[Pkg-netatalk-devel] Bug#1036740: Bug#1036740: closed by Markus Koschany <apo at debian.org> (Re: Bug#1036740: Fix for CVE-2022-23123 causes afpd segfault with valid metadata)

Daniel Markstedt markstedt at gmail.com
Mon Jun 5 03:25:35 BST 2023


On Sat, Jun 3, 2023 at 11:07 PM Jonas Smedegaard <jonas at jones.dk> wrote:
>
> Quoting Salvatore Bonaccorso (2023-06-04 07:39:12)
> > Hi Daniel,
> >
> > On Sat, Jun 03, 2023 at 02:56:00PM -0700, Daniel Markstedt wrote:
> > > > ---------- Forwarded message ----------
> > > > From: Markus Koschany <apo at debian.org>
> > > > To: Daniel Markstedt <markstedt at gmail.com>, 1036740-done at bugs.debian.org
> > > > Cc: debian-lts at lists.debian.org
> > > > Bcc:
> > > > Date: Thu, 01 Jun 2023 19:54:55 +0200
> > > > Subject: Re: Bug#1036740: Fix for CVE-2022-23123 causes afpd segfault with valid metadata
> > > > Version:  3.1.12~ds-3+deb10u2
> > > >
> > > > Thanks for your report and the detailed replies. I could reproduce the problem
> > > > and identify a wrongly applied commit in libatalk/adouble/ad_open.c. After
> > > > applying a new patch to fix it, the AppleDouble v2 format seems to work as
> > > > intended again. I'm going to close this bug report now.
> > > >
> > > > Best,
> > > >
> > > > Markus
> > > >
> > >
> > > Thank you Markus for narrowing down the problem and fixing it!
> > > I can confirm that appledouble=v2 works in my environment now too.
> > >
> > > So this covers the outstanding CVEs for oldstable now;
> > > are you already preparing to port the same patchset to stable as well?
> > >
> > > I can file another bug report if it helps.
> >
> > No other reports needed, since all were reported. For the bookworm
> > release they would be fixed, for the current stable (bullseye) we
> > explicitly asked the maintainer through
> > https://bugs.debian.org/1025011#15 . So we are waiting for the
> > netatalk maintainers to propose an update here for bullseye-security.
>
> @Salvatore: In addition to being upstream developer, Daniel has also
> joined the Debian packaging team.
>

Salvatore, I left a comment over at that bug. It should be easy to
accomplish if I can learn how to contribute patches to security
releases.

> @Daniel: Debian issue tracker - debbugs - can be confusing from an
> upstream POV, due to it being distro-centric: Some issues are not about
> upstream code but "meta" about distro organization - e.g. bug#1025011
> which is not about netatalk but about *attention* for netatalk and
> therefore open despite netatalk itself having no bugs. Also, issues tied to
> upstream projects are tracked across multiple Debian releases, so can be
> both fixed and unfixed depending on release scope.
>
> What is doubly confusing here is that no bugreport exists in Debian for
> tracking CVE-2022-23123 - bug#1036740 filed by you is about collateral
> damage in fixing that CVE for oldstable, and bug#1025011 is about
> meta-discussion only indirectly involving that same CVE.
>
> All in all: Yes, please file a bugreport about CVE-2022-23123 - and then
> tag it as closed with package release 3.1.15~ds-1, which makes that
> bugreport "fixed" for the scope of Debian testing and unstable, but
> unfixed for the scope of Debian stable.
>
>
> Hope that helps.
>
>  - Jonas
>

Jonas, definitely a helpful summary, thanks!

However, I assume you mean CVE-2022-45188 for bookworm regarding
filing a bug to resolve an already resolved CVE?
This one was fixed with 3.1.15 but due to a typo in the commit message
was left as unresolved, if I'm not mistaken.

As far as I can tell, CVE-2022-23123 is already properly flagged as
resolved both for bookworm and sid.

Please let me know if there's something I overlooked here!

Best,
Daniel


