Debian has issued an advisory on December 20: https://www.debian.org/security/2018/dsa-4356 The issue is fixed upstream in 3.1.12: http://netatalk.sourceforge.net/3.1/ReleaseNotes3.1.12.html Mageia 6 is also affected.
Whiteboard: (none) => MGA6TOO
Assigning to all packagers collectively, since there is no registered maintainer for this package. Also CC'ing some committers.
CC: (none) => cjw, geiger.david68210, guillomovitch, mageia, marja11, shlomifAssignee: bugsquad => pkg-bugs
Fixed both Cauldron and mga6!
Advisory: ======================== Updated netatalk packages fix security vulnerability: Jacob Baines discovered a flaw in the handling of the DSI Opensession command in Netatalk, allowing an unauthenticated user to execute arbitrary code with root privileges (CVE-2018-1160). References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1160 http://netatalk.sourceforge.net/3.1/ReleaseNotes3.1.12.html https://www.debian.org/security/2018/dsa-4356 ======================== Updated packages in core/updates_testing: ======================== netatalk-3.1.12-1.mga6 libnetatalk18-3.1.12-1.mga6 libnetatalk-devel-3.1.12-1.mga6 from netatalk-3.1.12-1.mga6.src.rpm
Version: Cauldron => 6Whiteboard: MGA6TOO => (none)Assignee: pkg-bugs => qa-bugs
Another heavy update. "Netatalk is a freely-available Open Source AFP file server. It also provides a kernel level implementation of the AppleTalk Protocol Suite. A *NIX/*BSD system running Netatalk is capable of serving many Macintosh clients simultaneously as an AppleShare file server (AFP), AppleTalk router, *NIX/*BSD print server, and for accessing AppleTalk printers via Printer Access Protocol (PAP). Included are a number of minor printing and debugging utilities." The 1st CVE ref: https://www.exploit-db.com/exploits/46034 lists a lengthy (but very nicely written) C program to drive the software & test the exploit. Not for us, I think. The 2nd CVE reference: https://www.exploit-db.com/exploits/46048 has something much more compact, but enigmatic. Another CVE ref: https://github.com/tenable/poc/tree/master/netatalk/cve_2018_1160/ looks more promising - if you have the server set up. It references a script: https://github.com/tenable/poc/blob/master/netatalk/cve_2018_1160/pea.py with a "Usage example" of same; and on the same local network, so it might work for same machine. Perhaps to try.
CC: (none) => lewyssmith
Forgot to check this out, but in fact we have not had an update to test on this before.
MGA6-32 MATE on IBM Thinkpad R50e No installation issues Did a little reading on http://netatalk.sourceforge.net/3.1/htmldocs/configuration.html Changed /etc/netatalk/afp.conf to contain basedir regex = /home in an attempt to make sure there is at least one sensible thing in it, then at CLI: # systemctl -l status netatalk ● netatalk.service - Netatalk AFP fileserver for Macintosh clients Loaded: loaded (/usr/lib/systemd/system/netatalk.service; enabled; vendor preset: enabled) Active: inactive (dead) Docs: man:afp.conf(5) man:netatalk(8) man:afpd(8) man:cnid_metad(8) man:cnid_dbd(8) http://netatalk.sourceforge.net/ [root@mach6 ~]# systemctl start netatalk [root@mach6 ~]# systemctl -l status netatalk ● netatalk.service - Netatalk AFP fileserver for Macintosh clients Loaded: loaded (/usr/lib/systemd/system/netatalk.service; enabled; vendor preset: enabled) Active: active (running) since do 2019-01-10 14:54:18 CET; 4s ago Docs: man:afp.conf(5) man:netatalk(8) man:afpd(8) man:cnid_metad(8) man:cnid_dbd(8) http://netatalk.sourceforge.net/ Process: 5224 ExecStart=/usr/sbin/netatalk (code=exited, status=0/SUCCESS) Main PID: 5226 (netatalk) CGroup: /system.slice/netatalk.service ├─5226 /usr/sbin/netatalk ├─5228 /usr/sbin/afpd -d -F /etc/netatalk//afp.conf └─5229 /usr/sbin/cnid_metad -d -F /etc/netatalk//afp.conf jan 10 14:54:18 mach6.hviaene.thuis systemd[1]: netatalk.service: PID file /var/lock/netatalk not r jan 10 14:54:18 mach6.hviaene.thuis systemd[1]: Started Netatalk AFP fileserver for Macintosh clien jan 10 14:54:18 mach6.hviaene.thuis netatalk[5226]: Netatalk AFP server starting jan 10 14:54:18 mach6.hviaene.thuis netatalk[5226]: Registered with Zeroconf jan 10 14:54:18 mach6.hviaene.thuis cnid_metad[5229]: CNID Server listening on localhost:4700 jan 10 14:54:18 mach6.hviaene.thuis afpd[5228]: uam_load(uams_dhx.so): failed to load: /usr/lib/ata jan 10 14:54:18 mach6.hviaene.thuis afpd[5228]: uam: uams_dhx.so load failure jan 10 14:54:18 mach6.hviaene.thuis afpd[5228]: uam_load(uams_dhx2.so): failed to load: /usr/lib/at jan 10 14:54:18 mach6.hviaene.thuis afpd[5228]: uam: uams_dhx2.so load failure jan 10 14:54:18 mach6.hviaene.thuis afpd[5228]: Netatalk AFP/TCP listening on 192.168.2.6:548 So it runs, but to make something really usefull of it, I would need to 1. delve into Apple config parameters 2. have an Apple system to test against. I dnon't have pt2 and I really see myself going into pt1. Leaving OK'ing to the higher powers, but I will not object.
CC: (none) => herman.viaene
I will look at this tomorrow (Mon), surely in a minimalist manner like Herman did. I have studied the pea.py script (c4 last URL), and fell at the 'Known addresses' bunch, which I do not understand at all: "The addresses below will need to be changed for a different target". It is beautifully done, though.
Testing M6/64 @Herman: Thanks for the config page URL. Not so simple... BEFORE the update: * lib[64]netatalk18 does not exist, installed just 'netatalk-2.2.3-11.mga6' * The files in /etc/netatalk/ do not correspond to afp.conf: # ls /etc/netatalk/ afpd.conf AppleVolumes.default atalkd.conf papd.conf afp_ldap.conf AppleVolumes.system netatalk.conf and neither afpd.conf nor netatalk.conf have anything resembling 'basedir', which does not even exist in the entire directory. # systemctl start netatalk # systemctl status netatalk ● netatalk.service - File and Printer sharing for Macintosh clients Loaded: loaded (/usr/lib/systemd/system/netatalk.service; enabled; vendor pre Active: active (exited) since Llu 2019-01-14 12:35:42 CET; 10s ago Process: 4277 ExecStart=/bin/sh -c exec /usr/libexec/netatalk/netatalk.sh (cod Main PID: 4277 (code=exited, status=0/SUCCESS) CGroup: /system.slice/netatalk.service ├─4283 /usr/sbin/cnid_metad -l log_note └─4286 /usr/sbin/afpd -U uams_dhx.so,uams_dhx2.so -g nobody -c 20 -n Ion 14 12:35:42 localhost.localdomain systemd[1]: Starting File and Printer shar Ion 14 12:35:42 localhost.localdomain systemd[1]: Started File and Printer shari Ion 14 12:35:42 localhost.localdomain afpd[4286]: AFP/TCP started, advertising 1 # systemctl stop netatalk --------------------------------------------------------- The UPDATE: This is a major jump, from 2.2.3 to 3.1.12 Selecting just 'netatalk' to update also pulled in (good): - lib64netatalk18-3.1.12-1.mga6.x86_64 - perl-IO-Socket-INET6-2.720.0-6.mga6.noarch along with - netatalk-3.1.12-1.mga6.x86_64 *Problem*: Failed to do transaction 1 A problem arose while installing package: file /usr/share/doc/netatalk/config.example from install of netatalk-4:3.1.12-1.mga6.x86_64 conflicts with file from package netatalk-4:2.2.3-11.mga6.x86_64 I had not looked here beforehand. In fact 'file' = *directory*, at this point: $ ls -l /usr/share/doc/netatalk/config.example/ -rw-r--r-- 1 root root 20106 Chw 12 2016 afpd.conf -rw-r--r-- 1 root root 9615 Chw 12 2016 AppleVolumes.default -rw-r--r-- 1 root root 25682 Ebr 26 2012 AppleVolumes.system -rw-r--r-- 1 root root 1059 Ebr 4 2012 atalkd.conf -rw-r--r-- 1 root root 2016 Ebr 26 2012 netatalk.conf -rw-r--r-- 1 root root 334 Rha 5 2011 netatalk.pam-system-auth -rw-r--r-- 1 root root 1479 Ebr 4 2012 papd.conf which all look pre-update # CONFIGURATION FOR AFPD (Netatalk 2.x in afpd.conf The update did not happen. Asking for 'feedback'.
Keywords: (none) => feedback
The package will need a %pretrans that deletes /usr/share/doc/netatalk/config.example
Actually the issue came from the SPEC copying SOURCE2 (netatalk.pam-system-auth) to config.example, which it assumed was a directory (which it used to be), and because the cp command didn't have a / at the end, which would have caught this issue, it copied netatalk.pam-system-auth to a *file* called config.example, which replaced the directory. The correct fix was to just retain the file's original name and install it as such. Fixed in netatalk-3.1.12-1.1.mga6.
Keywords: feedback => (none)
(In reply to David Walser from comment #10) > Fixed in netatalk-3.1.12-1.1.mga6. Thank you David. M6/64: Repeating the update from comment 8: - lib64netatalk18-3.1.12-1.1.mga6.x86_64 - netatalk-3.1.12-1.1.mga6.x86_64 - perl-IO-Socket-INET6-2.720.0-6.mga6.noarch worked fine. Following Herman c6: Changed /etc/netatalk/afp.conf to contain basedir regex = /home [and for good measure] path = /home/lewis # systemctl stop netatalk # systemctl start netatalk # systemctl status netatalk ● netatalk.service - Netatalk AFP fileserver for Macintosh clients Loaded: loaded (/usr/lib/systemd/system/netatalk.service; enabled; vendor pre Active: active (running) since Sad 2019-02-02 11:36:17 CET; 7s ago Docs: man:afp.conf(5) man:netatalk(8) man:afpd(8) man:cnid_metad(8) man:cnid_dbd(8) http://netatalk.sourceforge.net/ Process: 23138 ExecStart=/usr/sbin/netatalk (code=exited, status=0/SUCCESS) Main PID: 23140 (netatalk) CGroup: /system.slice/netatalk.service ├─23140 /usr/sbin/netatalk ├─23141 /usr/sbin/afpd -d -F /etc/netatalk//afp.conf └─23143 /usr/sbin/cnid_metad -d -F /etc/netatalk//afp.conf Chw 02 11:36:17 localhost.localdomain systemd[1]: netatalk.service: PID file /va Chw 02 11:36:17 localhost.localdomain netatalk[23140]: Netatalk AFP server start Chw 02 11:36:17 localhost.localdomain netatalk[23140]: Registered with Zeroconf Chw 02 11:36:17 localhost.localdomain systemd[1]: Started Netatalk AFP fileserve Chw 02 11:36:17 localhost.localdomain afpd[23141]: uam_load(uams_dhx.so): failed Chw 02 11:36:17 localhost.localdomain afpd[23141]: uam: uams_dhx.so load failure Chw 02 11:36:17 localhost.localdomain afpd[23141]: uam_load(uams_dhx2.so): faile Chw 02 11:36:17 localhost.localdomain afpd[23141]: uam: uams_dhx2.so load failur Chw 02 11:36:17 localhost.localdomain cnid_metad[23143]: CNID Server listening o Chw 02 11:36:17 localhost.localdomain afpd[23141]: Netatalk AFP/TCP listening on [the 4 'uam' fail lines in red] which is very different from before, but the same as Herman got comment 6 from the package installation.. # ps -ax | grep afpd 23141 ? S 0:00 /usr/sbin/afpd -d -F /etc/netatalk//afp.conf I am unsure about the failures re 'uams_dhx.so' & 'uams_dhx2.so'. Do these matter? Mentioned in: http://netatalk.sourceforge.net/2.0/htmldocs/afpd.conf.5.html Authentication Methods -uamlist [uams list] [but there is no /etc/netatalk/afpd.conf ; should there be?]. I might try later the pea.py test, the last mentioned in comment 4; not with any hope, though. What do you others think to the 'clean update' we now have? Anyone doing this would need to re-configure the software anyway, I think.
> I might try later the pea.py test, the last mentioned in c4; I had already looked at it: comment 7 ... So I think this has to be OK'd as-is; advisory done from comments 3 + 10.
Keywords: (none) => advisory, validated_updateWhiteboard: (none) => MGA6-64-OKCC: (none) => sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2019-0061.html
Status: NEW => RESOLVEDResolution: (none) => FIXED