On Thu, May 25, 2023 at 3:39 AM Markus Koschany <a...@debian.org> wrote:
>
> Hello Daniel,
>
> On Thursday, 25.05.2023 at 08:02 +0200, Salvatore Bonaccorso wrote:
> >
> > >
> > > These two commits in upstream addressed this:
> > > https://github.com/Netatalk/netatalk/commit/9d0c21298363e8174cdfca657e66c4d10819507b
> > > https://github.com/Netatalk/netatalk/commit/4140e5495bac42ecb9b11975229c81e84762cc98
>
> Both patches have been backported to Buster. You can find them as
> CVE-2022-23123_part3.patch and CVE-2022-23123_part4.patch.
>
> Did we miss something else?
>
> Regards,
>
> Markus

Salvatore, Markus,

Thank you very much for taking swift action on this!

Please forgive my ignorance here, but are these patches active already if I apt install netatalk (3.1.12~ds-3+deb10u1) on Buster? Or do they have to be picked up by some build process that hasn't run yet?

I'm asking because I ran a few tests now and while EA metadata works, the appledouble v2 metadata functionality is definitely broken, even when you create a new shared volume from scratch.

dmark@buster:~$ apt show netatalk
Package: netatalk
Version: 3.1.12~ds-3+deb10u1
...

May 25 18:51:08 buster afpd[7415]: ad->ad_ops->ad_header_read(path, ad, pst) failed: Input/output error
May 25 18:51:08 buster afpd[7415]: getfilparams(Screenshot 2023-05-23 at 10.36.39 AM.png): bad resource fork
May 25 18:51:08 buster afpd[7415]: parse_entries: bogus eid: 3, off: 182, len: 8
May 25 18:51:08 buster afpd[7415]: ad_header_read(/home/dmark/afp-data): malformed AppleDouble

So either more patches have to be cherry-picked or I need to be patient. :)