Your message dated Mon, 01 Jul 2024 09:35:17 +0000
with message-id <e1sodrn-003ubk...@fasolo.debian.org>
and subject line Bug#1074473: fixed in netatalk 3.1.18~ds-2
has caused the Debian Bug report #1074473,
regarding CVE-2024-38439: Heap out-of-bounds write in uams_pam.c
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1074473: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1074473
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: netatalk
Version: 3.1.18~ds-1+b2
Severity: critical
Tags: security upstream patch
Justification: root security hole
X-Debbugs-Cc: Debian Security Team <t...@security.debian.org>

This vulnerability in Netatalk arises due to a lack of validation for the 
length field after parsing user-provided data, leading to an out-of-bounds heap 
write of one byte (\0). Under specific configurations, this can result in an 
out-of-bounds write to the metadata of the next heap block, potentially 
allowing an attacker to execute code in the root context.

The upstream project has issued a patch and a fixed version, 3.2.1:

https://netatalk.io/security/CVE-2024-38439
https://github.com/Netatalk/netatalk/commit/77b5d99007cfef4d73d76fd6f0c26584891608e5.diff
https://github.com/Netatalk/netatalk/releases/tag/netatalk-3-2-1

--- End Message ---
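The report above describes the bug class in general terms: an attacker-controlled length byte drives a copy into a fixed-size heap buffer, and the '\0' terminator written at index `len` lands one byte past the buffer, on whatever the allocator placed next (the report's "metadata of the next heap block"). The following C program is an added illustration and is not code from the bug report or from the netatalk project (netatalk's own fix is the commit linked above; this does not reproduce it). It shows a generic vulnerable length-prefixed string parser beside a hardened one. All function names, buffer sizes and sample inputs are hypothetical, and the "heap" is simulated by a single local array so the stray NUL stays observable and the program itself has no undefined behaviour.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/*
 * Constructed illustration of a Pascal-style (length-prefixed) string
 * parser that copies `len` bytes and then writes a '\0' terminator at
 * dst[len] without checking `len` against the destination's capacity.
 * NOT netatalk's uams_pam.c code; names and sizes are hypothetical.
 */

#define NAME_CAP 8          /* capacity of the simulated user-name buffer */
#define ARENA_SZ 32         /* name buffer followed by "neighbour chunk" bytes */
#define NEIGHBOUR_FILL 0xAA /* marker for the bytes after the buffer */

typedef int (*pstring_parser)(const unsigned char *in, size_t inlen,
                              char *dst, size_t cap);

/* Vulnerable form: only the input length is checked, never `cap`.
 * With len == cap the memcpy exactly fills the buffer and dst[len] = '\0'
 * lands one byte past it. Returns bytes consumed, or -1 on short input. */
static int parse_pstring_vuln(const unsigned char *in, size_t inlen,
                              char *dst, size_t cap)
{
    (void)cap;                          /* the missing check */
    if (inlen < 1) return -1;
    size_t len = in[0];                 /* attacker-controlled length byte */
    if (inlen < 1 + len) return -1;     /* guards the read, not the write */
    memcpy(dst, in + 1, len);
    dst[len] = '\0';                    /* out of bounds whenever len >= cap */
    return (int)(1 + len);
}

/* Hardened form: reject any length that leaves no room for the terminator. */
static int parse_pstring_safe(const unsigned char *in, size_t inlen,
                              char *dst, size_t cap)
{
    if (inlen < 1) return -1;
    size_t len = in[0];
    if (len >= cap) return -1;          /* dst[len] must lie inside dst[0..cap-1] */
    if (inlen < 1 + len) return -1;
    memcpy(dst, in + 1, len);
    dst[len] = '\0';
    return (int)(1 + len);
}

/* Run a parser over the simulated heap. Returns the parser's result and
 * stores in *neighbour the byte sitting right after the name buffer
 * (NEIGHBOUR_FILL if untouched, 0x00 if the stray terminator hit it).
 * Length bytes that would reach past the arena are refused (-2) so the
 * simulation itself never writes out of bounds. */
static int run_on_arena(pstring_parser parser, const unsigned char *in,
                        size_t inlen, unsigned char *neighbour)
{
    char arena[ARENA_SZ];
    memset(arena, NEIGHBOUR_FILL, sizeof arena);
    if (inlen >= 1 && in[0] >= ARENA_SZ) return -2;
    int rc = parser(in, inlen, arena, NAME_CAP);
    *neighbour = (unsigned char)arena[NAME_CAP];
    return rc;
}

/* 1 if parsing `in` with `parser` zeroed the byte after the name buffer. */
static int neighbour_clobbered(pstring_parser parser,
                               const unsigned char *in, size_t inlen)
{
    unsigned char nb = NEIGHBOUR_FILL;
    run_on_arena(parser, in, inlen, &nb);
    return nb == 0x00;
}

int main(void)
{
    /* Constructed inputs: an 8-byte name exactly fills NAME_CAP, so the
     * terminator is the out-of-bounds byte; a 3-byte name is benign. */
    const unsigned char evil[] = { 8, 'a','t','t','a','c','k','e','r' };
    const unsigned char ok[]   = { 3, 'b','o','b' };
    unsigned char nb;
    int rc;

    rc = run_on_arena(parse_pstring_vuln, evil, sizeof evil, &nb);
    printf("vuln, len=8: rc=%d, byte after buffer=0x%02x\n", rc, nb);
    rc = run_on_arena(parse_pstring_safe, evil, sizeof evil, &nb);
    printf("safe, len=8: rc=%d, byte after buffer=0x%02x\n", rc, nb);
    rc = run_on_arena(parse_pstring_safe, ok, sizeof ok, &nb);
    printf("safe, len=3: rc=%d, byte after buffer=0x%02x\n", rc, nb);
    return 0;
}
```

The check that matters is `len >= cap`, not `len > cap`: a length equal to the capacity still passes every bound on the copy itself and only fails at the terminator write, which is exactly the single '\0' the report describes. On a real allocator there is no arena guard, so that byte lands on the next chunk's header; the hardened parser refuses the input before any write happens.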
--- Begin Message ---
Source: netatalk
Source-Version: 3.1.18~ds-2
Done: Jonas Smedegaard <d...@jones.dk>

We believe that the bug you reported is fixed in the latest version of
netatalk, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1074...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jonas Smedegaard <d...@jones.dk> (supplier of updated netatalk package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Mon, 01 Jul 2024 11:09:54 +0200
Source: netatalk
Architecture: source
Version: 3.1.18~ds-2
Distribution: unstable
Urgency: high
Maintainer: Debian Netatalk team <pkg-netatalk-de...@lists.alioth.debian.org>
Changed-By: Jonas Smedegaard <d...@jones.dk>
Closes: 1071945 1074473 1074474 1074475
Changes:
 netatalk (3.1.18~ds-2) unstable; urgency=high
 .
   * update git-buildpackage: adjust debian-branch
   * add patches cherry-picked upstream:
     + use pkg-config to find libgcrypt;
       closes: bug#1071945, thanks to Andreas Metzler
     + harden user login;
       CVE-2024-38439 CVE-2024-38440 CVE-2024-38441;
       closes: bug#1074473,#1074474,#1074475
   * stop pass now superfluous configure option --with-libgcrypt-dir
   * set urgency=high due to security bugfixes
Checksums-Sha1:
 ad4125e2f339aa77535260936acd5ec8c85c0a1b 2486 netatalk_3.1.18~ds-2.dsc
 24d8f19f35480806e10081a11ab769f79da0053b 41932 netatalk_3.1.18~ds-2.debian.tar.xz
 5c8575e84167ad0d4783acbb80f32d8b4a33e5ab 11561 netatalk_3.1.18~ds-2_amd64.buildinfo
Checksums-Sha256:
 03176c9b79146f85b22d5e4605d24bd36453fc4aca8143761179a24f11d83790 2486 netatalk_3.1.18~ds-2.dsc
 89051ce765d68efbff276d01b2962e9e4835c9528fe893390cbf8c52fb9e8507 41932 netatalk_3.1.18~ds-2.debian.tar.xz
 4199deee866012e9f2be4644d9b5efe6aaf5414200814e0764b5648f9083a747 11561 netatalk_3.1.18~ds-2_amd64.buildinfo
Files:
 2a53cdb8e3eee19a9a0b3eca1d1f0993 2486 net optional netatalk_3.1.18~ds-2.dsc
 1f8e862f3821293d99a9293b6223cea4 41932 net optional netatalk_3.1.18~ds-2.debian.tar.xz
 8dbce38f270d29f6d12327ef22336a3c 11561 net optional netatalk_3.1.18~ds-2_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

Attachment: pgptWmEIElpG0.pgp
Description: PGP signature


--- End Message ---
