Package: netatalk
Version: 3.1.12~ds-3
Severity: critical
Tags: security
Justification: root security hole

A 0-day vulnerability patch has been published for the upstream project.
The CVE record has not been made public yet, but this is the body of the
advisory for the record:

A Type Confusion vulnerability was found in the Spotlight RPC functions in
Netatalk's afpd daemon. When parsing Spotlight RPC packets, one encoded data
structure is a key-value style dictionary where the keys are character
strings, and the values can be any of the supported types in the underlying
protocol. Due to a lack of type checking in callers of the
dalloc_value_for_key() function, which returns the object associated with a
key, a malicious actor may be able to fully control the value of the pointer
and theoretically achieve Remote Code Execution on the host.

The underlying code for Spotlight queries in Netatalk shares a common
heritage with Samba, and hence the root cause and fix are logically
identical with those described in CVE-2023-34967.

https://github.com/Netatalk/netatalk/issues/486

-- System Information:
Debian Release: 10.13
  APT prefers oldoldstable
  APT policy: (500, 'oldoldstable')
Architecture: amd64 (x86_64)

Kernel: Linux 6.1.0-12-amd64 (SMP w/4 CPU cores; PREEMPT)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to C.UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to C.UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: unable to detect

Versions of packages netatalk depends on:
ii  libacl1                   2.2.53-4
ii  libattr1                  1:2.4.48-4
ii  libavahi-client3          0.7-4+deb10u1
ii  libavahi-common3          0.7-4+deb10u1
ii  libc6                     2.28-10+deb10u1
ii  libdb5.3                  5.3.28+dfsg1-0.5
ii  libdbus-1-3               1.12.20-0+deb10u1
ii  libdbus-glib-1-2          0.110-4
ii  libgcrypt20               1.8.4-5+deb10u1
ii  libglib2.0-0              2.58.3-2+deb10u3
ii  libldap-2.4-2             2.4.47+dfsg-3+deb10u7
ii  libpam-modules            1.3.1-5
ii  libpam0g                  1.3.1-5
ii  libtalloc2                2.1.14-2
ii  libtdb1                   1.3.16-2+b1
ii  libtracker-sparql-2.0-0   2.1.8-2
ii  libwrap0                  7.6.q-28
ii  lsb-base                  10.2019051400
ii  netbase                   5.6
ii  perl                      5.28.1-6+deb10u1

Versions of packages netatalk recommends:
ii  avahi-daemon  0.7-4+deb10u1
ii  dbus          1.12.20-0+deb10u1
ii  lsof          4.91+dfsg-1
ii  procps        2:3.3.15-2
ii  python3       3.7.3-1
ii  python3-dbus  1.2.8-3
ii  tracker       2.1.8-2

Versions of packages netatalk suggests:
pn  quota  <none>

-- no debconf information
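The root cause the advisory describes (callers of dalloc_value_for_key() casting its return value to the type they expect, while the packet decides what type is actually stored under the key) as an added C model. This is not Netatalk's or Samba's code: the type tags, struct layouts, the key name "query", the function names and the two constructed packets are invented for illustration. The "checked" lookup follows the shape of the CVE-2023-34967 fix as an assumption about it (the caller names the type it expects and a mismatch is refused), not the real API.

```c
/*
 * Added model of the type-confusion pattern from the advisory above.
 * Not Netatalk code: every type, function and key name is invented.
 * Each value object starts with a runtime type tag (standing in for the
 * talloc type name real objects carry); the dictionary maps C-string keys
 * to such objects, and the packet chooses which type sits under which key.
 */
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef enum { T_UINT64 = 1, T_STRING = 2, T_ARRAY = 3 } sl_type_t;

typedef struct { uint64_t type; } sl_hdr_t;                                           /* common header */
typedef struct { uint64_t type; uint64_t value; } sl_uint64_t;                         /* integer value */
typedef struct { uint64_t type; uint64_t count; const char *items[4]; } sl_array_t;   /* array value   */

typedef struct { const char *key; sl_hdr_t *val; } sl_kv_t;
typedef struct { size_t count; sl_kv_t entries[8]; } sl_dict_t;

static void dict_put(sl_dict_t *d, const char *key, void *val)
{
    if (d->count < 8) {
        d->entries[d->count].key = key;
        d->entries[d->count].val = val;
        d->count++;
    }
}

/* Pre-fix shape: returns whatever object is stored under the key and says
 * nothing about its type; every caller must know (or guess) what it got. */
static void *dalloc_value_for_key_unchecked(const sl_dict_t *d, const char *key)
{
    for (size_t i = 0; i < d->count; i++)
        if (strcmp(d->entries[i].key, key) == 0)
            return d->entries[i].val;
    return NULL;
}

/* Post-fix shape (assumed): the caller names the type it expects and gets
 * NULL on a mismatch, so an attacker-chosen type is never used as another. */
static void *dalloc_value_for_key_checked(const sl_dict_t *d, const char *key,
                                          sl_type_t expected)
{
    sl_hdr_t *h = dalloc_value_for_key_unchecked(d, key);
    if (h == NULL || h->type != (uint64_t)expected)
        return NULL;
    return h;
}

/* Vulnerable caller: assumes "query" holds an array and casts blindly. If the
 * packet put an integer there, a->count reads that integer's payload: a
 * type-confused access (undefined behaviour in C), which is the bug. */
static int64_t query_count_unchecked(const sl_dict_t *d)
{
    sl_array_t *a = dalloc_value_for_key_unchecked(d, "query");
    if (a == NULL)
        return -1;
    return (int64_t)a->count;
}

/* Hardened caller: same logic, but the lookup itself enforces the type. */
static int64_t query_count_checked(const sl_dict_t *d)
{
    sl_array_t *a = dalloc_value_for_key_checked(d, "query", T_ARRAY);
    if (a == NULL)
        return -1;              /* missing or wrong type: reject the request */
    return (int64_t)a->count;
}

#define ATTACKER_VALUE 0x4141414141414141ULL

/* Constructed benign packet: "query" -> array of two strings. */
static const sl_dict_t *benign_packet(void)
{
    static sl_array_t arr;
    static sl_dict_t d;
    arr.type = T_ARRAY;
    arr.count = 2;
    arr.items[0] = "kMDItemFSName";
    arr.items[1] = "*";
    d.count = 0;
    dict_put(&d, "query", &arr);
    return &d;
}

/* Constructed malicious packet: same key, but the value is an integer whose
 * bits the attacker chooses. */
static const sl_dict_t *malicious_packet(void)
{
    static sl_uint64_t num;
    static sl_dict_t d;
    num.type = T_UINT64;
    num.value = ATTACKER_VALUE;
    d.count = 0;
    dict_put(&d, "query", &num);
    return &d;
}

int main(void)
{
    printf("benign    unchecked=%" PRId64 " checked=%" PRId64 "\n",
           query_count_unchecked(benign_packet()), query_count_checked(benign_packet()));
    printf("malicious unchecked=0x%" PRIx64 " checked=%" PRId64 "\n",
           (uint64_t)query_count_unchecked(malicious_packet()),
           query_count_checked(malicious_packet()));
    return 0;
}
```

On the benign packet both callers agree on a count of 2. On the malicious packet the unchecked caller hands back 0x4141414141414141 as an "array length", i.e. attacker-chosen bits flowing into a field the code then trusts (in the real daemon, a pointer or a length used for further parsing); the checked caller rejects the request because the stored type is not the one it asked for.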