Netatalk 3.2.0 has an off-by-one error and resultant heap-based buffer overflow because of setting ibuf[len] to '\0' in FPMapName in afp_mapname in etc/afp/directory.c.
https://github.com/Netatalk/netatalk/issues/1098

Netatalk 3.2.0 has an off-by-one error and resultant heap-based buffer overflow because of incorrectly using FPLoginExt in BN_bin2bn in etc/uams/uams_dhx_pam.c.
https://github.com/Netatalk/netatalk/issues/1097

Netatalk 3.2.0 has an off-by-one error and resultant heap-based buffer overflow because of setting ibuf[PASSWDLEN] to '\0' in FPLoginExt in login in etc/uams/uams_pam.c.
https://github.com/Netatalk/netatalk/issues/1096
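The three descriptions above share one defect class: a NUL terminator written at buf[len] after a length check that still admits len equal to the buffer's capacity. The following is a constructed illustration added here for reviewers; it is not Netatalk's code, and the function names, the 16-byte capacity and the sample input are hypothetical. It shows the vulnerable length predicate next to the hardened one, and a copy routine that reserves the terminator's slot before copying so the off-by-one cannot occur.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical scratch-buffer size; the real code uses its own limits. */
#define BUF_CAP 16

/* Vulnerable pattern (constructed): accepts len == cap, so a copy of len
 * bytes fills the buffer exactly and the terminator at buf[len] lands one
 * byte past its end. Returns nonzero when the check would admit len. */
static int vulnerable_length_check(size_t cap, size_t len)
{
    return len <= cap;
}

/* Hardened pattern: the terminator needs its own slot, so the payload must
 * be strictly shorter than the buffer. */
static int hardened_length_check(size_t cap, size_t len)
{
    return cap > 0 && len < cap;
}

/* Copy a wire-supplied name into a fixed buffer and NUL-terminate it.
 * Returns 0 on success, -1 when the input (plus terminator) would not fit.
 * With the hardened check, buf[len] is always inside the buffer. */
static int copy_name_safe(char *buf, size_t cap, const unsigned char *in, size_t len)
{
    if (!hardened_length_check(cap, len))
        return -1;
    memcpy(buf, in, len);
    buf[len] = '\0';
    return 0;
}

int main(void)
{
    unsigned char in[BUF_CAP];
    char buf[BUF_CAP];
    size_t len = BUF_CAP;            /* boundary case: payload fills the buffer */

    memset(in, 'A', sizeof in);      /* constructed sample input */

    /* The vulnerable check admits the boundary case; the terminator index
     * then equals cap, i.e. one past the last valid element. */
    printf("len == cap: vulnerable check admits=%d, terminator index=%zu, last valid index=%zu\n",
           vulnerable_length_check(BUF_CAP, len), len, (size_t)(BUF_CAP - 1));
    printf("len == cap: hardened check admits=%d\n", hardened_length_check(BUF_CAP, len));

    /* A payload one byte shorter is accepted and terminated in bounds. */
    if (copy_name_safe(buf, sizeof buf, in, BUF_CAP - 1) == 0)
        printf("copied %zu bytes, strlen=%zu\n", (size_t)(BUF_CAP - 1), strlen(buf));
    return 0;
}
```

The deliberately out-of-bounds write is never executed here; the point is that the fix belongs in the length check (reject len >= cap) rather than at the terminator write, and that the boundary case len == cap is the one a test for this class of bug must cover.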
Created netatalk tracking bugs for this issue:

Affects: epel-all [bug 2292819]
Affects: fedora-all [bug 2292818]
The GitHub issues mentioned in this bug were moved to the Security tab of the upstream project:

CVE-2024-38439 https://github.com/Netatalk/netatalk/security/advisories/GHSA-8r68-857c-4rqc
CVE-2024-38440 https://github.com/Netatalk/netatalk/security/advisories/GHSA-mxx4-9fhm-r3w5
CVE-2024-38441 https://github.com/Netatalk/netatalk/security/advisories/GHSA-mj6v-cr68-mj9q

These have all been fixed in the 3.2.1 release. I will push new packages as soon as I am able (1-2 days).