Bug 13711 - (CVE-2018-1160) [Not Samba] [NETATALK] Unauthenticated remote code execution in Netatalk
(CVE-2018-1160)
[Not Samba] [NETATALK] Unauthenticated remote code execution in Netatalk
Status: RESOLVED FIXED
Product: Samba 4.1 and newer
Classification: Unclassified
Component: Other
unspecified
All All
: P5 normal
: ---
Assigned To: Ralph Böhme
Samba QA Contact
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2018-12-13 21:24 UTC by Ralph Böhme
Modified: 2018-12-21 07:42 UTC (History)
6 users (show)

See Also:


Attachments
Prepared advisory text for CVE-2018-1160 (1.24 KB, text/plain)
2018-12-13 21:29 UTC, Ralph Böhme
slow: review? (asn)
jra: review+
abartlet: review+
Details
Patch for master (5.35 KB, patch)
2018-12-13 21:37 UTC, Ralph Böhme
no flags Details
Patch for 3.1 (5.48 KB, patch)
2018-12-13 21:38 UTC, Ralph Böhme
no flags Details
Patch for 2.0.x (2.44 KB, patch)
2018-12-19 13:57 UTC, Petr Gajdos
slow: review+
Details
Patch for 2.2 (5.40 KB, patch)
2018-12-19 16:48 UTC, Ralph Böhme
slow: review? (hat)
Details

Note You need to log in before you can comment on or make changes to this bug.
Comment 1 Ralph Böhme 2018-12-13 21:29:39 UTC
Created attachment 14735 [details]
Prepared advisory text for CVE-2018-1160
Comment 2 Ralph Böhme 2018-12-13 21:37:32 UTC
Created attachment 14736 [details]
Patch for master
Comment 3 Ralph Böhme 2018-12-13 21:38:08 UTC
Created attachment 14737 [details]
Patch for 3.1
Comment 4 Andrew Bartlett 2018-12-13 22:00:07 UTC
Comment on attachment 14735 [details]
Prepared advisory text for CVE-2018-1160

Advisory looks good to me.  All the best with the security release!
Comment 5 Ralph Böhme 2018-12-13 22:04:17 UTC
(In reply to Andrew Bartlett from comment #4)
Thanks!

Not Samba, rofl... ;)
Comment 6 Jeremy Allison 2018-12-14 00:07:19 UTC
Comment on attachment 14735 [details]
Prepared advisory text for CVE-2018-1160

A few tiny grammar errors around plurals, but nothing to stop ship. LGTM.
Comment 7 Ralph Böhme 2018-12-14 07:59:03 UTC
Release is planned for Thursday 20th of December 2018.
Comment 8 Andrew Bartlett 2018-12-14 08:14:11 UTC
For those a little confused by this mail, please let me explain.

As you can see the the advisory here, a serious security issue has been identified in Netatalk.  Netatalk like Samba is often installed to share files (with Apple Mac clients), and it was felt that by forwarding the information here we might efficiently and securely reach affected vendors.

For those confused, please be clear it is NOT an issue in Samba.  

However given Ralph's long association with and membership of the Samba Team, we felt it appropriate to aid him, and if you are such a vendor te hope you, in this way.
Comment 9 Petr Gajdos 2018-12-19 13:57:11 UTC
Created attachment 14747 [details]
Patch for 2.0.x

Hello Ralph,

thank you for 3.x patches. Is there any patch for 2.x? I attempted to create one, it looks very simlar to patch for 3.1 except dsi->cmdlen calculation and 'AFP replaycache size option' section omission. Is it correct?
Comment 10 Ralph Böhme 2018-12-19 16:48:50 UTC
Created attachment 14748 [details]
Patch for 2.2
Comment 11 Ralph Böhme 2018-12-19 16:49:45 UTC
(In reply to Petr Gajdos from comment #9)
I provided an "official" patch for 2.2.
Comment 12 Petr Gajdos 2018-12-20 13:23:33 UTC
(In reply to Ralph Böhme from comment #11)
Ralph, apologize, yes, I forgot to specify the exact version against the patch was created: 2.0.3. Thank you anyway!
Comment 13 Andrew Walker 2018-12-20 14:55:28 UTC
Will this ticket be updated when we are clear to release? Where will the official notification regarding the issue be posted?
Comment 14 Ralph Böhme 2018-12-20 15:07:06 UTC
(In reply to Andrew Walker from comment #13)
Netatalk 3.1.12 has just been released to address this issue. The release was announced via the usual Netatalk mailing lists.

The CVE description should appear soon on the MITRE site:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-1160

Thanks everyone who helped getting this out!
Comment 15 Ralph Böhme 2018-12-20 15:08:12 UTC
Comment on attachment 14747 [details]
Patch for 2.0.x

Patch looks good to me.
Comment 16 Petr Gajdos 2018-12-21 07:42:53 UTC
(In reply to Ralph Böhme from comment #15)
Ralph, thank you for the review!