[Pkg-netatalk-devel] Bug#1036740: Bug#1036740: closed by Markus Koschany <apo at debian.org> (Re: Bug#1036740: Fix for CVE-2022-23123 causes afpd segfault with valid metadata)

Sun Jun 4 07:07:17 BST 2023

Quoting Salvatore Bonaccorso (2023-06-04 07:39:12)
> Hi Daniel,
> 
> On Sat, Jun 03, 2023 at 02:56:00PM -0700, Daniel Markstedt wrote:
> > > ---------- Forwarded message ----------
> > > From: Markus Koschany <apo at debian.org>
> > > To: Daniel Markstedt <markstedt at gmail.com>, 1036740-done at bugs.debian.org
> > > Cc: debian-lts at lists.debian.org
> > > Bcc:
> > > Date: Thu, 01 Jun 2023 19:54:55 +0200
> > > Subject: Re: Bug#1036740: Fix for CVE-2022-23123 causes afpd segfault with valid metadata
> > > Version:  3.1.12~ds-3+deb10u2
> > >
> > > Thanks for your report and the detailed replies. I could reproduce the problem
> > > and identify a wrongly applied commit in libatalk/adouble/ad_open.c. After
> > > applying a new patch to fix it, the AppleDouble v2 format seems to work as
> > > intended again. I'm going to close this bug report now.
> > >
> > > Best,
> > >
> > > Markus
> > >
> > 
> > Thank you Markus for narrowing down the problem and fixing it!
> > I can confirm that appledouble=v2 works in my environment now too.
> > 
> > So this covers the outstanding CVEs for oldstable now;
> > are you already preparing to port the same patchset to stable as well?
> > 
> > I can file another bug report if it helps.
> 
> No other reports needed, since all were reported. For the bookworm
> release they would be fixed, for the current stable (bullseye) we
> explicitly asked the maintainer trough
> https://bugs.debian.org/1025011#15 . So we are waiting for the
> netatalk maintainers to propose an update here for bullseye-security.

@Salvatore: In addition to being upstream developer, Daniel has also
joined the Debian packaging team.

@Daniel: Debian issue tracker - debbugs - can be confusing from an
upstream POV, due to it being distro-centric: Some issues are not about
upstream code but "meta" about distro organization - e.g. bug#1025011
which is not about netatalk but about *attention* for netatalk and
therefore open despite netatalk itself has no bugs. Also, issues tied to
upstream projects is tracked across multiple Debian releases, so can be
both fixed and unfixed depending on release scope.

What is double confusing here is that no bugreport exists in Debian for
tracking CVE-2022-23123 - bug#1036740 filed by you is about collateral
damage in fixing that CVE for oldstable, and bug#1025011 is about
meta-discussion only indirectly involving that same CVE.

All in all: Yes, please file a bugreport about CVE-2022-23123 - and then
tag it as closed with package release 3.1.15~ds-1, which makes that
bugreport "fixed" for the scope of Debian testing and unstable, but
unfixed for the scope of Debian stabel.

Hope that helps.

 - Jonas

-- 
 * Jonas Smedegaard - idealist & Internet-arkitekt
 * Tlf.: +45 40843136  Website: http://dr.jones.dk/
 * Sponsorship: https://ko-fi.com/drjones

 [x] quote me freely  [ ] ask before reusing  [ ] keep private
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: signature
URL: <http://alioth-lists.debian.net/pipermail/pkg-netatalk-devel/attachments/20230604/9720b877/attachment.sig>