Your message dated Sat, 16 May 2026 10:23:17 +0000
with message-id <[email protected]>
and subject line Released with 13.5
has caused the Debian Bug report #1117453,
regarding trixie-pu: package netatalk/4.2.3~ds-1+deb13u1
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1117453: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1117453
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: important
Tags: trixie
User: [email protected]
Usertags: pu
X-Debbugs-Cc: [email protected]
Hi release team, I am proposing a trixie package update for netatalk.
This is for fixing https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1111652
At least two users are blocked from using the trixie netatalk package,
and many more are likely affected because authentication through
ActiveDirectory or any centralized identity management using PAM
is broken.
Attaching a debdiff that can be applied to netatalk/4.2.3~ds-1.
diff --git a/debian/changelog b/debian/changelog
index e22bd2216..5a343dbe7 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,12 @@
+netatalk (4.2.3~ds-1+deb13u1) trixie; urgency=high
+
+ [ Daniel Markstedt ]
+ * add patch that fixes critical bug in uam module;
+ closes: bug#1111652, thanks to Stefan van Lieshout and
+ Hector Rulot
+
+ -- Daniel Markstedt <[email protected]> Sun, 05 Oct 2025 21:11:55 +0000
+
netatalk (4.2.3~ds-1) unstable; urgency=medium
[ upstream ]
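Review bot: The new entry's only description, "add patch that fixes critical bug in uam module", names neither the patch nor the failure. Consider listing debian/patches/001_uams_non_reentrant.patch and stating that it addresses the authentication failure in ActiveDirectory environments described in the patch header, so the entry can be understood without opening bug#1111652.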
diff --git a/debian/patches/001_uams_non_reentrant.patch
b/debian/patches/001_uams_non_reentrant.patch
new file mode 100644
index 000000000..b64c01704
--- /dev/null
+++ b/debian/patches/001_uams_non_reentrant.patch
@@ -0,0 +1,74 @@
+Description: Revert to non-reentrant getpwnam() in the uam module
+ Since afpd isn't a threading application,
+ there is no pressing need to use the reentrant-safe way
+ to fetch the passwd entry in uam_getname().
+ The reverted solution
had flaws
+ that led to a critical failure
+ when attempting to authenticate
+ in a complex ActiveDirectory environment.
+Author: Daniel Markstedt <[email protected]>
+Bug: https://github.com/Netatalk/netatalk/issues/2402
+Last-Update: 2025-09-05
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+--- a/etc/afpd/uam.c
++++ b/etc/afpd/uam.c
+@@ -193,7 +193,6 @@
+ {
+ AFPObj *obj = private;
+ struct passwd *pwent = NULL;
+- struct passwd pwent_buf;
+ static char username[256];
+ static char user[256];
+ static char pwname[256];
+@@ -201,23 +200,13 @@
+ size_t namelen;
+ size_t gecoslen = 0;
+ size_t pwnamelen = 0;
+-
+- long bufsize = sysconf(_SC_GETPW_R_SIZE_MAX);
+- if (bufsize == -1) {
+- bufsize = 16384;
+- }
+- char *buffer = malloc(bufsize);
+- if (buffer == NULL) {
+- free(buffer);
+- return NULL;
+- }
+-
+ #ifdef HAVE_GETPWNAM_SHADOW
+- if (pwent =
getpwnam_shadow(name)) {
++ pwent = getpwnam_shadow(name);
+ #else
+- if (getpwnam_r(name, &pwent_buf, buffer, sizeof(buffer), &pwent) == 0 &&
pwent != NULL) {
+- free(buffer);
++ pwent = getpwnam(name);
+ #endif
++
++ if (pwent) {
+ return pwent;
+ }
+
+@@ -231,7 +220,7 @@
+
+ if (bdata(princ) != NULL) {
+ const char *bdatum = bdata(princ);
+- getpwnam_r(bdatum, &pwent_buf, buffer, sizeof(buffer), &pwent);
++ pwent = getpwnam(bdatum);
+ }
+ bdestroy(princ);
+
+@@ -242,13 +231,10 @@
+ } else {
+ LOG(log_error, logtype_uams, "The name '%s' is longer than
%d", pwent->pw_name, MAXUSERLEN);
+ }
+- free(buffer);
+ return pwent;
+ }
+ }
+
+- free(buffer);
+-
+ namelen =
convert_string((utf8_encoding(obj))?CH_UTF8_MAC:obj->options.maccharset,
+ CH_UCS2, name,
-1, username, sizeof(username));
+ if (namelen == -1)
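Review bot: The Description says only that the reverted code "had flaws", while the removed lines under @@ -201,23 +200,13 @@ show what they were: `getpwnam_r(name, &pwent_buf, buffer, sizeof(buffer), &pwent)` passes the size of a `char *` rather than `bufsize`, and `free(buffer)` runs before `return pwent` even though `pwent` then points at the local `pwent_buf` and at strings inside that buffer. Naming both in the DEP-3 header would tell the release team exactly what was wrong and that the revert removes those defects. Since `getpwnam()` returns a pointer into static storage that a later getpw* call may overwrite, a short comment at `if (pwent) { return pwent;` saying the caller must finish with the result before another lookup would also help.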
diff --git a/debian/patches/series b/debian/patches/series
index cb6afea6c..5e10942dd 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1 +1,2 @@
+001_uams_non_reentrant.patch
202_privacy.patch
--- End Message ---
--- Begin Message ---
Package: release.debian.org
Version: 13.5
This update has been released as part of Debian 13.5.
--- End Message ---