[Pkg-netatalk-devel] Bug#1036740: Bug#1036740: Fix for CVE-2022-23123 causes afpd segfault with valid metadata
Markus Koschany
apo at debian.org
Fri May 26 21:11:01 BST 2023
Am Donnerstag, dem 25.05.2023 um 19:22 -0700 schrieb Daniel Markstedt:
> [...]
> Thank you very much for taking swift action on this!
> Please forgive my ignorance here, but are these patches active already
> if I apt install netatalk (3.1.12~ds-3+deb10u1) on Buster?
> Or do they have to be picked up by some build process that hasn't run yet?
Those patches are already applied. You can download the source package of
netatalk with
apt source netatalk
They are located in the debian/patches directory and are listed in the
debian/patches/series file.
>
> I'm asking because I ran a few tests now and while EA metadata works,
> the appledouble v2 metadata functionality is definitely broken, even
> when you create a new shared volume from scratch.
>
> dmark at buster:~$ apt show netatalk
> Package: netatalk
> Version: 3.1.12~ds-3+deb10u1
> ...
> May 25 18:51:08 buster afpd[7415]: ad->ad_ops->ad_header_read(path,
> ad, pst) failed: Input/output error
> May 25 18:51:08 buster afpd[7415]: getfilparams(Screenshot 2023-05-23
> at 10.36.39 AM.png): bad resource fork
> May 25 18:51:08 buster afpd[7415]: parse_entries: bogus eid: 3, off: 182,
> len: 8
> May 25 18:51:08 buster afpd[7415]:
> ad_header_read(/home/dmark/afp-data): malformed AppleDouble
>
> So either more patches have to be cherry-picked or I need to be patient. :)
Could you tell me which exact commands were used, so that I can try to
reproduce the problem?
Regards,
Markus
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 963 bytes
Desc: This is a digitally signed message part
URL: <http://alioth-lists.debian.net/pipermail/pkg-netatalk-devel/attachments/20230526/04dcde2e/attachment.sig>
More information about the pkg-netatalk-devel
mailing list