X-Debbugs-Cc: pkg-netatalk-de...@alioth-lists.debian.net
On Wednesday, February 21st, 2024 at 4:56 PM, Jonathan Wiltshire
<j...@debian.org> wrote:
>
>
> You should be targetting `bullseye` in the most recent changelog; with that
> fixed, please go ahead.
>
> Thanks,
>
> --
> Jonathan Wiltshire j...@debian.org
> Debian Developer http://people.debian.org/~jmw
>
> 4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC 74C3 5394 479D D352 4C51
> ed25519/0x196418AAEB74C8A1: CA619D65A72A7BADFC96D280196418AAEB74C8A1
Jonathan,
Thanks for reviewing the debdiff.
Here is a rev2 version that targets bullseye in the latest changelog. Please
confirm that this is what you meant. (It's the first time I go through this
process so want to make sure I don't make obvious mistakes.)
If it looks good, I will arrange for this to get uploaded.
Best,
Daniel
diff -Nru netatalk-3.1.12~ds/debian/changelog
netatalk-3.1.12~ds/debian/changelog
--- netatalk-3.1.12~ds/debian/changelog 2023-09-20 05:19:20.000000000 +0000
+++ netatalk-3.1.12~ds/debian/changelog 2024-02-10 23:49:31.000000000 +0000
@@ -1,3 +1,10 @@
+netatalk (3.1.12~ds-8+deb11u2) bullseye; urgency=high
+
+ * Fix CVE-2022-22995. Harden create_appledesktop_folder.
+ closes: bug#1060773
+
+ -- Daniel Markstedt <dan...@mindani.net> Sat, 10 Feb 2024 23:49:31 +0000
+
netatalk (3.1.12~ds-8+deb11u1) bullseye-security; urgency=high
* Fix CVE-2021-31439, CVE-2022-0194, CVE-2022-23121, CVE-2022-23122,
diff -Nru netatalk-3.1.12~ds/debian/patches/CVE-2022-22995.patch
netatalk-3.1.12~ds/debian/patches/CVE-2022-22995.patch
--- netatalk-3.1.12~ds/debian/patches/CVE-2022-22995.patch 1970-01-01
00:00:00.000000000 +0000
+++ netatalk-3.1.12~ds/debian/patches/CVE-2022-22995.patch 2024-02-10
23:40:03.000000000 +0000
@@ -0,0 +1,63 @@
+Description: CVE-2022-22995
+Author: Daniel Markstedt <dan...@mindani.net>
+Origin:
https://github.com/Netatalk/netatalk/commit/9eb6d9d0ac17dca210ccbf05476a925a6b379dfb.diff
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+--- a/etc/afpd/desktop.c
++++ b/etc/afpd/desktop.c
+@@ -12,8 +12,10 @@
+ #endif /* HAVE_CONFIG_H */
+
+ #include <stdio.h>
++#include <stdlib.h>
+ #include <string.h>
+ #include <ctype.h>
++#include <sys/stat.h>
+
+ #include <errno.h>
+
+@@ -212,7 +214,6 @@
+ {
+ bstring olddtpath = NULL, dtpath = NULL;
+ struct stat st;
+- char *cmd_argv[4];
+
+ olddtpath = bfromcstr(vol->v_path);
+ bcatcstr(olddtpath, "/" APPLEDESKTOP);
+@@ -220,27 +221,24 @@
+ dtpath = bfromcstr(vol->v_dbpath);
+ bcatcstr(dtpath, "/" APPLEDESKTOP);
+
+- if (lstat(cfrombstr(dtpath), &st) != 0) {
+-
+- become_root();
++ become_root();
+
+- if (lstat(cfrombstr(olddtpath), &st) == 0) {
+- cmd_argv[0] = "mv";
+- cmd_argv[1] = bdata(olddtpath);
+- cmd_argv[2] = bdata(dtpath);
+- cmd_argv[3] = NULL;
+- if (run_cmd("mv", cmd_argv) != 0) {
+- LOG(log_error, logtype_afpd, "moving .AppleDesktop from
\"%s\" to \"%s\" failed",
++ if (lstat(cfrombstr(dtpath), &st) != 0) {
++ if ((lstat(cfrombstr(olddtpath), &st) == 0) && (S_ISDIR(st.st_mode)
!= 0)) {
++ if (rename(bdata(olddtpath), bdata(dtpath)) != 0) {
++ LOG(log_error, logtype_afpd, "moving .AppleDesktop from
\"%s\" failed; creating new dir \"%s\"",
+ bdata(olddtpath), bdata(dtpath));
+ mkdir(cfrombstr(dtpath), 0777);
+ }
+ } else {
++ LOG(log_debug, logtype_afpd, "no valid .AppleDesktop dir found;
creating new dir \"%s\"",
++ bdata(dtpath));
+ mkdir(cfrombstr(dtpath), 0777);
+ }
+-
+- unbecome_root();
+ }
+
++ unbecome_root();
++
+ bdestroy(dtpath);
+ bdestroy(olddtpath);
+ }
diff -Nru netatalk-3.1.12~ds/debian/patches/series
netatalk-3.1.12~ds/debian/patches/series
--- netatalk-3.1.12~ds/debian/patches/series 2023-09-20 05:19:20.000000000
+0000
+++ netatalk-3.1.12~ds/debian/patches/series 2024-02-10 23:40:03.000000000
+0000
@@ -28,3 +28,4 @@
CVE-2022-23121_regression.patch
CVE-2022-23123_part6.patch
CVE-2023-42464.patch
+CVE-2022-22995.patch
