
ii libattr1 1:2.4.48-4
ii libavahi-client3 0.7-4+deb10u1
ii libavahi-common3 0.7-4+deb10u1
ii libc6 2.28-10+deb10u1
ii libdb5.3 5.3.28+dfsg1-0.5
ii libdbus-1-3 1.12.20-0+deb10u1
ii libdbus-glib-1-2 0.110-4
ii libgcrypt20 1.8.4-5+deb10u1
ii libglib2.0-0 2.58.3-2+deb10u3
ii libldap-2.4-2 2.4.47+dfsg-3+deb10u7
ii libpam-modules 1.3.1-5
ii libpam0g 1.3.1-5
ii libtalloc2 2.1.14-2
ii libtdb1 1.3.16-2+b1
ii libtracker-sparql-2.0-0 2.1.8-2
ii libwrap0 7.6.q-28
ii lsb-base 10.2019051400
ii netbase 5.6
ii perl 5.28.1-6+deb10u1
Versions of packages netatalk recommends:
ii avahi-daemon 0.7-4+deb10u1
ii dbus 1.12.20-0+deb10u1
ii lsof 4.91+dfsg-1
ii procps 2:3.3.15-2
ii python3 3.7.3-1
ii python3-dbus 1.2.8-3
ii tracker 2.1.8-2
Versions of packages netatalk suggests:
pn quota <none>
-- no debconf information
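As an added illustration of the bug class the advisory above describes, the following is a hypothetical, self-contained C program (it is not Netatalk's or Samba's code; the types, the dictionary layout, the key name "attrs" and the sample dictionaries are constructed for this example). Its dict_value_for_key() mimics only the contract the advisory attributes to dalloc_value_for_key(): it returns the object stored under a key and tells the caller nothing about that object's type. vuln_get_array() uses the result as an array without checking the tag, as the advisory says the vulnerable callers did; safe_get_array() checks the tag first.

```c
#include <inttypes.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical tagged value (not Netatalk's DALLOC_CTX): the unpacker sets
 * 'type' from the wire encoding and stores the payload in the union. */
typedef enum { SL_STRING, SL_UINT64, SL_ARRAY } sl_type_t;

typedef struct sl_obj sl_obj_t;

typedef struct {
    sl_obj_t **items;   /* first union member: overlaps u64 at offset 0 */
    size_t count;
} sl_array_t;

struct sl_obj {
    sl_type_t type;
    union {
        const char *str;
        uint64_t u64;
        sl_array_t arr;
    } u;
};

typedef struct {
    const char *key;
    sl_obj_t *val;
} sl_kv_t;

typedef struct {
    const sl_kv_t *kv;
    size_t count;
} sl_dict_t;

/* Stand-in for the contract of dalloc_value_for_key(): the object stored
 * under 'key', or NULL. Nothing about its type reaches the caller. */
static sl_obj_t *dict_value_for_key(const sl_dict_t *d, const char *key)
{
    for (size_t i = 0; i < d->count; i++)
        if (strcmp(d->kv[i].key, key) == 0)
            return d->kv[i].val;
    return NULL;
}

/* Vulnerable pattern: the caller knows the protocol puts an array under this
 * key and uses the value as one. A packet that encodes a uint64 under the
 * same key is accepted, and the attacker's integer becomes 'items'. */
static sl_array_t *vuln_get_array(const sl_dict_t *d, const char *key)
{
    sl_obj_t *o = dict_value_for_key(d, key);
    if (o == NULL)
        return NULL;
    return &o->u.arr;                    /* o->type is never checked */
}

/* Fixed pattern: reject anything not tagged as an array before the cast. */
static sl_array_t *safe_get_array(const sl_dict_t *d, const char *key)
{
    sl_obj_t *o = dict_value_for_key(d, key);
    if (o == NULL || o->type != SL_ARRAY)
        return NULL;
    return &o->u.arr;
}

/* Where the vulnerable caller's item pointer would point. The pointer is
 * only inspected, never dereferenced, so the demo stays well defined. */
static uintptr_t vuln_items_ptr(const sl_dict_t *d, const char *key)
{
    sl_array_t *a = vuln_get_array(d, key);
    return a ? (uintptr_t)a->items : 0;
}

/* Constructed sample dictionaries: not real Spotlight RPC packets. */
static sl_obj_t str_obj  = { SL_STRING, { .str = "hello" } };
static sl_obj_t *arr_items[] = { &str_obj };
static sl_obj_t arr_obj  = { SL_ARRAY,  { .arr = { arr_items, 1 } } };
static sl_obj_t evil_obj = { SL_UINT64, { .u64 = 0x41414141u } };

static const sl_kv_t good_kv[] = { { "attrs", &arr_obj } };   /* well-typed */
static const sl_kv_t bad_kv[]  = { { "attrs", &evil_obj } };  /* mistyped  */

static const sl_dict_t good_dict = { good_kv, 1 };
static const sl_dict_t bad_dict  = { bad_kv, 1 };

int main(void)
{
    sl_array_t *a = safe_get_array(&good_dict, "attrs");
    printf("checked lookup, well-typed packet: %zu item(s)\n", a ? a->count : (size_t)0);
    printf("checked lookup, mistyped packet: %s\n",
           safe_get_array(&bad_dict, "attrs") ? "accepted" : "rejected");
    printf("unchecked lookup, mistyped packet: items pointer = 0x%" PRIxPTR "\n",
           vuln_items_ptr(&bad_dict, "attrs"));
    return 0;
}
```

The union layout is deliberate: because the array's item pointer and the integer payload share offset 0, the unchecked caller ends up with an item pointer whose value the packet author chose, which is the pointer control the advisory refers to. Reading the inactive union member this way is permitted by GCC; on a big-endian or 32-bit target the observed pointer bits would differ, but the checked lookup rejects the mistyped value regardless of layout.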
Information forwarded to debian-bugs-dist@lists.debian.org, Debian Netatalk team <pkg-netatalk-devel@lists.alioth.debian.org>: Bug#1052087; Package netatalk. (Sun, 17 Sep 2023 13:03:02 GMT)
Acknowledgement sent to Daniel Markstedt <daniel@mindani.net>: Extra info received and forwarded to list. Copy sent to Debian Netatalk team <pkg-netatalk-devel@lists.alioth.debian.org>. (Sun, 17 Sep 2023 13:03:02 GMT)
Message #10 received at 1052087@bugs.debian.org:
Please note: The vulnerability also affects 3.1.12~ds-8 in oldstable, and 3.1.15~ds-3 in unstable.
stable isn't distributing a netatalk package.
Added tag(s) upstream. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sun, 17 Sep 2023 13:30:03 GMT)
Last modified: Sun Sep 17 17:52:32 2023