Bugzilla – Bug 1197352
VUL-0: CVE-2021-31439,CVE-2022-23121,CVE-2022-23122,CVE-2022-23123,CVE-2022-23124,CVE-2022-23125,CVE-2022-0194: netatalk: Multiple vulnerabilities
Last modified: 2022-10-04 10:40:57 UTC
There is currently a new batch of vulnerabilities in Netatalk that we are expecting to be released in the upcoming days. The list of new CVEs (provided by ZDI) is included here, and there may be others to follow.

CVE-2022-23125
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Netatalk. Authentication is not required to exploit this vulnerability. The specific flaw exists within the copyapplfile function. When parsing the len element, the process does not properly validate the length of user-supplied data prior to copying it to a fixed-length stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of root.

CVE-2022-23124
This vulnerability allows remote attackers to disclose sensitive information on affected installations of Netatalk. Authentication is not required to exploit this vulnerability. The specific flaw exists within the get_finderinfo method. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated buffer. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of root.

CVE-2022-23123
This vulnerability allows remote attackers to disclose sensitive information on affected installations of Netatalk. Authentication is not required to exploit this vulnerability. The specific flaw exists within the getdirparams method. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated buffer. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of root.

CVE-2022-23122
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Netatalk. Authentication is not required to exploit this vulnerability. The specific flaw exists within the setfilparams function. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of root.

CVE-2022-23121
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Netatalk. Authentication is not required to exploit this vulnerability. The specific flaw exists within the parse_entries function. The issue results from the lack of proper error handling when parsing AppleDouble entries. An attacker can leverage this vulnerability to execute code in the context of root.

CVE-2022-0194
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Netatalk. Authentication is not required to exploit this vulnerability. The specific flaw exists within the ad_addcomment function. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of root.
Already public: https://netatalk.sourceforge.io/
https://github.com/Netatalk/Netatalk/commits/master Patches are already there.
From d801ed421800bcd5df9045f7327c92cd4fc944aa Mon Sep 17 00:00:00 2001
From: Ralph Boehme <slow@samba.org>
Date: Thu, 10 Mar 2022 16:12:30 +0100
Subject: [PATCH] CVE-2022-23125: harden copyapplfile()

Signed-off-by: Ralph Boehme <slow@samba.org>

From 4a8f6c964d5ca86df27c50e50dc1b60d39c9b76d Mon Sep 17 00:00:00 2001
From: Ralph Boehme <slow@samba.org>
Date: Thu, 10 Mar 2022 13:24:28 +0100
Subject: [PATCH] CVE-2022-23123: libatalk: harden ad_entry()

Also fixes:
- CVE-2022-23122
- CVE-2022-23124
- CVE-2022-0194

Signed-off-by: Ralph Boehme <slow@samba.org>

From a6fbccb0f2478108add188df023cfbb7428aac33 Mon Sep 17 00:00:00 2001
From: Ralph Boehme <slow@samba.org>
Date: Thu, 10 Mar 2022 13:30:36 +0100
Subject: [PATCH] CVE-2022-23123: libatalk: add defines for icon lengths

From https://www.ietf.org/rfc/rfc1740.txt

Signed-off-by: Ralph Boehme <slow@samba.org>

From 0c0465e4e85a27105b61b3918df8f8df0565367c Mon Sep 17 00:00:00 2001
From: Ralph Boehme <slow@samba.org>
Date: Thu, 10 Mar 2022 13:06:44 +0100
Subject: [PATCH] CVE-2022-23121: apply hardening to parse_entries()

- pass in the size of the valid data we read from disk
- drop redundant buf argument
- early exit if bounds check fails

Signed-off-by: Ralph Boehme <slow@samba.org>

From 62d4013c62be3b1b4a14f37057cb1c8f393c5fd1 Mon Sep 17 00:00:00 2001
From: Ralph Boehme <slow@samba.org>
Date: Thu, 10 Mar 2022 12:38:53 +0100
Subject: [PATCH] CVE-2022-23121: libatalk: apply some hardening to ad_header_read[_osx]()

- check there are not more than 16 AppleDouble entries
- simplify check the AD entries fit into the read buffer
- fail if parse_entries() returns an error

Signed-off-by: Ralph Boehme <slow@samba.org>

From 779717df2ed39b701deaf2472b42d59ff50fab7f Mon Sep 17 00:00:00 2001
From: Ralph Boehme <slow@samba.org>
Date: Mon, 22 Nov 2021 05:32:46 +0100
Subject: [PATCH] CVE-2021-31439: libatalk: apply limit checking to DSI write offset

Signed-off-by: Ralph Boehme <slow@samba.org>
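The upstream commit notes above describe the hardening pattern behind most of these CVEs: treat every count, offset and length read from an AppleDouble header as untrusted, bound it against the number of bytes actually read, and fail early instead of copying or reading past a fixed-size buffer. The following is an added example written for this bug report, not Netatalk's code and not taken from any of the listed commits. It parses the AppleDouble header and entry table as laid out in RFC 1740 (magic, version, 16 filler bytes, a 2-byte entry count, then 12-byte descriptors of id/offset/length); the 16-entry cap mirrors the limit named in the commit note, and the function and helper names (parse_ad_header, build_sample, the demo_* functions) are this example's own. The sample headers are constructed in the code, not taken from real files.

```c
/* Added example (not Netatalk's code): a bounds-checked AppleDouble header
 * parser in the spirit of the upstream hardening notes. Layout per RFC 1740. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define AD_MAGIC       0x00051607u  /* AppleDouble magic number (RFC 1740) */
#define AD_VERSION2    0x00020000u  /* AppleDouble version 2 (RFC 1740) */
#define AD_HEADER_LEN  26u          /* magic(4) + version(4) + filler(16) + count(2) */
#define AD_ENTRY_LEN   12u          /* entry id(4) + offset(4) + length(4) */
#define AD_MAX_ENTRIES 16u          /* cap assumed here; matches the limit in the commit note */
#define AD_ID_FINDERI  9u           /* entry id 9 = Finder Info (RFC 1740) */

typedef struct { uint32_t id, offset, length; } ad_entry;

static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}
static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static void put32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16); p[2] = (uint8_t)(v >> 8); p[3] = (uint8_t)v;
}
static void put16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }

/* Parse the header and entry table in buf[0..buflen), where buflen is the
 * number of bytes really read from disk, not whatever the header claims.
 * Returns the entry count on success, -1 on any malformed or out-of-range
 * value. No entry is handed back until every descriptor has been validated. */
int parse_ad_header(const uint8_t *buf, size_t buflen, ad_entry *out, size_t max_out)
{
    if (buf == NULL || buflen < AD_HEADER_LEN)
        return -1;
    if (be32(buf) != AD_MAGIC || be32(buf + 4) != AD_VERSION2)
        return -1;

    uint16_t nentries = be16(buf + 24);
    if (nentries > AD_MAX_ENTRIES || nentries > max_out)   /* cap the count first */
        return -1;

    /* Every 12-byte descriptor must lie inside the bytes we actually read. */
    size_t table_end = AD_HEADER_LEN + (size_t)nentries * AD_ENTRY_LEN;
    if (table_end > buflen)
        return -1;

    for (uint16_t i = 0; i < nentries; i++) {
        const uint8_t *d = buf + AD_HEADER_LEN + (size_t)i * AD_ENTRY_LEN;
        ad_entry e;
        e.id = be32(d); e.offset = be32(d + 4); e.length = be32(d + 8);
        /* 64-bit sum so a huge offset plus a small length cannot wrap to a
         * "valid" end; this is the check that prevents a read past the buffer. */
        uint64_t end = (uint64_t)e.offset + (uint64_t)e.length;
        if (end > buflen)
            return -1;
        out[i] = e;
    }
    return (int)nentries;
}

/* Constructed sample (not a real file): header, one descriptor, `payload`
 * zero bytes after the table. Only count/offset/length vary between demos. */
static size_t build_sample(uint8_t *dst, size_t cap, uint16_t count,
                           uint32_t off, uint32_t len, size_t payload)
{
    size_t total = AD_HEADER_LEN + AD_ENTRY_LEN + payload;
    if (total > cap) return 0;
    memset(dst, 0, total);
    put32(dst, AD_MAGIC);
    put32(dst + 4, AD_VERSION2);
    put16(dst + 24, count);
    put32(dst + 26, AD_ID_FINDERI);
    put32(dst + 30, off);
    put32(dst + 34, len);
    return total;
}

static int run(uint16_t count, uint32_t off, uint32_t len, size_t payload) {
    uint8_t buf[128]; ad_entry ents[AD_MAX_ENTRIES];
    size_t n = build_sample(buf, sizeof buf, count, off, len, payload);
    return parse_ad_header(buf, n, ents, AD_MAX_ENTRIES);
}

/* One 32-byte Finder Info entry right after the table: accepted, returns 1. */
int demo_valid(void)            { return run(1, AD_HEADER_LEN + AD_ENTRY_LEN, 32, 32); }
/* Length claims far more than was read: rejected (-1) instead of read past the end. */
int demo_oversized_length(void) { return run(1, AD_HEADER_LEN + AD_ENTRY_LEN, 0x7fffffffu, 32); }
/* offset+length wraps past 2^32; a 32-bit sum would pass, the 64-bit sum rejects (-1). */
int demo_wrapping_offset(void)  { return run(1, 0xfffffff0u, 0x20u, 32); }
/* Entry count above the cap: rejected (-1) before any descriptor is touched. */
int demo_too_many_entries(void) { return run(17, AD_HEADER_LEN + AD_ENTRY_LEN, 32, 32); }
/* Count says two descriptors but only one was read: table overruns buffer, -1. */
int demo_truncated_table(void)  { return run(2, AD_HEADER_LEN + AD_ENTRY_LEN, 32, 0); }

int main(void) {
    printf("valid=%d oversized=%d wrap=%d toomany=%d truncated=%d\n",
           demo_valid(), demo_oversized_length(), demo_wrapping_offset(),
           demo_too_many_entries(), demo_truncated_table());
    return 0;
}
```

The point of passing the real read size (buflen) rather than trusting the header is the same one the parse_entries() commit note makes: a length field from disk or from a client is only usable after it has been checked against memory the process actually owns.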
(In reply to Petr Gajdos from comment #13)
> From 779717df2ed39b701deaf2472b42d59ff50fab7f Mon Sep 17 00:00:00 2001
> From: Ralph Boehme <slow@samba.org>
> Date: Mon, 22 Nov 2021 05:32:46 +0100
> Subject: [PATCH] CVE-2021-31439: libatalk: apply limit checking to DSI write
> offset
>
> Signed-off-by: Ralph Boehme <slow@samba.org>

Please also add CVE-2021-31439 to the list of the security bugs that need to be fixed.
Package 12/netatalk submitted.
I believe all fixed.
(In reply to Petr Gajdos from comment #17)
> I believe all fixed.

I don't see CVE-2022-23123 mentioned in the changes file.
(In reply to Gianluca Gabrielli from comment #19)
> (In reply to Petr Gajdos from comment #17)
> > I believe all fixed.
>
> I don't see CVE-2022-23123 mentioned in the changes file.

Thanks for the catch. That is an example of why I prefer one bug per CVE: I would see the submit request referenced as a comment in the bugs and would notice that there is none in one of them. While we are on that, https://bugzilla.suse.com/show_bug.cgi?id=CVE-2022-23125 is the only one that is working. Resubmitted.
There seems to be a regression after updating.

server:
-------
systemctl start netatalk
# cat /etc/netatalk/afp.conf
[Global]

[TEMP]
path = /mnt
valid users = atanno

On the client :
---------------
Download the following files on the client :
afpfs-ng-0.8.1.tar.bz2 from https://sourceforge.net/projects/afpfs-ng/

Decompress the tarball :
# tar jxvf afpfs-ng-0.8.1.tar.bz2

Download the patch that corrects a bug that prevents this client from connecting to the server; this patch can be found at the following link :
https://launchpadlibrarian.net/97950648/connect_timeout_fix.diff

Patch the sources for the afpfs-ng client :
# patch -p0 < connect_timeout_fix.diff

Install the following dependencies to build the client package with encryption ( or else it will not work ).
# zypper in libgcrypt-devel gmp-devel fuse-devel

Build the client :
# cd afpfs-ng-0.8.1
# ./configure --prefix=/usr/local/afpfs
# make && make install

The build process will install everything under /usr/local/afpfs.

Start "afpfsd"
# /usr/local/afpfs/bin/afpfsd

Attempt to mount "TEMP" exported on the server under /mnt on the client
sles12sp5:/tmp/afpfs-ng-0.8.1 # /usr/local/afpfs/bin/mount_afp afp://atanno:xyz1234@myserver/TEMP /mnt
Mounting myserver from TEMP on /mnt
Volume TEMP does not support fixed directories
Could not mount volume TEMP
@Petr: can you have a look at the above please ?
Are these systems available to me or should I try to setup own? How?
(In reply to Petr Gajdos from comment #24)
> Are these systems available to me or should I try to setup own? How?

hi, you can find two sle12sp5 machines, one for server, and the other for client.

I use s390vsl048.suse.de for server, and the client is a virtual machine in my workstation.

the setup details are described above.
(In reply to Liu Shukui from comment #25)
> (In reply to Petr Gajdos from comment #24)
> > Are these systems available to me or should I try to setup own? How?
>
> hi, you can find two sle12sp5 machines, one for server, and the other for
> client.
>
> I use s390vsl048.suse.de for server, and the client is a virtual machine in
> my workstation.
>
> the setup details are described above.

Thanks, I am on s390vsl048.suse.de. Could you help me understand what the client system should look like? Except for the steps in comment 22 of course, I am able to replicate them, but I guess I am doing something wrong in reproducing.
For example

:/usr/local/afpfs # /usr/local/afpfs/bin/afpfsd -f
error in libgcrypt, file drbg.c, line 1809, function _gcry_drbg_randomize: DRBG is not initialized
error in libgcrypt, file visibility.c, line 1161, function gcry_md_hash_buffer: called in non-operational state
Fatal: Every time you use MD5 god kills a kitten. How many more have to die?
fatal error in libgcrypt, file misc.c, line 140, function _gcry_logv: internal error (fatal or bug)
Aborted (core dumped)
:/usr/local/afpfs #

# /usr/local/afpfs/bin/mount_afp afp://atanno:xyz1234@s390vsl048.suse.de/TEMP /mnt
Dropped connection
#
I see this in the syslog:

2022-03-24T14:51:19.153970+01:00 s390vsl048 afpd[31242]: AFP3.2 Login by atanno
2022-03-24T14:51:20.915539+01:00 s390vsl048 afpd[31242]: ===============================================================
2022-03-24T14:51:20.915875+01:00 s390vsl048 afpd[31242]: INTERNAL ERROR: Signal 11 in pid 31242 (3.1.0)
2022-03-24T14:51:20.915964+01:00 s390vsl048 afpd[31242]: ===============================================================
2022-03-24T14:51:20.916043+01:00 s390vsl048 afpd[31242]: PANIC: internal error
2022-03-24T14:51:20.916129+01:00 s390vsl048 afpd[31242]: BACKTRACE: 12 stack frames:
2022-03-24T14:51:20.916207+01:00 s390vsl048 afpd[31242]: #0 /usr/lib64/libatalk.so.12(netatalk_panic+0x22) [0x3ff870be742]
2022-03-24T14:51:20.916285+01:00 s390vsl048 afpd[31242]: #1 /usr/lib64/libatalk.so.12(+0x3e87a) [0x3ff870be87a]
2022-03-24T14:51:20.916364+01:00 s390vsl048 afpd[31242]: #2 [0x3ffc447d956]
2022-03-24T14:51:20.916441+01:00 s390vsl048 afpd[31242]: #3 /usr/lib64/libatalk.so.12(+0x1d426) [0x3ff8709d426]
2022-03-24T14:51:20.916523+01:00 s390vsl048 afpd[31242]: #4 /usr/lib64/libatalk.so.12(ad_open+0x12c4) [0x3ff8709f31c]
2022-03-24T14:51:20.916601+01:00 s390vsl048 afpd[31242]: #5 /usr/sbin/afpd(+0x36a9a) [0x2aa1a0b6a9a]
2022-03-24T14:51:20.916683+01:00 s390vsl048 afpd[31242]: #6 /usr/sbin/afpd(+0x377d6) [0x2aa1a0b77d6]
2022-03-24T14:51:20.916763+01:00 s390vsl048 afpd[31242]: #7 /usr/sbin/afpd(afp_openvol+0x68a) [0x2aa1a0b821a]
2022-03-24T14:51:20.916841+01:00 s390vsl048 afpd[31242]: #8 /usr/sbin/afpd(afp_over_dsi+0x606) [0x2aa1a091dbe]
2022-03-24T14:51:20.916917+01:00 s390vsl048 afpd[31242]: #9 /usr/sbin/afpd(main+0xc92) [0x2aa1a08f3aa]
2022-03-24T14:51:20.916995+01:00 s390vsl048 afpd[31242]: #10 /lib64/libc.so.6(__libc_start_main+0x112) [0x3ff86c29cc2]
2022-03-24T14:51:20.917079+01:00 s390vsl048 afpd[31242]: #11 /usr/sbin/afpd(+0xf48c) [0x2aa1a08f48c]

This is AFTER and not BEFORE, right?
(In reply to Petr Gajdos from comment #28)
> I see this in the syslog:
>
> 2022-03-24T14:51:19.153970+01:00 s390vsl048 afpd[31242]: AFP3.2 Login by atanno
> 2022-03-24T14:51:20.915539+01:00 s390vsl048 afpd[31242]: ===============================================================
> 2022-03-24T14:51:20.915875+01:00 s390vsl048 afpd[31242]: INTERNAL ERROR: Signal 11 in pid 31242 (3.1.0)
> 2022-03-24T14:51:20.915964+01:00 s390vsl048 afpd[31242]: ===============================================================
> 2022-03-24T14:51:20.916043+01:00 s390vsl048 afpd[31242]: PANIC: internal error
> 2022-03-24T14:51:20.916129+01:00 s390vsl048 afpd[31242]: BACKTRACE: 12 stack frames:
> 2022-03-24T14:51:20.916207+01:00 s390vsl048 afpd[31242]: #0 /usr/lib64/libatalk.so.12(netatalk_panic+0x22) [0x3ff870be742]
> 2022-03-24T14:51:20.916285+01:00 s390vsl048 afpd[31242]: #1 /usr/lib64/libatalk.so.12(+0x3e87a) [0x3ff870be87a]
> 2022-03-24T14:51:20.916364+01:00 s390vsl048 afpd[31242]: #2 [0x3ffc447d956]
> 2022-03-24T14:51:20.916441+01:00 s390vsl048 afpd[31242]: #3 /usr/lib64/libatalk.so.12(+0x1d426) [0x3ff8709d426]
> 2022-03-24T14:51:20.916523+01:00 s390vsl048 afpd[31242]: #4 /usr/lib64/libatalk.so.12(ad_open+0x12c4) [0x3ff8709f31c]
> 2022-03-24T14:51:20.916601+01:00 s390vsl048 afpd[31242]: #5 /usr/sbin/afpd(+0x36a9a) [0x2aa1a0b6a9a]
> 2022-03-24T14:51:20.916683+01:00 s390vsl048 afpd[31242]: #6 /usr/sbin/afpd(+0x377d6) [0x2aa1a0b77d6]
> 2022-03-24T14:51:20.916763+01:00 s390vsl048 afpd[31242]: #7 /usr/sbin/afpd(afp_openvol+0x68a) [0x2aa1a0b821a]
> 2022-03-24T14:51:20.916841+01:00 s390vsl048 afpd[31242]: #8 /usr/sbin/afpd(afp_over_dsi+0x606) [0x2aa1a091dbe]
> 2022-03-24T14:51:20.916917+01:00 s390vsl048 afpd[31242]: #9 /usr/sbin/afpd(main+0xc92) [0x2aa1a08f3aa]
> 2022-03-24T14:51:20.916995+01:00 s390vsl048 afpd[31242]: #10 /lib64/libc.so.6(__libc_start_main+0x112) [0x3ff86c29cc2]
> 2022-03-24T14:51:20.917079+01:00 s390vsl048 afpd[31242]: #11 /usr/sbin/afpd(+0xf48c) [0x2aa1a08f48c]
>
> This is AFTER and not BEFORE, right?

YES. This is AFTER.
(In reply to Petr Gajdos from comment #27)
> For example
>
> :/usr/local/afpfs # /usr/local/afpfs/bin/afpfsd -f
> error in libgcrypt, file drbg.c, line 1809, function _gcry_drbg_randomize:
> DRBG is not initialized
> error in libgcrypt, file visibility.c, line 1161, function
> gcry_md_hash_buffer: called in non-operational state
> Fatal: Every time you use MD5 god kills a kitten. How many more have to die?
> fatal error in libgcrypt, file misc.c, line 140, function _gcry_logv:
> internal error (fatal or bug)
> Aborted (core dumped)
> :/usr/local/afpfs #
>
> # /usr/local/afpfs/bin/mount_afp
> afp://atanno:xyz1234@s390vsl048.suse.de/TEMP /mnt
> Dropped connection
> #

sorry, I haven't encountered this problem (core dumped). there is no output here:

s12sp5:~ # /usr/local/afpfs/bin/afpfsd -f
s12sp5:~ #
Needinfo provided privately.
I have found so far:

(1) The culprit of the regression is https://github.com/Netatalk/Netatalk/commit/4a8f6c964d5ca86df27c50e50dc1b60d39c9b76d
(2) The same behavior is in 3.1.13, too.
(3) 3.1.13 + revert of 4a8f6c964d5ca86df27c50e50dc1b60d39c9b76d will make the testcase work again.
Is that specific to s390x?
(In reply to Petr Gajdos from comment #33)
> Is that specific to s390x?

No, x86_64 has the same issue.
There is a thread in the upstream mailing list describing this issue: https://sourceforge.net/p/netatalk/mailman/netatalk-devel/thread/49864b1b-6aa1-6859-3f53-a2018598b8ce%40synology.com/#msg37632074
No news at https://github.com/Netatalk/Netatalk .
(In reply to Petr Gajdos from comment #36)
> No news at https://github.com/Netatalk/Netatalk .

Hi, How can we deal with this update? reject?
(In reply to Liu Shukui from comment #37)
> (In reply to Petr Gajdos from comment #36)
> > No news at https://github.com/Netatalk/Netatalk .
>
> Hi, How can we deal with this update? reject?

Do we know which patch might have caused it ? Potentially we could back out some of the changes, so that we fix at least some of the CVEs. Not sure if that would be a feasible option Petr.
(In reply to Robert Frohl from comment #38)
> (In reply to Liu Shukui from comment #37)
> > (In reply to Petr Gajdos from comment #36)
> > > No news at https://github.com/Netatalk/Netatalk .
> >
> > Hi, How can we deal with this update? reject?
>
> Do we know which patch might have caused it ?

just saw that it likely is https://github.com/Netatalk/Netatalk/commit/4a8f6c964d5ca86df27c50e50dc1b60d39c9b76d
(In reply to Liu Shukui from comment #37)
> (In reply to Petr Gajdos from comment #36)
> > No news at https://github.com/Netatalk/Netatalk .
>
> Hi, How can we deal with this update? reject?

Yes. The regression is confirmed by upstream.
(In reply to Robert Frohl from comment #39)
> just saw that it likely is
> https://github.com/Netatalk/Netatalk/commit/4a8f6c964d5ca86df27c50e50dc1b60d39c9b76d

Yes, it is netatalk-CVE-2022-23123,23122,23124,0194.patch
No info required anymore.
(In reply to Petr Gajdos from comment #42)
> No info required anymore.

sorry

(In reply to Petr Gajdos from comment #41)
> (In reply to Robert Frohl from comment #39)
> > just saw that it likely is
> > https://github.com/Netatalk/Netatalk/commit/4a8f6c964d5ca86df27c50e50dc1b60d39c9b76d
>
> Yes, it is netatalk-CVE-2022-23123,23122,23124,0194.patch

I would say we go with a partial fix for this bug for now. If there is no movement upstream this will likely take a while; the issues are serious enough to try and have at least some of them fixed IMO.
The fix for CVE-2021-31439, CVE-2022-23121 and CVE-2022-23125 is submitted for 12/netatalk. The rest of the CVEs listed in this bug and CVE-2022-22995 (bsc#1197576) are currently unfixed.
SUSE-SU-2022:1184-1: An update that fixes three vulnerabilities is now available.

Category: security (important)
Bug References: 1197352
CVE References: CVE-2021-31439,CVE-2022-23121,CVE-2022-23125
JIRA References:
Sources used:
SUSE Linux Enterprise Workstation Extension 12-SP5 (src): netatalk-3.1.0-3.8.1
SUSE Linux Enterprise Software Development Kit 12-SP5 (src): netatalk-3.1.0-3.8.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
No news in upstream repo.