netatalk Revisit CVE-2022-23121, CVE-2022-23123 regression fixes by @andychen-syno and @anodos325

Revisit CVE-2022-23121, CVE-2022-23123 regression fixes by @andychen-syno and @anodos325

Open dgsga opened this issue 1 year ago • 2 comments

Added guard check before access ad_entry()
Allow zero length entry in compliance with AppleDouble specification
Avoid setting adouble entries on symlinks

May 19 '24 13:05 dgsga

@rdmark, this commit implements @andychen-syno's original 2022 CVE patches along with @anodos325's patch to avoid setting adouble entries on symlinks. This gives the best of both worlds with a much cleaner log, especially on classic Mac clients.

May 19 '24 13:05 ghost

Quality Gate passed

Issues
4 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarCloud

May 19 '24 13:05 sonarqubecloud[bot]

@dgsga Sorry it's taking a while to wrap my head around this changeset. I trust your judgement of course, but I also want to internalize the logic changes.

May 20 '24 09:05 rdmark

No worries, if you find any flaws please feed back. This PR is definitely optional!

May 20 '24 19:05 ghost

Reverted this PR to draft as want to do more research...

May 22 '24 19:05 ghost

netatalk netatalk copied to clipboard

Revisit CVE-2022-23121, CVE-2022-23123 regression fixes by @andychen-syno and @anodos325

Quality Gate passed

netatalk
netatalk copied to clipboard