Bug#1043504: Another regression fix for CVE-2022-23123

To: submit@bugs.debian.org
Subject: Bug#1043504: Another regression fix for CVE-2022-23123
From: Daniel Markstedt <markstedt@gmail.com>
Date: Fri, 11 Aug 2023 22:45:15 -0700
Message-id: <[🔎] CAKnbzosd-zrnFKn0mohhTYefTzcGMQnRC7WZJQuXijYqg6ZOtw@mail.gmail.com>
Reply-to: Daniel Markstedt <markstedt@gmail.com>, 1043504@bugs.debian.org

Package: netatalk
Version: 3.1.12~ds-3+deb10u2
X-Debbugs-Cc: team@security.debian.org,debian-lts@lists.debian.org

Dear Debian Security team,

Would you be able to help me get the following critical regression fix
into the Buster netatalk package?

The regression was introduced with the patch for CVE-2022-23123 and is
impacting a subset of users that have certain metadata in their shared
files. The issue leads to an unavoidable crash and renders netatalk
useless with their shared volumes.

Separately, it also contains a fix for saving MS Office files onto an
otherwise functioning shared volume.

This is the commit with the fix in question:
https://github.com/Netatalk/netatalk/commit/7dbde0ce704be7fbdb23e893e05cedced337350d

See this PR for discussion and links back to the user reported issue tickets:
https://github.com/Netatalk/netatalk/pull/178

See also Bug#1036740 for the previous batch of regression fixes for
the same CVE.

Thank you!

Reply to:

Follow-Ups:
- Re: Bug#1043504: Another regression fix for CVE-2022-23123
  - From: Markus Koschany <apo@debian.org>

Prev by Date: Re: firefox on buster
Next by Date: Debian (E)LTS report for June 2023
Previous by thread: Re: firefox on buster
Next by thread: Re: Bug#1043504: Another regression fix for CVE-2022-23123
Index(es):
- Date
- Thread