| Summary: | netatalk new security issue CVE-2022-45188 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | major | ||
| Priority: | Normal | CC: | andrewsfarm, davidwhodgins, geiger.david68210, herman.viaene, marja11, sysadmin-bugs |
| Version: | 8 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA8-64-OK | ||
| Source RPM: | netatalk-3.1.12-9.mga9.src.rpm | CVE: | |
| Status comment: | |||
| Bug Depends on: | |||
| Bug Blocks: | 30288 | ||
|
Description
David Walser
2022-12-09 17:43:38 CET
David Walser
2022-12-09 17:43:59 CET
Blocks:
(none) =>
30288 Assigning to all packagers collectively, since there is no registered maintainer. CC:
(none) =>
marja11 David Geiger has built an update to upstream 3.1.14: netatalk-3.1.14-1.mga8 libnetatalk-devel-3.1.14-1.mga8 libnetatalk18-3.1.14-1.mga8 from netatalk-3.1.14-1.mga8.src.rpm Awaiting confirmation on which CVEs it fixes. CC:
(none) =>
geiger.david68210 CVE-2022-45188 seems not yet fixed upstream. Indeed, but you can add this patch for it: https://build.opensuse.org/package/view_file/SUSE:SLE-12:Update/netatalk/netatalk-CVE-2022-45188.patch?expand=1 patch added on both mga8 and Cauldron! netatalk-3.1.14-1.1.mga8 libnetatalk-devel-3.1.14-1.1.mga8 libnetatalk18-3.1.14-1.1.mga8 from netatalk-3.1.14-1.1.mga8.src.rpm Fixing CVE-2022-45188 and the CVEs listed here: https://bugs.mageia.org/show_bug.cgi?id=30288#c5 Assignee:
pkg-bugs =>
qa-bugs MGA8-64 MATE on Acer Aspire 5253 No installation issues Ref bug 30287 for testing # systemctl start netatalk # systemctl -l status netatalk ● netatalk.service - Netatalk AFP fileserver for Macintosh clients Loaded: loaded (/usr/lib/systemd/system/netatalk.service; disabled; vendor preset: d> Active: active (running) since Mon 2023-02-06 09:46:29 CET; 29s ago Docs: man:afp.conf(5) man:netatalk(8) man:afpd(8) man:cnid_metad(8) man:cnid_dbd(8) http://netatalk.sourceforge.net/ Process: 6180 ExecStartPre=/usr/bin/systemd-tmpfiles --create /usr/lib/tmpfiles.d/net> Process: 6181 ExecStart=/usr/sbin/netatalk (code=exited, status=0/SUCCESS) Main PID: 6183 (netatalk) Tasks: 4 (limit: 4364) Memory: 7.8M CPU: 1.468s CGroup: /system.slice/netatalk.service ├─6183 /usr/sbin/netatalk ├─6184 /usr/sbin/afpd -d -F /etc/netatalk/afp.conf └─6185 /usr/sbin/cnid_metad -d -F /etc/netatalk/afp.conf Feb 06 09:46:28 mach7.hviaene.thuis systemd[1]: Starting Netatalk AFP fileserver for Maci> Feb 06 09:46:28 mach7.hviaene.thuis systemd-tmpfiles[6180]: Failed to open '/usr/lib/tmpf> Feb 06 09:46:29 mach7.hviaene.thuis systemd[1]: netatalk.service: Can't open PID file /va> Feb 06 09:46:29 mach7.hviaene.thuis systemd[1]: Started Netatalk AFP fileserver for Macin> This laptop doesn't have python2 anymore, so went for the version of the testscript papoteur uploaded, so $ python pea3.py -i 192.168.2.7 -lv [+] Attempting connection to 192.168.2.7:548 [+] Connected! [+] Sending exploit to overwrite preauth_switch data. [+] Listing volumes Traceback (most recent call last): File "pea3.py", line 288, in <module> list_volumes(sock) File "pea3.py", line 113, in list_volumes send_request(sock, b"\x00\x01", afp_getsrvrparms, "") File "pea3.py", line 74, in send_request data += param_string TypeError: can't concat str to bytes The ipaddress is the own laptop. So base don a similar result as in bug 30287, having a working setup and connection, giving the OK. Whiteboard:
(none) =>
MGA8-64-OK Validating. CC:
(none) =>
andrewsfarm, sysadmin-bugs
Dave Hodgins
2023-02-06 21:58:26 CET
Keywords:
(none) =>
advisory An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2023-0027.html Resolution:
(none) =>
FIXED This update also fixed CVE-2022-43634: https://lists.suse.com/pipermail/sle-security-updates/2023-February/013706.html |