Bug#1060773: Filed an upload request to release team

2024-01-14 Thread Daniel Markstedt
I prepared a deb patch and filed this upload request with the release team:

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1060774

Bug#1053545: CVE-2022-22995: netatalk afpd vulnerable to symlink spoofing

2023-10-05 Thread Daniel Markstedt
Package: netatalk
Version: 3.1.12~ds-3
Severity: critical
Tags: security
Justification: root security hole
X-Debbugs-Cc: pkg-netatalk-de...@alioth-lists.debian.net, Debian Security Team 


Under very specific circumstances, netatalk can be tricked into copying a 
symlink or other malicious file from the shared volume into a restricted place 
in the file system, potentially achieving remote code execution. All versions 
of netatalk from 3.1.0 to 3.1.17 are vulnerable.

The CVE-2022-22995 advisory was published over a year ago, but the details of 
the exploit weren't disclosed at the time:

https://nvd.nist.gov/vuln/detail/cve-2022-22995

It was only recently that we in the upstream team were able to get in touch 
with the original security researchers to gain enough insight to formulate a patch 
and publish our own security advisory:

https://netatalk.sourceforge.io/CVE-2022-22995.php
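The advisory above describes afpd being tricked into copying a symlink from a shared volume into a restricted place in the file system. The following C program is an added illustration and is neither netatalk's code nor the upstream fix: it shows the defensive copy pattern that closes that class of bug, namely opening the source relative to the share's directory descriptor with O_NOFOLLOW, confirming with fstat on the opened descriptor (not a stat on the path) that it is a regular file, and creating the destination with O_EXCL|O_NOFOLLOW so an existing entry or planted link is never overwritten or followed. The function names (open_regular_nofollow, copy_regular, demo) and the temporary directories the self-test builds under /tmp are hypothetical.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open `name` relative to directory fd `dirfd`. O_NOFOLLOW makes the open
 * fail (ELOOP) when the final component is a symlink; fstat on the resulting
 * descriptor confirms that what was actually opened is a regular file.
 * Returns an fd, or -1 with errno set. */
static int open_regular_nofollow(int dirfd, const char *name)
{
    int fd = openat(dirfd, name, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0)
        return -1;
    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode)) {
        close(fd);
        errno = EINVAL;
        return -1;
    }
    return fd;
}

/* Copy a regular file from a shared directory into a restricted one.
 * The source is refused if it is a symlink or any non-regular file; the
 * destination is created with O_EXCL|O_NOFOLLOW so an existing entry is
 * never overwritten or followed. Returns 0 on success, -1 on failure. */
static int copy_regular(int src_dir, const char *src_name,
                        int dst_dir, const char *dst_name)
{
    int in = open_regular_nofollow(src_dir, src_name);
    if (in < 0)
        return -1;
    int out = openat(dst_dir, dst_name,
                     O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW | O_CLOEXEC, 0600);
    if (out < 0) {
        close(in);
        return -1;
    }
    char buf[4096];
    ssize_t n;
    while ((n = read(in, buf, sizeof buf)) > 0) {
        ssize_t off = 0;
        while (off < n) {
            ssize_t w = write(out, buf + off, (size_t)(n - off));
            if (w < 0) {
                close(in);
                close(out);
                return -1;
            }
            off += w;
        }
    }
    close(in);
    close(out);
    return n < 0 ? -1 : 0;
}

/* Constructed fixture (hypothetical paths): a temporary "share" with one
 * regular file and one symlink, plus a temporary "restricted" directory.
 * Returns 1 when the copy accepts the regular file, refuses the symlink,
 * and refuses a second copy onto a name that already exists. */
static int demo(void)
{
    char share[] = "/tmp/share.XXXXXX";
    char restricted[] = "/tmp/restricted.XXXXXX";
    if (!mkdtemp(share) || !mkdtemp(restricted))
        return 0;
    int sd = open(share, O_RDONLY | O_DIRECTORY);
    int rd = open(restricted, O_RDONLY | O_DIRECTORY);
    if (sd < 0 || rd < 0)
        return 0;
    int fd = openat(sd, "notes.txt", O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0 || write(fd, "hello\n", 6) != 6)
        return 0;
    close(fd);
    /* The link points at a harmless file in the same share; it must still be
     * refused, because a link is not a regular file. */
    if (symlinkat("notes.txt", sd, "link.txt") != 0)
        return 0;

    int ok = copy_regular(sd, "notes.txt", rd, "notes.txt") == 0
          && copy_regular(sd, "link.txt", rd, "link.txt") != 0
          && copy_regular(sd, "notes.txt", rd, "notes.txt") != 0;

    unlinkat(rd, "notes.txt", 0);
    unlinkat(sd, "link.txt", 0);
    unlinkat(sd, "notes.txt", 0);
    close(sd);
    close(rd);
    rmdir(share);
    rmdir(restricted);
    return ok;
}

int main(void)
{
    int ok = demo();
    printf("copy checks %s\n", ok ? "passed" : "FAILED");
    return ok ? 0 : 1;
}
```

The point of checking the opened descriptor rather than the path is that a path-based check followed by an open is a time-of-check/time-of-use window on a volume the client can write to; the descriptor is what will actually be read.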



Bug#1052087: Versions affected

2023-09-17 Thread Daniel Markstedt
Please note: The vulnerability also affects 3.1.12~ds-8 in oldstable, and 
3.1.15~ds-3 in unstable.

stable isn't distributing a netatalk package.

Bug#1052087: CVE-2023-42464: 0-day vulnerability in afpd Spotlight RPC

2023-09-17 Thread Daniel Markstedt
Package: netatalk
Version: 3.1.12~ds-3
Severity: critical
Tags: security
Justification: root security hole

A 0-day vulnerability patch has been published for the upstream project.

The CVE record has not been made public yet, but this is the body of the
advisory for the record:

A Type Confusion vulnerability was found in the Spotlight RPC functions
in Netatalk's afpd daemon. When parsing Spotlight RPC packets, one
encoded data structure is a key-value style dictionary where the keys
are character strings, and the values can be any of the supported types
in the underlying protocol. Due to a lack of type checking in callers of
the dalloc_value_for_key() function, which returns the object associated
with a key, a malicious actor may be able to fully control the value of
the pointer and theoretically achieve Remote Code Execution on the host.

The underlying code for Spotlight queries in Netatalk shares a common
heritage with Samba, and hence the root cause and fix are logically
identical with those described in CVE-2023-34967.

https://github.com/Netatalk/netatalk/issues/486

-- System Information:
Debian Release: 10.13
  APT prefers oldoldstable
  APT policy: (500, 'oldoldstable')
Architecture: amd64 (x86_64)

Kernel: Linux 6.1.0-12-amd64 (SMP w/4 CPU cores; PREEMPT)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL 
set to C.UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to 
C.UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: unable to detect

Versions of packages netatalk depends on:
ii  libacl1  2.2.53-4
ii  libattr1 1:2.4.48-4
ii  libavahi-client3 0.7-4+deb10u1
ii  libavahi-common3 0.7-4+deb10u1
ii  libc6    2.28-10+deb10u1
ii  libdb5.3 5.3.28+dfsg1-0.5
ii  libdbus-1-3  1.12.20-0+deb10u1
ii  libdbus-glib-1-2 0.110-4
ii  libgcrypt20  1.8.4-5+deb10u1
ii  libglib2.0-0 2.58.3-2+deb10u3
ii  libldap-2.4-2    2.4.47+dfsg-3+deb10u7
ii  libpam-modules   1.3.1-5
ii  libpam0g 1.3.1-5
ii  libtalloc2   2.1.14-2
ii  libtdb1  1.3.16-2+b1
ii  libtracker-sparql-2.0-0  2.1.8-2
ii  libwrap0 7.6.q-28
ii  lsb-base 10.2019051400
ii  netbase  5.6
ii  perl 5.28.1-6+deb10u1

Versions of packages netatalk recommends:
ii  avahi-daemon  0.7-4+deb10u1
ii  dbus  1.12.20-0+deb10u1
ii  lsof  4.91+dfsg-1
ii  procps    2:3.3.15-2
ii  python3   3.7.3-1
ii  python3-dbus  1.2.8-3
ii  tracker   2.1.8-2

Versions of packages netatalk suggests:
pn  quota  

-- no debconf information
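The advisory body above attributes the flaw to callers of dalloc_value_for_key() that trust a looked-up object to have the type they expect. The C program below is an added example, not netatalk's or Samba's code: a minimal tagged-union dictionary with an untyped lookup (value_for_key), a caller that assumes the value under "query" is a string (query_unchecked), and the fix pattern, a typed lookup (value_for_key_typed) that returns the object only when its tag matches what the caller asked for. All identifiers and the sample dictionary contents are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Type tags for a tagged-union value, standing in for a key-value container
 * whose values may be any of the supported wire types. */
typedef enum { T_INT64 = 1, T_STRING = 2, T_DICT = 3 } val_type;

struct dict;

typedef struct val {
    val_type type;
    union {
        int64_t i;
        const char *s;
        struct dict *d;
    } u;
} val;

typedef struct dict {
    size_t n;
    struct { const char *key; val v; } kv[8];
} dict;

static int dict_put(dict *d, const char *key, val v)
{
    if (d->n >= sizeof d->kv / sizeof d->kv[0])
        return -1;
    d->kv[d->n].key = key;
    d->kv[d->n].v = v;
    d->n++;
    return 0;
}

static val mk_int64(int64_t i) { val v = { T_INT64, { .i = i } }; return v; }
static val mk_string(const char *s) { val v = { T_STRING, { .s = s } }; return v; }

/* Untyped lookup: returns the value object for a key (or NULL) and says
 * nothing about which union member is valid. Every caller must check. */
static val *value_for_key(dict *d, const char *key)
{
    for (size_t i = 0; i < d->n; i++)
        if (strcmp(d->kv[i].key, key) == 0)
            return &d->kv[i].v;
    return NULL;
}

/* Vulnerable pattern: the caller assumes "query" was encoded as a string.
 * If the peer encoded an int64 instead, reading u.s reinterprets those
 * integer bits as a pointer, so the peer decides where the next string
 * operation would read. Nothing is dereferenced here; the confusion is
 * only made visible. */
static const char *query_unchecked(dict *d)
{
    val *v = value_for_key(d, "query");
    return v ? v->u.s : NULL;
}

/* Fixed pattern: a typed lookup that hands back the object only when its
 * tag matches the caller's expectation; a mismatch is treated as absent. */
static val *value_for_key_typed(dict *d, const char *key, val_type expected)
{
    val *v = value_for_key(d, key);
    return (v && v->type == expected) ? v : NULL;
}

static const char *query_checked(dict *d)
{
    val *v = value_for_key_typed(d, "query", T_STRING);
    return v ? v->u.s : NULL;
}

int main(void)
{
    /* Constructed inputs: one well-formed dictionary, one with the wrong type. */
    dict good = { 0 }, bad = { 0 };
    dict_put(&good, "query", mk_string("name == \"*.txt\""));
    dict_put(&bad, "query", mk_int64(0x4141414141414141LL));

    printf("checked, string : %s\n", query_checked(&good));
    printf("checked, int64  : %s\n", query_checked(&bad) ? "value" : "rejected");
    printf("unchecked, int64: pointer bits %p\n", (const void *)query_unchecked(&bad));
    return 0;
}
```

Auditing for this class of bug means finding every caller of the untyped accessor and confirming that each one checks the tag before touching a union member; moving the check into a typed accessor, as above, makes the omission impossible rather than merely unlikely.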



Bug#1051066: [Pkg-netatalk-devel] Bug#1051066: netatalk: 9 outstanding CVEs in Bullseye with available patches

2023-09-03 Thread Daniel Markstedt
--- Original Message ---
On Saturday, September 2nd, 2023 at 1:33 AM, Jonas Smedegaard  
wrote:

> 
> This is one bugreport about multiple issues. That easily gets confusing
> to track, e.g. if some of the issues are solved and some are not, for a
> certain release of the package (and consequently a Debian release where
> that package release is included).
> 
> It is generally easier to track when instead filing one bugreport per
> issue.
> 

I can see how this is the preferred approach for a clean tracking of each 
security issue. In this case it gets a bit hairy since we have cases where one 
patch fixed multiple CVEs, and elsewhere multiple patches were required to fix 
regressions introduced by a CVE fix. It was a journey of >1 year to get to the 
present state.

> I tried looking up one of the above CVEs in the Debian security tracker:
> https://security-tracker.debian.org/tracker/CVE-2022-43634
> 
> It references an already filed bugreport about that issue, bug#1034170,
> which is tagged as found only as early as 3.1.14~ds-1. If earlier
> Debian package releases are also affected by that particular issue, then
> please update that bugreport to reflect that fact.
> 
> This bugreport is flagged as "archived" (which is done automatically
> after being done for a while, to reduce spam). Before doing other
> changes you therefore need to first unarchive it.
> 
> E.g. something like this:
> 
> bts unarchive 1034170 . found 1034170 3.1.13~ds-1
> 

Will do, thanks for the command.

> The other CVEs seemingly have no related bugreport (from a quick look at
> the security tracker - but I suspect that database does not list
> bugreports not involving the security team at first, and only later
> mentioning a CVE if at all). If you don't happen to be aware of
> bugreports existing for those other issues, then I suggest to file new
> individual bugreports for each issue (also because it is easy to merge
> issues later as needed).
> 

That's a fairly big undertaking, especially if clean and atomic patches are 
required for each...

I was really hoping the batch approach would be accepted.

That said, I can definitely create the individual bug tickets for starters and 
we can take it from there. Let me set aside some time next week for this.

> 
> Kind regards, and thanks a lot for looking into this,
> 
> - Jonas
> 

You're welcome! 

Daniel



Bug#1051066: netatalk: 9 outstanding CVEs in Bullseye with available patches

2023-09-01 Thread Daniel Markstedt
To add the justification for the critical severity of this ticket:
At least 6 of the 9 vulnerabilities grant theoretical root access to a Debian 
system running unpatched netatalk.

CVE-2022-43634, CVE-2022-23124, CVE-2022-23123, CVE-2022-23122, CVE-2022-23121, 
CVE-2022-0194

Bug#1051066: netatalk: 9 outstanding CVEs in Bullseye with available patches

2023-09-01 Thread Daniel Markstedt
Package: netatalk
Version: 3.1.12~ds-8
Severity: critical
Tags: patch security
Justification: root security hole
X-Debbugs-Cc: pkg-netatalk-de...@alioth-lists.debian.net, Debian Security Team 


Nine CVE security advisories were addressed in netatalk upstream
releases between 3.1.13 and 3.1.15. The full list is below:

CVE-2022-45188
CVE-2022-43634
CVE-2022-23125
CVE-2022-23124
CVE-2022-23123
CVE-2022-23122
CVE-2022-23121
CVE-2022-0194
CVE-2021-31439

Current status of patching these vulnerabilities:
- netatalk oldoldstable has already been patched by the Security Team.
- netatalk unstable has already been patched by the maintainer team.
- The netatalk package was excluded from stable, no action required.
- What remains is to patch oldstable, hence this ticket.

A debpatch has been attached to the related Release bug ticket,
where approval to proceed with an oldstable release has been requested.
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1049325

-- System Information:
Debian Release: 11.7
  APT prefers oldstable
  APT policy: (500, 'oldstable')
Architecture: amd64 (x86_64)

Kernel: Linux 6.1.0-11-amd64 (SMP w/4 CPU threads; PREEMPT)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL 
set to C.UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /bin/dash
Init: unable to detect

Versions of packages netatalk depends on:
ii  init-system-helpers  1.60
ii  libacl1  2.2.53-10
ii  libavahi-client3 0.8-5+deb11u2
ii  libavahi-common3 0.8-5+deb11u2
ii  libc6    2.31-13+deb11u6
ii  libcrack2    2.9.6-3.4
ii  libcrypt1    1:4.4.18-4
ii  libdb5.3 5.3.28+dfsg1-0.8
ii  libdbus-glib-1-2 0.110-6
ii  libevent-2.1-7   2.1.12-stable-1
ii  libgcrypt20  1.8.7-6
ii  libglib2.0-0 2.66.8-1
ii  libgssapi-krb5-2 1.18.3-6+deb11u3
ii  libkrb5-3    1.18.3-6+deb11u3
ii  libldap-2.4-2    2.4.57+dfsg-3+deb11u1
ii  libmariadb3  1:10.5.19-0+deb11u2
ii  libpam-modules   1.4.0-9+deb11u1
ii  libpam0g 1.4.0-9+deb11u1
ii  libssl1.1    1.1.1n-0+deb11u4
ii  libtalloc2   2.3.1-2+b1
ii  libtdb1  1.4.3-1+b1
ii  libtracker-sparql-2.0-0  2.3.6-2
ii  libwrap0 7.6.q-31
ii  lsb-base 11.1.0
ii  netbase  6.3
ii  perl 5.32.1-4+deb11u2

Versions of packages netatalk recommends:
ii  avahi-daemon  0.8-5+deb11u2
ii  cracklib-runtime  2.9.6-3.4
ii  dbus  1.12.24-0+deb11u1
ii  lsof  4.93.2+dfsg-1.1
ii  procps    2:3.3.17-5
ii  python3   3.9.2-3
ii  python3-dbus  1.2.16-5
ii  tracker   2.3.6-2

Versions of packages netatalk suggests:
pn  quota  

-- no debconf information



Bug#1025011: Release request filed

2023-08-13 Thread Daniel Markstedt
For the record, I have filed a request with the Release Team now to
get the green light to upload Bullseye packages. See:

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1049325



Bug#1025011: [Pkg-netatalk-devel] Bug#1025011: fixed in netatalk 3.1.15~ds-1

2023-06-04 Thread Daniel Markstedt
On Wed, May 24, 2023 at 7:18 AM Moritz Mühlenhoff  wrote:
> [...]
> It's nice that there's renewed interest, but this involves also taking
> care of netatalk in stable, there's a range of issues (full list at
> https://security-tracker.debian.org/tracker/source-package/netatalk)
> which need to be backported to bullseye-security.
>
> I'm reopening the bug, it can be closed with the respective upload
> to bullseye-security.
>
> Cheers,
> Moritz
>

Since both buster and bullseye use the same base version of netatalk
(3.1.12), the work required here should be straightforward: simply
bring over the CVE patchset that was applied to buster-security.

A snippet from `apt source netatalk` on buster:
[...]
dpkg-source: info: applying CVE-2022-45188.patch
dpkg-source: info: applying CVE-2022-43634.patch
dpkg-source: info: applying CVE-2022-23125.patch
dpkg-source: info: applying CVE-2022-23121.patch
dpkg-source: info: applying CVE-2021-31439.patch
dpkg-source: info: applying CVE-2022-23123_part1.patch
dpkg-source: info: applying CVE-2022-23123_part2.patch
dpkg-source: info: applying CVE-2022-23123_part3.patch
dpkg-source: info: applying CVE-2022-23123_part4.patch
dpkg-source: info: applying CVE-2022-23123_part5.patch
dpkg-source: info: applying CVE-2022-23121_regression.patch

The only real difference between buster and bullseye netatalk 3.1.12
is that the latter has a few extra backported crash fixes etc. I had a
quick look and concluded that they shouldn't interfere with the CVE
patches.

I'd be happy to try to achieve the "upload to bullseye-security" if
you all can give me some pointers. This is all new to me.

Best regards,
Daniel