Bug#1036740: [Pkg-netatalk-devel] Bug#1036740: closed by Markus Koschany (Re: Bug#1036740: Fix for CVE-2022-23123 causes afpd segfault with valid metadata)

2023-06-04 Thread Daniel Markstedt
On Sat, Jun 3, 2023 at 11:07 PM Jonas Smedegaard wrote:
>
> Quoting Salvatore Bonaccorso (2023-06-04 07:39:12)
> > Hi Daniel,
> >
> > On Sat, Jun 03, 2023 at 02:56:00PM -0700, Daniel Markstedt wrote:
> > > > -- Forwarded message --
> > > > From: Markus Koschany 
> > > > To: Daniel Markstedt , 1036740-d...@bugs.debian.org
> > > > Cc: debian-...@lists.debian.org
> > > > Bcc:
> > > > Date: Thu, 01 Jun 2023 19:54:55 +0200
> > > > Subject: Re: Bug#1036740: Fix for CVE-2022-23123 causes afpd segfault 
> > > > with valid metadata
> > > > Version:  3.1.12~ds-3+deb10u2
> > > >
> > > > Thanks for your report and the detailed replies. I could reproduce the 
> > > > problem
> > > > and identify a wrongly applied commit in libatalk/adouble/ad_open.c. 
> > > > After
> > > > applying a new patch to fix it, the AppleDouble v2 format seems to work 
> > > > as
> > > > intended again. I'm going to close this bug report now.
> > > >
> > > > Best,
> > > >
> > > > Markus
> > > >
> > >
> > > Thank you Markus for narrowing down the problem and fixing it!
> > > I can confirm that appledouble=v2 works in my environment now too.
> > >
> > > So this covers the outstanding CVEs for oldstable now;
> > > are you already preparing to port the same patchset to stable as well?
> > >
> > > I can file another bug report if it helps.
> >
> > No other reports needed, since all were reported. For the bookworm
> > release they would be fixed, for the current stable (bullseye) we
> > explicitly asked the maintainer through
> > https://bugs.debian.org/1025011#15 . So we are waiting for the
> > netatalk maintainers to propose an update here for bullseye-security.
>
> @Salvatore: In addition to being an upstream developer, Daniel has also
> joined the Debian packaging team.
>

Salvatore, I left a comment over at that bug. It should be easy to
accomplish if I can learn how to contribute patches to security
releases.

> @Daniel: The Debian issue tracker - debbugs - can be confusing from an
> upstream POV, due to it being distro-centric: Some issues are not about
> upstream code but "meta" about distro organization - e.g. bug#1025011
> which is not about netatalk but about *attention* for netatalk and
> therefore open despite netatalk itself having no bugs. Also, issues tied to
> upstream projects are tracked across multiple Debian releases, so can be
> both fixed and unfixed depending on release scope.
>
> What is doubly confusing here is that no bug report exists in Debian for
> tracking CVE-2022-23123 - bug#1036740 filed by you is about collateral
> damage in fixing that CVE for oldstable, and bug#1025011 is about
> meta-discussion only indirectly involving that same CVE.
>
> All in all: Yes, please file a bug report about CVE-2022-23123 - and then
> tag it as closed with package release 3.1.15~ds-1, which makes that
> bug report "fixed" for the scope of Debian testing and unstable, but
> unfixed for the scope of Debian stable.
>
>
> Hope that helps.
>
>  - Jonas
>

Jonas, definitely a helpful summary, thanks!

However, I assume you mean CVE-2022-45188 for bookworm regarding
filing a bug to resolve an already resolved CVE?
This one was fixed with 3.1.15 but due to a typo in the commit message
was left as unresolved, if I'm not mistaken.

As far as I can tell, CVE-2022-23123 is already properly flagged as
resolved both for bookworm and sid.

Please let me know if there's something I overlooked here!

Best,
Daniel



Bug#1036740: [Pkg-netatalk-devel] Bug#1036740: closed by Markus Koschany (Re: Bug#1036740: Fix for CVE-2022-23123 causes afpd segfault with valid metadata)

2023-06-04 Thread Jonas Smedegaard
Quoting Salvatore Bonaccorso (2023-06-04 07:39:12)
> Hi Daniel,
> 
> On Sat, Jun 03, 2023 at 02:56:00PM -0700, Daniel Markstedt wrote:
> > > -- Forwarded message --
> > > From: Markus Koschany 
> > > To: Daniel Markstedt , 1036740-d...@bugs.debian.org
> > > Cc: debian-...@lists.debian.org
> > > Bcc:
> > > Date: Thu, 01 Jun 2023 19:54:55 +0200
> > > Subject: Re: Bug#1036740: Fix for CVE-2022-23123 causes afpd segfault 
> > > with valid metadata
> > > Version:  3.1.12~ds-3+deb10u2
> > >
> > > Thanks for your report and the detailed replies. I could reproduce the 
> > > problem
> > > and identify a wrongly applied commit in libatalk/adouble/ad_open.c. After
> > > applying a new patch to fix it, the AppleDouble v2 format seems to work as
> > > intended again. I'm going to close this bug report now.
> > >
> > > Best,
> > >
> > > Markus
> > >
> > 
> > Thank you Markus for narrowing down the problem and fixing it!
> > I can confirm that appledouble=v2 works in my environment now too.
> > 
> > So this covers the outstanding CVEs for oldstable now;
> > are you already preparing to port the same patchset to stable as well?
> > 
> > I can file another bug report if it helps.
> 
> No other reports needed, since all were reported. For the bookworm
> release they would be fixed, for the current stable (bullseye) we
> explicitly asked the maintainer through
> https://bugs.debian.org/1025011#15 . So we are waiting for the
> netatalk maintainers to propose an update here for bullseye-security.

@Salvatore: In addition to being an upstream developer, Daniel has also
joined the Debian packaging team.

@Daniel: The Debian issue tracker - debbugs - can be confusing from an
upstream POV, due to it being distro-centric: Some issues are not about
upstream code but "meta" about distro organization - e.g. bug#1025011
which is not about netatalk but about *attention* for netatalk and
therefore open despite netatalk itself having no bugs. Also, issues tied to
upstream projects are tracked across multiple Debian releases, so can be
both fixed and unfixed depending on release scope.

What is doubly confusing here is that no bug report exists in Debian for
tracking CVE-2022-23123 - bug#1036740 filed by you is about collateral
damage in fixing that CVE for oldstable, and bug#1025011 is about
meta-discussion only indirectly involving that same CVE.

All in all: Yes, please file a bug report about CVE-2022-23123 - and then
tag it as closed with package release 3.1.15~ds-1, which makes that
bug report "fixed" for the scope of Debian testing and unstable, but
unfixed for the scope of Debian stable.


Hope that helps.

 - Jonas

-- 
 * Jonas Smedegaard - idealist & Internet-arkitekt
 * Tlf.: +45 40843136  Website: http://dr.jones.dk/
 * Sponsorship: https://ko-fi.com/drjones

 [x] quote me freely  [ ] ask before reusing  [ ] keep private



Bug#1036740: closed by Markus Koschany (Re: Bug#1036740: Fix for CVE-2022-23123 causes afpd segfault with valid metadata)

2023-06-03 Thread Salvatore Bonaccorso
Hi Daniel,

On Sat, Jun 03, 2023 at 02:56:00PM -0700, Daniel Markstedt wrote:
> > -- Forwarded message --
> > From: Markus Koschany 
> > To: Daniel Markstedt , 1036740-d...@bugs.debian.org
> > Cc: debian-...@lists.debian.org
> > Bcc:
> > Date: Thu, 01 Jun 2023 19:54:55 +0200
> > Subject: Re: Bug#1036740: Fix for CVE-2022-23123 causes afpd segfault with 
> > valid metadata
> > Version:  3.1.12~ds-3+deb10u2
> >
> > Thanks for your report and the detailed replies. I could reproduce the 
> > problem
> > and identify a wrongly applied commit in libatalk/adouble/ad_open.c. After
> > applying a new patch to fix it, the AppleDouble v2 format seems to work as
> > intended again. I'm going to close this bug report now.
> >
> > Best,
> >
> > Markus
> >
> 
> Thank you Markus for narrowing down the problem and fixing it!
> I can confirm that appledouble=v2 works in my environment now too.
> 
> So this covers the outstanding CVEs for oldstable now;
> are you already preparing to port the same patchset to stable as well?
> 
> I can file another bug report if it helps.

No other reports needed, since all were reported. For the bookworm
release they would be fixed, for the current stable (bullseye) we
explicitly asked the maintainer through
https://bugs.debian.org/1025011#15 . So we are waiting for the
netatalk maintainers to propose an update here for bullseye-security.

Regards,
Salvatore



Bug#1036740: closed by Markus Koschany (Re: Bug#1036740: Fix for CVE-2022-23123 causes afpd segfault with valid metadata)

2023-06-03 Thread Daniel Markstedt
> -- Forwarded message --
> From: Markus Koschany 
> To: Daniel Markstedt , 1036740-d...@bugs.debian.org
> Cc: debian-...@lists.debian.org
> Bcc:
> Date: Thu, 01 Jun 2023 19:54:55 +0200
> Subject: Re: Bug#1036740: Fix for CVE-2022-23123 causes afpd segfault with 
> valid metadata
> Version:  3.1.12~ds-3+deb10u2
>
> Thanks for your report and the detailed replies. I could reproduce the problem
> and identify a wrongly applied commit in libatalk/adouble/ad_open.c. After
> applying a new patch to fix it, the AppleDouble v2 format seems to work as
> intended again. I'm going to close this bug report now.
>
> Best,
>
> Markus
>

Thank you Markus for narrowing down the problem and fixing it!
I can confirm that appledouble=v2 works in my environment now too.

So this covers the outstanding CVEs for oldstable now;
are you already preparing to port the same patchset to stable as well?

I can file another bug report if it helps.

Best,
Daniel



Bug#1036740: [Pkg-netatalk-devel] Bug#1036740: Bug#1036740: Fix for CVE-2022-23123 causes afpd segfault with valid metadata

2023-05-26 Thread Daniel Markstedt
On Fri, May 26, 2023 at 1:15 PM Markus Koschany wrote:
>
> Could you tell me which exact commands were used, so that I can try to
> reproduce the problem?
>

Do you by any chance have access to a Mac of any vintage?
It could be a brand new machine running the latest macOS or a classic
Mac from the 90s running at least System Software 7.1.

The problem occurs when the AFP client attempts to create the Mac file
system metadata (aka resource forks on Classic Mac OS, or extended
attributes on OSX.)

Netatalk should be configured something like this:

dmark@buster:~$ cat /etc/netatalk/afp.conf
[Global]
zeroconf name = Buster
uam list = uams_clrtxt.so uams_dhx2.so

[Homes]
basedir regex = /home
appledouble = v2

After authenticating with the netatalk server on the Mac, attempt to
copy any file to the shared volume.
You should get an instant error -50 in Mac OS, and see the
aforementioned errors in the logs.



Bug#1036740: [Pkg-netatalk-devel] Bug#1036740: Fix for CVE-2022-23123 causes afpd segfault with valid metadata

2023-05-26 Thread Markus Koschany
On Thursday, 25.05.2023 at 19:22 -0700, Daniel Markstedt wrote:
> [...]
> Thank you very much for taking swift action on this!
> Please forgive my ignorance here, but are these patches active already
> if I apt install netatalk (3.1.12~ds-3+deb10u1) on Buster?
> Or do they have to be picked up by some build process that hasn't run yet?

Those patches are already applied. You can download the source package of
netatalk with 

apt source netatalk

They are located in the debian/patches directory and are listed in the
debian/patches/series file.

> 
> I'm asking because I ran a few tests now and while EA metadata works,
> the appledouble v2 metadata functionality is definitely broken, even
> when you create a new shared volume from scratch.
> 
> dmark@buster:~$ apt show netatalk
> Package: netatalk
> Version: 3.1.12~ds-3+deb10u1
> ...
> May 25 18:51:08 buster afpd[7415]: ad->ad_ops->ad_header_read(path, ad, pst) failed: Input/output error
> May 25 18:51:08 buster afpd[7415]: getfilparams(Screenshot 2023-05-23 at 10.36.39 AM.png): bad resource fork
> May 25 18:51:08 buster afpd[7415]: parse_entries: bogus eid: 3, off: 182, len: 8
> May 25 18:51:08 buster afpd[7415]: ad_header_read(/home/dmark/afp-data): malformed AppleDouble
> 
> So either more patches have to be cherry-picked or I need to be patient. :)

Could you tell me which exact commands were used, so that I can try to
reproduce the problem? 

Regards,

Markus





Bug#1036740: [Pkg-netatalk-devel] Bug#1036740: Fix for CVE-2022-23123 causes afpd segfault with valid metadata

2023-05-25 Thread Daniel Markstedt
On Thu, May 25, 2023 at 3:39 AM Markus Koschany wrote:
>
> Hello Daniel,
>
> On Thursday, 25.05.2023 at 08:02 +0200, Salvatore Bonaccorso wrote:
> > >
> > > These two commits in upstream addressed this:
> > > https://github.com/Netatalk/netatalk/commit/9d0c21298363e8174cdfca657e66c4d10819507b
> > > https://github.com/Netatalk/netatalk/commit/4140e5495bac42ecb9b11975229c81e84762cc98
>
> Both patches have been backported to Buster. You can find them as
> CVE-2022-23123_part3.patch and CVE-2022-23123_part4.patch.
>
> Did we miss something else?
>
> Regards,
>
> Markus

Salvatore, Markus,

Thank you very much for taking swift action on this!
Please forgive my ignorance here, but are these patches active already
if I apt install netatalk (3.1.12~ds-3+deb10u1) on Buster?
Or do they have to be picked up by some build process that hasn't run yet?

I'm asking because I ran a few tests now and while EA metadata works,
the appledouble v2 metadata functionality is definitely broken, even
when you create a new shared volume from scratch.

dmark@buster:~$ apt show netatalk
Package: netatalk
Version: 3.1.12~ds-3+deb10u1
...
May 25 18:51:08 buster afpd[7415]: ad->ad_ops->ad_header_read(path, ad, pst) failed: Input/output error
May 25 18:51:08 buster afpd[7415]: getfilparams(Screenshot 2023-05-23 at 10.36.39 AM.png): bad resource fork
May 25 18:51:08 buster afpd[7415]: parse_entries: bogus eid: 3, off: 182, len: 8
May 25 18:51:08 buster afpd[7415]: ad_header_read(/home/dmark/afp-data): malformed AppleDouble

So either more patches have to be cherry-picked or I need to be patient. :)



Bug#1036740: Fix for CVE-2022-23123 causes afpd segfault with valid metadata

2023-05-25 Thread Markus Koschany
Hello Daniel,

On Thursday, 25.05.2023 at 08:02 +0200, Salvatore Bonaccorso wrote:
> > 
> > These two commits in upstream addressed this:
> > https://github.com/Netatalk/netatalk/commit/9d0c21298363e8174cdfca657e66c4d10819507b
> > https://github.com/Netatalk/netatalk/commit/4140e5495bac42ecb9b11975229c81e84762cc98

Both patches have been backported to Buster. You can find them as
CVE-2022-23123_part3.patch and CVE-2022-23123_part4.patch.

Did we miss something else?

Regards,

Markus




Bug#1036740: Fix for CVE-2022-23123 causes afpd segfault with valid metadata

2023-05-25 Thread Salvatore Bonaccorso
Control: forwarded -1 https://github.com/Netatalk/netatalk/pull/174

Hi Daniel,

On Wed, May 24, 2023 at 10:50:41PM -0700, Daniel Markstedt wrote:
> Package: netatalk
> Version: 3.1.12~ds-3+deb10u1
> X-Debbugs-Cc: t...@security.debian.org
> 
> The code that addressed CVE-2022-23123 introduced appledouble metadata
> validity assertions that were too strict and caused instant segfaults
> with valid metadata for a large number of users.
> 
> These two commits in upstream addressed this:
> https://github.com/Netatalk/netatalk/commit/9d0c21298363e8174cdfca657e66c4d10819507b
> https://github.com/Netatalk/netatalk/commit/4140e5495bac42ecb9b11975229c81e84762cc98
> 
> For the full discussion see this PR:
> https://github.com/Netatalk/netatalk/pull/174
> 
> I would recommend accepting these patches into oldstable, as well as
> stable once the CVE patches get ported there too.

Thanks for the report. Forwarding it as well to the debian-lts list
(FTR if you use reportbug, it chooses the right X-Debbugs-CC as well
for such regression reports, if they match some criteria).

Regards,
Salvatore



Bug#1036740: Fix for CVE-2022-23123 causes afpd segfault with valid metadata

2023-05-24 Thread Daniel Markstedt
Package: netatalk
Version: 3.1.12~ds-3+deb10u1
X-Debbugs-Cc: t...@security.debian.org

The code that addressed CVE-2022-23123 introduced appledouble metadata
validity assertions that were too strict and caused instant segfaults
with valid metadata for a large number of users.

These two commits in upstream addressed this:
https://github.com/Netatalk/netatalk/commit/9d0c21298363e8174cdfca657e66c4d10819507b
https://github.com/Netatalk/netatalk/commit/4140e5495bac42ecb9b11975229c81e84762cc98

For the full discussion see this PR:
https://github.com/Netatalk/netatalk/pull/174

I would recommend accepting these patches into oldstable, as well as
stable once the CVE patches get ported there too.
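The report above turns on metadata validity checks that were stricter than the AppleDouble format requires. As an added example (not netatalk's code and not the Debian patch), this Python parser reads an AppleDouble v2 header using the layout from RFC 1740 and applies the one bounds check valid metadata must pass, that each entry's offset and length lie inside the file, while tolerating entry ids it does not recognise. The sample file is constructed inside the block, and `is_malformed` and `build_appledouble` are helpers of this example only.

```python
"""Bounds-checked parser for the AppleDouble v2 header (layout per RFC 1740)."""
import struct

AD_MAGIC, AD_VERSION2 = 0x00051607, 0x00020000
HEADER = struct.Struct(">II16sH")  # magic, version, 16-byte filler, entry count
ENTRY = struct.Struct(">III")      # entry id, offset, length (all big-endian)

class MalformedAppleDouble(ValueError):
    """Raised only when the header or an entry cannot lie inside the buffer."""

def parse_appledouble(buf):
    """Return {eid: payload}. Unknown entry ids are kept, not rejected: the one
    check valid metadata must pass is that each entry lies inside the buffer."""
    if len(buf) < HEADER.size:
        raise MalformedAppleDouble("header truncated")
    magic, version, _filler, count = HEADER.unpack_from(buf, 0)
    if magic != AD_MAGIC or version != AD_VERSION2:
        raise MalformedAppleDouble("not an AppleDouble v2 header")
    if HEADER.size + count * ENTRY.size > len(buf):
        raise MalformedAppleDouble("entry table truncated")
    entries = {}
    for i in range(count):
        eid, off, length = ENTRY.unpack_from(buf, HEADER.size + i * ENTRY.size)
        # Two comparisons rather than 'off + length > len(buf)': in the 32-bit
        # C arithmetic of a real parser that sum can wrap around.
        if off > len(buf) or length > len(buf) - off:
            raise MalformedAppleDouble(f"bogus eid: {eid}, off: {off}, len: {length}")
        entries[eid] = buf[off:off + length]
    return entries

def is_malformed(buf):
    try:
        parse_appledouble(buf)
    except MalformedAppleDouble:
        return True
    return False

def build_appledouble(parts):
    """Serialise [(eid, payload), ...] as a v2 file; used to construct samples."""
    off = HEADER.size + len(parts) * ENTRY.size
    table, body = b"", b""
    for eid, payload in parts:
        table += ENTRY.pack(eid, off, len(payload))
        body += payload
        off += len(payload)
    return HEADER.pack(AD_MAGIC, AD_VERSION2, b"\0" * 16, len(parts)) + table + body

# Constructed sample: real name (eid 3), Finder info (eid 9), resource fork (eid 2).
SAMPLE = build_appledouble([(3, b"test.txt"), (9, b"\0" * 32), (2, b"RSRC" * 4)])
```

Truncating the sample by a single byte is enough to make the last entry overrun the file and be rejected, while a file carrying an entry id the parser does not know is still accepted.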