ALT-PU-2024-10857-3

Обновление пакета netatalk в ветке c10f1

Версия3.2.3-alt1

Задание#354589

Опубликовано2024-08-13

Макс. серьёзностьCRITICAL

Серьёзность:

Закрытые проблемы (5)

HIGH7.5

Уязвимость функции BN_bin2bn (etc/uams/uams_dhx_pam.c) реализации протокола Apple Filing Protocol Netatalk, позволяющая нарушителю вызвать отказ в обслуживании

Опубликовано: 2024-06-28Изменено: 2025-11-05

CVSS 3.xВЫСОКАЯ 7.5

CVSS:3.x/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS 2.0ВЫСОКАЯ 7.8

CVSS:2.0/AV:N/AC:L/Au:N/C:N/I:N/A:C

Ссылки

CVE-2024-38440

CRITICAL9.8

The combination of primitives offered by SMB and AFP in their default configuration allows the arbitrary writing of files. By exploiting these combination of primitives, an attacker can execute arbitrary code.

Опубликовано: 2022-03-25Изменено: 2025-11-03

CVSS 2.0ВЫСОКАЯ 7.5

CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS 3.xКРИТИЧЕСКАЯ 9.8

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Ссылки

CRITICAL9.8

Netatalk before 3.2.1 has an off-by-one error and resultant heap-based buffer overflow because of setting ibuf[PASSWDLEN] to '\0' in FPLoginExt in login in etc/uams/uams_pam.c. 2.4.1 and 3.1.19 are also fixed versions.

Опубликовано: 2024-06-16Изменено: 2025-11-03

CVSS 3.xКРИТИЧЕСКАЯ 9.8

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Ссылки

HIGH7.5

Netatalk before 3.2.1 has an off-by-one error, and resultant heap-based buffer overflow and segmentation violation, because of incorrectly using FPLoginExt in BN_bin2bn in etc/uams/uams_dhx_pam.c. The original issue 1097 report stated: 'The latest version of Netatalk (v3.2.0) contains a security vulnerability. This vulnerability arises due to a lack of validation for the length field after parsing user-provided data, leading to an out-of-bounds heap write of one byte (\0). Under specific configurations, this can result in reading metadata of the next heap block, potentially causing a Denial of Service (DoS) under certain heap layouts or with ASAN enabled. ... The vulnerability is located in the FPLoginExt operation of Netatalk, in the BN_bin2bn function found in /etc/uams/uams_dhx_pam.c ... if (!(bn = BN_bin2bn((unsigned char *)ibuf, KEYSIZE, NULL))) ... threads ... [#0] Id 1, Name: "afpd", stopped 0x7ffff4304e58 in ?? (), reason: SIGSEGV ... [#0] 0x7ffff4304e58 mov BYTE PTR [r14+0x8], 0x0 ... mov rdx, QWORD PTR [rsp+0x18] ... afp_login_ext(obj=, ibuf=0x62d000010424 "", ibuflen=0xffffffffffff0015, rbuf=, rbuflen=) ... afp_over_dsi(obj=0x5555556154c0 ).' 2.4.1 and 3.1.19 are also fixed versions.

Опубликовано: 2024-06-16Изменено: 2025-11-03

CVSS 3.xВЫСОКАЯ 7.5

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Ссылки

CRITICAL9.8

Netatalk before 3.2.1 has an off-by-one error and resultant heap-based buffer overflow because of setting ibuf[len] to '\0' in FPMapName in afp_mapname in etc/afpd/directory.c. 2.4.1 and 3.1.19 are also fixed versions.

Опубликовано: 2024-06-16Изменено: 2025-11-03

CVSS 3.xКРИТИЧЕСКАЯ 9.8

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Ссылки