SUSE has issued an advisory today (April 13): https://lists.suse.com/pipermail/sle-security-updates/2022-April/010700.html The issues are fixed upstream in 3.1.13. 3.1.13 also has fixes for CVE-2022-0194 and CVE-2022-2312[2-4], but the patch that fixed those issues caused a regression, so SUSE reverted it for their update. Mageia 8 is also affected.
Status comment: (none) => Fixed upstream in 3.1.13
Whiteboard: (none) => MGA8TOO
Blocks: (none) => 30288
This package has no formal maintainer, but am assigning this (& its companion 30288) to DavidG who committed version: 3.1.12 - over 3y ago!
Assignee: bugsquad => geiger.david68210
Suggested advisory:
========================

The updated packages fix security vulnerabilities:

Remote arbitrary code execution related to dsi_stream_receive(). (CVE-2021-31439)

Remote arbitrary code execution related to parse_entries(). (CVE-2022-23121)

Remote arbitrary code execution related to copyapplfile(). (CVE-2022-23125)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31439
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23121
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23125
https://lists.suse.com/pipermail/sle-security-updates/2022-April/010700.html
========================

Updated packages in core/updates_testing:
========================
lib(64)netatalk18-3.1.12-7.1.mga8
lib(64)netatalk-devel-3.1.12-7.1.mga8
netatalk-3.1.12-7.1.mga8

from SRPM:
netatalk-3.1.12-7.1.mga8.src.rpm
CVE: (none) => CVE-2021-31439, CVE-2022-23121, CVE-2022-23125
Status comment: Fixed upstream in 3.1.13 => (none)
Whiteboard: MGA8TOO => (none)
CC: (none) => nicolas.salguero
Source RPM: netatalk-3.1.12-9.mga9.src.rpm => netatalk-3.1.12-7.mga8.src.rpm
Version: Cauldron => 8
Status: NEW => ASSIGNED
Assignee: geiger.david68210 => qa-bugs
MGA8-64 Plasma on Lenovo B50 in Dutch
No installation issues.
Ref bug 26347 Comment 3 for testing.

# systemctl start netatalk
# systemctl -l status netatalk
● netatalk.service - Netatalk AFP fileserver for Macintosh clients
     Loaded: loaded (/usr/lib/systemd/system/netatalk.service; disabled; vendor preset: disabled)
     Active: active (running) since Sat 2022-04-16 10:48:33 CEST; 19s ago
       Docs: man:afp.conf(5)
             man:netatalk(8)
             man:afpd(8)
             man:cnid_metad(8)
             man:cnid_dbd(8)
             http://netatalk.sourceforge.net/
    Process: 7250 ExecStart=/usr/sbin/netatalk (code=exited, status=0/SUCCESS)
   Main PID: 7252 (netatalk)
      Tasks: 4 (limit: 9402)
     Memory: 3.3M
        CPU: 325ms
     CGroup: /system.slice/netatalk.service
             ├─7252 /usr/sbin/netatalk
             ├─7253 /usr/sbin/afpd -d -F /etc/netatalk/afp.conf
             └─7254 /usr/sbin/cnid_metad -d -F /etc/netatalk/afp.conf

apr 16 10:48:33 mach5.hviaene.thuis systemd[1]: Starting Netatalk AFP fileserver for Macintosh clients...
apr 16 10:48:33 mach5.hviaene.thuis systemd[1]: netatalk.service: Can't open PID file /var/lock/netatalk (yet?) after start: Operation not permitted
apr 16 10:48:33 mach5.hviaene.thuis netatalk[7252]: Netatalk AFP server starting
apr 16 10:48:33 mach5.hviaene.thuis cnid_metad[7254]: CNID Server listening on localhost:4700
apr 16 10:48:33 mach5.hviaene.thuis systemd[1]: Started Netatalk AFP fileserver for Macintosh clients.
apr 16 10:48:33 mach5.hviaene.thuis netatalk[7252]: Registered with Zeroconf
apr 16 10:48:33 mach5.hviaene.thuis afpd[7253]: Netatalk AFP/TCP listening on 100.116.48.30:548

Then downloaded the pea.py file from bug 26347, but ran into error:

    print "[+] Sending exploit to overwrite preauth_switch data."
    ^
SyntaxError: Missing parentheses in call to 'print'. Did you mean print("[+] Sending exploit to overwrite preauth_switch data.")?
I went thru the file and changed all print statements inserting the missing brackets - I will upload the changed file.

Then running again:

$ python pea.py -i 100.116.48.30 -lv
[+] Attempting connection to 100.116.48.30:548
[+] Connected!
[+] Sending exploit to overwrite preauth_switch data.
Traceback (most recent call last):
  File "pea.py", line 286, in <module>
    do_exploit(sock)
  File "pea.py", line 46, in do_exploit
    sock.sendall(data)
TypeError: a bytes-like object is required, not 'str'

And here I must give up for lack of knowledge how to repair this error, but apparently the connection was made.
So I leave it to others to either mend the pea.py file or to decide this test is good enough.
CC: (none) => herman.viaene
Created attachment 13219
test connection
Created attachment 13224
pea.py to python3

Hi Herman, the source was in Python 2 and you are now trying to use it in Python 3. Either launch it with the python2 command, or try the quick port to Python 3 I have made, without being able to test it. What I have done is to declare sequences of code to send as bytes, with the b prefix. If I missed some of them, you know what to do.
CC: (none) => yves.brungard_mageia
Tried again with python2 and original pea.py

$ python2 pea.py -i 192.168.2.5 -lv
[+] Attempting connection to 192.168.2.5:548
[+] Connected!
[+] Sending exploit to overwrite preauth_switch data.
[+] Listing volumes
Traceback (most recent call last):
  File "pea.py", line 288, in <module>
    list_volumes(sock)
  File "pea.py", line 116, in list_volumes
    afp_data = parse_dsi(resp, 1)
  File "pea.py", line 87, in parse_dsi
    (flags, command, req_id, error_code, length, reserved) = struct.unpack_from('>BBHIII', payload)
struct.error: unpack_from requires a buffer of at least 16 bytes

The IP address is the own laptop with firewall open.
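Added example, not part of the bug thread and not code from pea.py: the struct.error in the comment above means the reply buffer held fewer than the 16 bytes that the '>BBHIII' DSI header layout needs. This Python 3 reader works on bytes throughout, as the port described earlier requires, and reports a short or empty reply explicitly instead of crashing; ShortReply, MAX_PAYLOAD, describe() and the sample bytes are assumptions made for illustration.

```python
import io
import struct

# Same 16-byte layout the traceback shows pea.py unpacking in parse_dsi().
DSI_HEADER = struct.Struct(">BBHIII")
MAX_PAYLOAD = 1 << 20  # assumed sanity cap for a test harness, not a protocol limit


class ShortReply(Exception):
    """The peer closed or stalled before a full DSI header or payload arrived."""


def recv_exact(read, n):
    """Call read(k) until n bytes are collected; stop early on b'' (peer closed)."""
    buf = bytearray()
    while len(buf) < n:
        chunk = read(n - len(buf))
        if not chunk:
            break
        buf += chunk
    return bytes(buf)


def read_dsi_reply(read):
    """Return (fields, payload); raise ShortReply instead of struct.error."""
    raw = recv_exact(read, DSI_HEADER.size)
    if len(raw) < DSI_HEADER.size:
        raise ShortReply(f"got {len(raw)} of {DSI_HEADER.size} header bytes")
    names = ("flags", "command", "req_id", "error_code", "length", "reserved")
    fields = dict(zip(names, DSI_HEADER.unpack(raw)))
    if fields["length"] > MAX_PAYLOAD:
        raise ValueError(f"declared length {fields['length']} exceeds cap")
    payload = recv_exact(read, fields["length"])
    if len(payload) < fields["length"]:
        raise ShortReply(f"got {len(payload)} of {fields['length']} payload bytes")
    return fields, payload


def describe(stream_bytes):
    """Classify a captured byte stream; with a live socket, pass sock.recv as `read`."""
    try:
        fields, payload = read_dsi_reply(io.BytesIO(stream_bytes).read)
    except ShortReply as exc:
        return f"short reply: {exc}"
    return f"reply command={fields['command']} req_id={fields['req_id']} len={len(payload)}"


# Constructed sample: struct.pack yields bytes, which Python 3 sockets require.
SAMPLE = DSI_HEADER.pack(1, 2, 7, 0, 4, 0) + b"test"
```

An empty stream, which is what a closed connection looks like to recv(), yields "short reply: got 0 of 16 header bytes", the same condition that surfaced as struct.error in the traceback.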
I'm going to OK this based on the clean install and the successful connection. If the error expressed in the last two lines of Comment 6 is reason enough to remove that OK, please do so. For all I know, that error may mean that it is working properly. I don't own anything Apple, so can't investigate it myself. Validating. Advisory in Comment 2.
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update
Whiteboard: (none) => MGA8-64-OK
CC: (none) => davidwhodgins
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2022-0196.html
Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED