CVE-2023-42464: 0-day vulnerability in afpd Spotlight RPC

Related Vulnerabilities: CVE-2023-42464   CVE-2023-34967  

Debian Bug report logs - #1052087

Reported by: Daniel Markstedt <daniel@mindani.net>

Date: Sun, 17 Sep 2023 12:54:02 UTC

Severity: critical

Tags: security, upstream

Found in version netatalk/3.1.12~ds-3

Forwarded to https://github.com/Netatalk/netatalk/issues/486



Report forwarded to debian-bugs-dist@lists.debian.org, Debian Netatalk team <pkg-netatalk-devel@lists.alioth.debian.org>:
Bug#1052087; Package netatalk. (Sun, 17 Sep 2023 12:54:04 GMT)


Acknowledgement sent to Daniel Markstedt <daniel@mindani.net>:
New Bug report received and forwarded. Copy sent to Debian Netatalk team <pkg-netatalk-devel@lists.alioth.debian.org>. (Sun, 17 Sep 2023 12:54:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Daniel Markstedt <daniel@mindani.net>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2023-42464: 0-day vulnerability in afpd Spotlight RPC
Date: Sun, 17 Sep 2023 12:50:23 +0000
Package: netatalk
Version: 3.1.12~ds-3
Severity: critical
Tags: security
Justification: root security hole

A 0-day vulnerability patch has been published for the upstream project.

The CVE record has not been made public yet, but this is the body of the
advisory for the record:

A Type Confusion vulnerability was found in the Spotlight RPC functions
in Netatalk's afpd daemon. When parsing Spotlight RPC packets, one
encoded data structure is a key-value style dictionary where the keys
are character strings, and the values can be any of the supported types
in the underlying protocol. Due to a lack of type checking in callers of
the dalloc_value_for_key() function, which returns the object associated
with a key, a malicious actor may be able to fully control the value of
the pointer and theoretically achieve Remote Code Execution on the host.

The underlying code for Spotlight queries in Netatalk shares a common
heritage with Samba, and hence the root cause and fix are logically
identical with those described in CVE-2023-34967.

https://github.com/Netatalk/netatalk/issues/486

-- System Information:
Debian Release: 10.13
  APT prefers oldoldstable
  APT policy: (500, 'oldoldstable')
Architecture: amd64 (x86_64)

Kernel: Linux 6.1.0-12-amd64 (SMP w/4 CPU cores; PREEMPT)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to C.UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to C.UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: unable to detect

Versions of packages netatalk depends on:
ii  libacl1                  2.2.53-4
ii  libattr1                 1:2.4.48-4
ii  libavahi-client3         0.7-4+deb10u1
ii  libavahi-common3         0.7-4+deb10u1
ii  libc6                    2.28-10+deb10u1
ii  libdb5.3                 5.3.28+dfsg1-0.5
ii  libdbus-1-3              1.12.20-0+deb10u1
ii  libdbus-glib-1-2         0.110-4
ii  libgcrypt20              1.8.4-5+deb10u1
ii  libglib2.0-0             2.58.3-2+deb10u3
ii  libldap-2.4-2            2.4.47+dfsg-3+deb10u7
ii  libpam-modules           1.3.1-5
ii  libpam0g                 1.3.1-5
ii  libtalloc2               2.1.14-2
ii  libtdb1                  1.3.16-2+b1
ii  libtracker-sparql-2.0-0  2.1.8-2
ii  libwrap0                 7.6.q-28
ii  lsb-base                 10.2019051400
ii  netbase                  5.6
ii  perl                     5.28.1-6+deb10u1

Versions of packages netatalk recommends:
ii  avahi-daemon  0.7-4+deb10u1
ii  dbus          1.12.20-0+deb10u1
ii  lsof          4.91+dfsg-1
ii  procps        2:3.3.15-2
ii  python3       3.7.3-1
ii  python3-dbus  1.2.8-3
ii  tracker       2.1.8-2

Versions of packages netatalk suggests:
pn  quota  <none>

-- no debconf information
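
The bug class the advisory describes, as a simplified example added here (not code from Netatalk, Samba or the bug report): a lookup that returns whatever value is stored under a key, next to a lookup that takes the expected type and treats a mismatch as a missing key. All type, function and key names are hypothetical, and the two dictionaries are constructed samples.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified model of a decoded key/value dictionary; not Netatalk's structures. */
enum val_type { VAL_STRING, VAL_UINT64 };

struct value {
    enum val_type type;               /* tag the decoder sets from the wire data */
    union { const char *str; uint64_t u64; } u;
};
struct entry { const char *key; struct value val; };

/* Constructed samples: "query" is a hypothetical key that callers expect to be a string. */
static const struct entry good_dict[] = { { "query", { VAL_STRING, { .str = "alpha" } } } };
static const struct entry bad_dict[]  = { { "query", { VAL_UINT64, { .u64 = 12345 } } } };

/* Lookup with no type check: hands back whatever the sender stored under the key. */
static const struct value *lookup_unchecked(const struct entry *d, size_t n, const char *key)
{
    for (size_t i = 0; i < n; i++)
        if (strcmp(d[i].key, key) == 0)
            return &d[i].val;
    return NULL;
}

/* Lookup that takes the expected type; a mismatch is reported like a missing key. */
static const struct value *lookup_typed(const struct entry *d, size_t n,
                                        const char *key, enum val_type want)
{
    const struct value *v = lookup_unchecked(d, n, key);
    return (v != NULL && v->type == want) ? v : NULL;
}

/* Caller that needs a string: returns its length, or -1 if absent or wrong type. */
static long query_length(const struct entry *d, size_t n)
{
    const struct value *v = lookup_typed(d, n, "query", VAL_STRING);
    return v ? (long)strlen(v->u.str) : -1;
}

int main(void)
{
    printf("good: %ld\n", query_length(good_dict, 1));
    printf("bad:  %ld\n", query_length(bad_dict, 1));
    return 0;
}
```

With the unchecked lookup, a caller that assumes a string would read the sender's integer through the pointer member of the union; the typed lookup rejects that entry before any member is touched.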




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Netatalk team <pkg-netatalk-devel@lists.alioth.debian.org>:
Bug#1052087; Package netatalk. (Sun, 17 Sep 2023 13:03:02 GMT)


Acknowledgement sent to Daniel Markstedt <daniel@mindani.net>:
Extra info received and forwarded to list. Copy sent to Debian Netatalk team <pkg-netatalk-devel@lists.alioth.debian.org>. (Sun, 17 Sep 2023 13:03:02 GMT)


Message #10 received at 1052087@bugs.debian.org:

From: Daniel Markstedt <daniel@mindani.net>
To: "1052087@bugs.debian.org" <1052087@bugs.debian.org>
Subject: Versions affected
Date: Sun, 17 Sep 2023 12:58:49 +0000
Please note: The vulnerability also affects 3.1.12~ds-8 in oldstable, and 3.1.15~ds-3 in unstable.

stable isn't distributing a netatalk package.

Set Bug forwarded-to-address to 'https://github.com/Netatalk/netatalk/issues/486'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sun, 17 Sep 2023 13:30:02 GMT)


Added tag(s) upstream. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sun, 17 Sep 2023 13:30:03 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sun Sep 17 17:52:32 2023; Machine Name: bembo
