Vulnerability CVE-2022-43634: Information

Description

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Netatalk. Authentication is not required to exploit this vulnerability. The specific flaw exists within the dsi_writeinit function. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length heap-based buffer. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-17646.

Severity: CRITICAL (9.8) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

URL: https://nvd.nist.gov/vuln/detail/CVE-2022-43634
Published: March 29, 2023
Modified: Nov. 7, 2023
Error type identifier: CWE-122

Fixed packages

Package name
Branch
Fixed in version
Version from repository
Errata ID
Task #
State
netatalksisyphus3.1.17-alt13.1.18-alt1ALT-PU-2023-5918-1330497Fixed
netatalksisyphus_e2k3.1.17-alt13.1.18-alt1ALT-PU-2023-5965-1-Fixed
netatalksisyphus_riscv643.1.17-alt13.1.18-alt1ALT-PU-2023-6059-1-Fixed
netatalkp103.1.17-alt13.1.17-alt1ALT-PU-2023-5933-3330507Fixed
netatalkp10_e2k3.1.17-alt13.1.17-alt1ALT-PU-2023-6049-1-Fixed
netatalkc10f13.1.17-alt13.1.17-alt1ALT-PU-2023-5932-3330506Fixed

References to Advisories, Solutions, and Tools

Hyperlink
Resource
https://github.com/Netatalk/Netatalk/pull/186
  • Patch
https://www.zerodayinitiative.com/advisories/ZDI-23-094/
  • Third Party Advisory
  • VDB Entry
[debian-lts-announce] 20230516 [SECURITY] [DLA 3426-1] netatalk security update
    DSA-5503
      FEDORA-2023-aaeb45fb73
        FEDORA-2023-e714897e70
          FEDORA-2023-599faf1b1c

              1. Configuration 1

                cpe:2.3:a:netatalk:netatalk:3.1.13:*:*:*:*:*:*:*
            VKontakte|Telegram|YouTube|Forum|GitHub|Bugzilla
            Version: v24.5.0
            Back to top