CVE-2022-43634

CVE-2022-43634

Name

CVE-2022-43634

Description

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Netatalk. Authentication is not required to exploit this vulnerability. The specific flaw exists within the dsi_writeinit function. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length heap-based buffer. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-17646.

NVD Severity

high

Other trackers

CVE, NVD, CERT, CVE Details, CIRCL, Arch Linux, Debian, Red Hat, Ubuntu, Gentoo, SUSE (Bugzilla), SUSE (CVE), Mageia

Mailing lists

oss-security, full-disclosure, bugtraq

Exploits

Exploit DB, Metasploit

Forges

GitHub (code, issues), Aports (code, issues)

Type	URI
MISC	https://github.com/Netatalk/Netatalk/pull/186
MISC	https://www.zerodayinitiative.com/advisories/ZDI-23-094/
MLIST	https://lists.debian.org/debian-lts-announce/2023/05/msg00018.html
DEBIAN	https://www.debian.org/security/2023/dsa-5503
	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EZYWSGVA6WXREMB6PV56HAHKU7R6KPOP/
	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SG6WZW5LXFVH3P7ZVZRGHUVJEMEFKQLI/
	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GEAFLA5L2SHOUFBAGUXIF2TZLGBXGJKT/

Type

URI

MISC

https://github.com/Netatalk/Netatalk/pull/186

MISC

https://www.zerodayinitiative.com/advisories/ZDI-23-094/

MLIST

https://lists.debian.org/debian-lts-announce/2023/05/msg00018.html

DEBIAN

https://www.debian.org/security/2023/dsa-5503

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EZYWSGVA6WXREMB6PV56HAHKU7R6KPOP/

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SG6WZW5LXFVH3P7ZVZRGHUVJEMEFKQLI/

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GEAFLA5L2SHOUFBAGUXIF2TZLGBXGJKT/

CPE URI	Source package	Min version	Max version
`cpe:2.3:a:netatalk:netatalk:3.1.13:::::::*`	netatalk	== None	== 3.1.13

CPE URI

Source package

Min version

Max version

cpe:2.3:a:netatalk:netatalk:3.1.13:*:*:*:*:*:*:*

netatalk

== None

== 3.1.13

Vulnerable and fixed packages

Source package	Branch	Version	Maintainer	Status
netatalk	edge-community	3.1.15-r0	Alexander Rigbo <alex@dnb.nu>	fixed
netatalk	edge-community	3.1.13-r0	Alexander Rigbo <alex@dnb.nu>	possibly vulnerable
netatalk	3.22-community	3.1.15-r0	None	fixed
netatalk	3.22-community	3.1.13-r0	None	possibly vulnerable
netatalk	3.21-community	3.1.15-r0	None	fixed
netatalk	3.20-community	3.1.15-r0	None	fixed
netatalk	3.19-community	3.1.15-r0	None	fixed
netatalk	3.18-community	3.1.15-r0	Alexander Rigbo <alex@dnb.nu>	fixed
netatalk	3.17-community	3.1.15-r0	Alexander Rigbo <alex@dnb.nu>	fixed

Source package

Branch

Version

Maintainer

Status

netatalk

edge-community

3.1.15-r0

Alexander Rigbo <alex@dnb.nu>

fixed

netatalk

edge-community