| Summary: | netatalk new security issues CVE-2024-38439 and CVE-2024-3844[01] | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | Nicolas Salguero <nicolas.salguero> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | | |
| Priority: | Normal | CC: | andrewsfarm, sysadmin-bugs |
| Version: | 9 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | MGA9-64-OK | | |
| Source RPM: | netatalk-3.1.14-2.3.mga9.src.rpm | CVE: | CVE-2024-38439, CVE-2024-38440, CVE-2024-38441 |
| Status comment: | | | |
Description

Nicolas Salguero
2024-07-09 15:39:32 CEST

Nicolas Salguero
2024-07-09 15:40:35 CEST

Source RPM: (none) => netatalk-3.2.0-1.mga10.src.rpm, netatalk-3.1.14-2.3.mga9.src.rpm

Suggested advisory:
========================

The updated packages fix security vulnerabilities:

Netatalk before 3.2.1 has an off-by-one error and resultant heap-based buffer overflow because of setting ibuf[PASSWDLEN] to '\0' in FPLoginExt in login in etc/uams/uams_pam.c. (CVE-2024-38439)

Netatalk before 3.2.1 has an off-by-one error, and resultant heap-based buffer overflow and segmentation violation, because of incorrectly using FPLoginExt in BN_bin2bn in etc/uams/uams_dhx_pam.c. The original issue 1097 report stated: 'The latest version of Netatalk (v3.2.0) contains a security vulnerability. This vulnerability arises due to a lack of validation for the length field after parsing user-provided data, leading to an out-of-bounds heap write of one byte (\0). Under specific configurations, this can result in reading metadata of the next heap block, potentially causing a Denial of Service (DoS) under certain heap layouts or with ASAN enabled. ... The vulnerability is located in the FPLoginExt operation of Netatalk, in the BN_bin2bn function found in /etc/uams/uams_dhx_pam.c ... if (!(bn = BN_bin2bn((unsigned char *)ibuf, KEYSIZE, NULL))) ... threads ... [#0] Id 1, Name: "afpd", stopped 0x7ffff4304e58 in ?? (), reason: SIGSEGV ... [#0] 0x7ffff4304e58 mov BYTE PTR [r14+0x8], 0x0 ... mov rdx, QWORD PTR [rsp+0x18] ... afp_login_ext(obj=<optimized out>, ibuf=0x62d000010424 "", ibuflen=0xffffffffffff0015, rbuf=<optimized out>, rbuflen=<optimized out>) ... afp_over_dsi(obj=0x5555556154c0 <obj>).'. (CVE-2024-38440)

Netatalk before 3.2.1 has an off-by-one error and resultant heap-based buffer overflow because of setting ibuf[len] to '\0' in FPMapName in afp_mapname in etc/afpd/directory.c. (CVE-2024-38441)

References:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UM3M423DHSUBERDIYCFHYY6XF2CAAMA2/
========================

Updated packages in core/updates_testing:
========================

lib(64)netatalk18-3.1.14-2.4.mga9
lib(64)netatalk-devel-3.1.14-2.4.mga9
netatalk-3.1.14-2.4.mga9

from SRPM:
netatalk-3.1.14-2.4.mga9.src.rpm

Version: Cauldron => 9
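As an added illustration (not netatalk's code) of the off-by-one pattern the three CVEs in the advisory describe, the constructed model below writes a terminating NUL at index len of a fixed-size field: the vulnerable variant's length check still admits len equal to the field size, so the NUL lands on the byte after the buffer, which here stands in for the next heap chunk's metadata; the hardened variant rejects that length before writing anything. FIELD_MAX (playing the role of PASSWDLEN), GUARD and the struct and function names are assumptions of this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model, not netatalk code: a fixed-size field with one extra
 * byte behind it standing in for the next heap chunk's metadata. */
#define FIELD_MAX 8      /* assumed; plays the role of PASSWDLEN */
#define GUARD     0xA5   /* recognisable value so a clobber is visible */

struct field {
    uint8_t buf[FIELD_MAX + 1];  /* buf[0..7] = field, buf[8] = guard byte */
};

static void field_reset(struct field *f)
{
    memset(f->buf, GUARD, sizeof f->buf);
}

/* Returns 1 while the byte behind the field is untouched. */
static int field_guard_intact(const struct field *f)
{
    return f->buf[FIELD_MAX] == GUARD;
}

/* Vulnerable pattern: len == FIELD_MAX passes the check, so the
 * terminator is written one byte past the field (the guard byte). */
static int copy_vulnerable(struct field *f, const uint8_t *in, size_t len)
{
    if (len > FIELD_MAX)
        return -1;
    memcpy(f->buf, in, len);
    f->buf[len] = '\0';          /* off-by-one when len == FIELD_MAX */
    return 0;
}

/* Hardened pattern: the terminator needs a slot inside the field, so
 * any len >= FIELD_MAX is rejected before anything is written. */
static int copy_fixed(struct field *f, const uint8_t *in, size_t len)
{
    if (len >= FIELD_MAX)
        return -1;
    memcpy(f->buf, in, len);
    f->buf[len] = '\0';
    return 0;
}

int main(void)
{
    uint8_t in[FIELD_MAX];       /* constructed input: 8 bytes, no NUL */
    struct field f;
    memset(in, 'A', sizeof in);
    field_reset(&f);
    copy_vulnerable(&f, in, sizeof in);
    printf("vulnerable: guard intact = %d\n", field_guard_intact(&f));
    field_reset(&f);
    printf("fixed: rc = %d, guard intact = %d\n",
           copy_fixed(&f, in, sizeof in), field_guard_intact(&f));
    return 0;
}
```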
katnatek
2024-07-09 23:54:10 CEST

Keywords: (none) => advisory

LC_ALL=C urpmi netatalk
To satisfy dependencies, the following packages are going to be installed:
Package Version Release Arch
(medium "QA Testing (64-bit)")
lib64netatalk18 3.1.14 2.4.mga9 x86_64
netatalk 3.1.14 2.4.mga9 x86_64
1.4MB of additional disk space will be used.
545KB of packages will be retrieved.
Proceed with the installation of the 2 packages? (Y/n) y
installing netatalk-3.1.14-2.4.mga9.x86_64.rpm lib64netatalk18-3.1.14-2.4.mga9.x86_64.rpm from //home/katnatek/qa-testing/x86_64
Preparing... ##################################################################################################
1/2: lib64netatalk18 ##################################################################################################
2/2: netatalk ##################################################################################################
References: Bug#30287 comment#5, bug#31255 comment#7
systemctl start netatalk
systemctl -l status netatalk
● netatalk.service - Netatalk AFP fileserver for Macintosh clients
Loaded: loaded (/usr/lib/systemd/system/netatalk.service; disabled; preset: disabled)
Active: active (running) since Tue 2024-07-09 18:09:12 CST; 26s ago
Docs: man:afp.conf(5)
man:netatalk(8)
man:afpd(8)
man:cnid_metad(8)
man:cnid_dbd(8)
http://netatalk.sourceforge.net/
Process: 354614 ExecStartPre=/usr/bin/systemd-tmpfiles --create /usr/lib/tmpfiles.d/netatalk.conf (code=exited, status=0/SUCCESS)
Process: 354615 ExecStart=/usr/sbin/netatalk (code=exited, status=0/SUCCESS)
Main PID: 354617 (netatalk)
Tasks: 4 (limit: 6904)
Memory: 4.2M
CPU: 305ms
CGroup: /system.slice/netatalk.service
├─354617 /usr/sbin/netatalk
├─354618 /usr/sbin/afpd -d -F /etc/netatalk/afp.conf
└─354619 /usr/sbin/cnid_metad -d -F /etc/netatalk/afp.conf
jul 09 18:09:12 jgrey.phoenix systemd[1]: Starting netatalk.service...
jul 09 18:09:12 jgrey.phoenix systemd[1]: netatalk.service: Can't open PID file /run/lock/netatalk/netatalk (yet?) after start: No s>
jul 09 18:09:12 jgrey.phoenix netatalk[354617]: Netatalk AFP server starting
jul 09 18:09:12 jgrey.phoenix systemd[1]: Started netatalk.service.
jul 09 18:09:12 jgrey.phoenix cnid_metad[354619]: CNID Server listening on localhost:4700
jul 09 18:09:12 jgrey.phoenix netatalk[354617]: Registered with Zeroconf
jul 09 18:09:13 jgrey.phoenix afpd[354618]: Netatalk AFP/TCP listening on 192.168.1.3:548
python3 pea.py -i 192.168.1.3 -lv
[+] Attempting connection to 192.168.1.3:548
[+] Connected!
[+] Sending exploit to overwrite preauth_switch data.
[+] Listing volumes
Traceback (most recent call last):
File "/home/katnatek/qatest/pea.py", line 288, in <module>
list_volumes(sock)
File "/home/katnatek/qatest/pea.py", line 113, in list_volumes
send_request(sock, b"\x00\x01", afp_getsrvrparms, "")
File "/home/katnatek/qatest/pea.py", line 74, in send_request
data += param_string
TypeError: can't concat str to bytes
All looks consistent and also with previous round bug#33249

Whiteboard: (none) => MGA9-64-OK

Validating.

CC: (none) => sysadmin-bugs

An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2024-0259.html

Resolution: (none) => FIXED