Your message dated Sat, 31 Aug 2024 12:10:46 +0000
with message-id <e1skmwi-00gptt...@coccia.debian.org>
and subject line Close 1060774
has caused the Debian Bug report #1060774,
regarding bullseye-pu: netatalk/3.1.12~ds-8+deb11u2
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
1060774: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1060774
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian....@packages.debian.org
Usertags: pu
X-Debbugs-Cc: jo...@jones.dk
Upstream netatalk has patched a CVE security vulnerability; CVE-2022-22995
Ref. advisory: https://netatalk.sourceforge.io/CVE-2022-22995.php
The attached patch can be applied to Debian oldstable to address the
vulnerability.
I'm proposing an oldstable out-of-release-cycle upload: 3.1.12~ds-8+deb11u2
Sincerely,
Daniel Markstedt
From 3bf8b9032afcdbb5547abf420697a78c9d9b35a5 Mon Sep 17 00:00:00 2001
From: Daniel Markstedt <dan...@mindani.net>
Date: Sun, 14 Jan 2024 14:26:19 +0900
Subject: [PATCH] Netatalk CVE-2022-22995 patch
---
debian/patches/CVE-2022-22995.patch | 63 +++++++++++++++++++++++++++++
debian/patches/series | 1 +
2 files changed, 64 insertions(+)
create mode 100644 debian/patches/CVE-2022-22995.patch
diff --git a/debian/patches/CVE-2022-22995.patch b/debian/patches/CVE-2022-22995.patch
new file mode 100644
index 00000000..63101426
--- /dev/null
+++ b/debian/patches/CVE-2022-22995.patch
@@ -0,0 +1,63 @@
+Description: CVE-2022-22995
+Author: Daniel Markstedt <dan...@mindani.net>
+Origin: https://github.com/Netatalk/netatalk/commit/9eb6d9d0ac17dca210ccbf05476a925a6b379dfb.diff
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+--- a/etc/afpd/desktop.c
++++ b/etc/afpd/desktop.c
+@@ -12,8 +12,10 @@
+ #endif /* HAVE_CONFIG_H */
+
+ #include <stdio.h>
++#include <stdlib.h>
+ #include <string.h>
+ #include <ctype.h>
++#include <sys/stat.h>
+
+ #include <errno.h>
+
+@@ -212,7 +214,6 @@
+ {
+ bstring olddtpath = NULL, dtpath = NULL;
+ struct stat st;
+- char *cmd_argv[4];
+
+ olddtpath = bfromcstr(vol->v_path);
+ bcatcstr(olddtpath, "/" APPLEDESKTOP);
+@@ -220,27 +221,24 @@
+ dtpath = bfromcstr(vol->v_dbpath);
+ bcatcstr(dtpath, "/" APPLEDESKTOP);
+
+- if (lstat(cfrombstr(dtpath), &st) != 0) {
+-
+- become_root();
++ become_root();
+
+- if (lstat(cfrombstr(olddtpath), &st) == 0) {
+- cmd_argv[0] = "mv";
+- cmd_argv[1] = bdata(olddtpath);
+- cmd_argv[2] = bdata(dtpath);
+- cmd_argv[3] = NULL;
+- if (run_cmd("mv", cmd_argv) != 0) {
+- LOG(log_error, logtype_afpd, "moving .AppleDesktop from \"%s\" to \"%s\" failed",
++ if (lstat(cfrombstr(dtpath), &st) != 0) {
++ if ((lstat(cfrombstr(olddtpath), &st) == 0) && (S_ISDIR(st.st_mode) != 0)) {
++ if (rename(bdata(olddtpath), bdata(dtpath)) != 0) {
++ LOG(log_error, logtype_afpd, "moving .AppleDesktop from \"%s\" failed; creating new dir \"%s\"",
+ bdata(olddtpath), bdata(dtpath));
+ mkdir(cfrombstr(dtpath), 0777);
+ }
+ } else {
++ LOG(log_debug, logtype_afpd, "no valid .AppleDesktop dir found; creating new dir \"%s\"",
++ bdata(dtpath));
+ mkdir(cfrombstr(dtpath), 0777);
+ }
+-
+- unbecome_root();
+ }
+
++ unbecome_root();
++
+ bdestroy(dtpath);
+ bdestroy(olddtpath);
+ }
diff --git a/debian/patches/series b/debian/patches/series
index 3f69b779..70f4bce8 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -28,3 +28,4 @@ CVE-2022-23123_part5.patch
CVE-2022-23121_regression.patch
CVE-2022-23123_part6.patch
CVE-2023-42464.patch
+CVE-2022-22995.patch
--
2.39.2
--- End Message ---
--- Begin Message ---
As this package was not uploaded in time for the final point release of
bullseye (11.11), the request is now closed.
--- End Message ---
