CVE-2022-45188: 
NixOS vulnerability analysis and mitigation

Netatalk through version 3.1.13 contains a heap-based buffer overflow vulnerability in the afp_getappl function that allows remote code execution via a crafted .appl file. The vulnerability was discovered in late 2022 and assigned CVE-2022-45188. This vulnerability is particularly severe as it can provide remote root access on some platforms such as FreeBSD systems running TrueNAS (NVD, CVE).

The vulnerability exists in the afpgetappl function where a heap-based buffer overflow can occur when processing .appl files. The issue stems from improper handling of the len variable, which is parsed from 2 bytes (ushort type) and can be set to 0xffff at maximum, while the destination buffer (obj->oldtmp) is limited to AFPOBJ_TMPSIZ (4096 bytes). This mismatch allows an attacker to overflow the heap buffer. The vulnerability can be triggered by crafting a specific .appl file and sending an AFP packet with a carefully chosen aindex value (Rush Analysis).

The vulnerability has a high severity impact with a CVSS 3.1 base score of 7.8. When successfully exploited, it allows attackers to execute arbitrary code with root privileges on affected systems, particularly on FreeBSD-based systems like TrueNAS. The vulnerability can lead to complete system compromise, allowing unauthorized access and control over the affected server (Ubuntu).

The vulnerability has been patched in Netatalk version 3.1.14 and later releases. Users and administrators are strongly advised to upgrade to the latest version. Multiple Linux distributions have released security updates to address this vulnerability, including Debian (3.1.12~ds-8+deb11u1), Ubuntu, and Fedora (Debian Security, Fedora Update).