Bug#1060774: bullseye-pu: netatalk/3.1.12~ds-8+deb11u2
X-Debbugs-Cc: pkg-netatalk-de...@alioth-lists.debian.net

On Wednesday, February 21st, 2024 at 4:56 PM, Jonathan Wiltshire wrote:

> You should be targetting `bullseye` in the most recent changelog; with that
> fixed, please go ahead.
>
> Thanks,
>
> --
> Jonathan Wiltshire j...@debian.org
> Debian Developer http://people.debian.org/~jmw
>
> 4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC 74C3 5394 479D D352 4C51
> ed25519/0x196418AAEB74C8A1: CA619D65A72A7BADFC96D280196418AAEB74C8A1

Jonathan,

Thanks for reviewing the debdiff. Here is a rev2 version that targets bullseye in the latest changelog. Please confirm that this is what you meant. (It's the first time I've gone through this process, so I want to make sure I don't make obvious mistakes.)

If it looks good, I will arrange for this to get uploaded.

Best,
Daniel

diff -Nru netatalk-3.1.12~ds/debian/changelog netatalk-3.1.12~ds/debian/changelog --- netatalk-3.1.12~ds/debian/changelog 2023-09-20 05:19:20.0 + +++ netatalk-3.1.12~ds/debian/changelog 2024-02-10 23:49:31.0 + @@ -1,3 +1,10 @@ +netatalk (3.1.12~ds-8+deb11u2) bullseye; urgency=high + + * Fix CVE-2022-22995. Harden create_appledesktop_folder. +closes: bug#1060773 + + -- Daniel Markstedt Sat, 10 Feb 2024 23:49:31 + + netatalk (3.1.12~ds-8+deb11u1) bullseye-security; urgency=high + * Fix CVE-2021-31439, CVE-2022-0194, CVE-2022-23121, CVE-2022-23122, diff -Nru netatalk-3.1.12~ds/debian/patches/CVE-2022-22995.patch netatalk-3.1.12~ds/debian/patches/CVE-2022-22995.patch --- netatalk-3.1.12~ds/debian/patches/CVE-2022-22995.patch 1970-01-01 00:00:00.0 + +++ netatalk-3.1.12~ds/debian/patches/CVE-2022-22995.patch 2024-02-10 23:40:03.0 + 
@@ -0,0 +1,63 @@ +Description: CVE-2022-22995 +Author: Daniel Markstedt +Origin: https://github.com/Netatalk/netatalk/commit/9eb6d9d0ac17dca210ccbf05476a925a6b379dfb.diff +--- +This patch header follows DEP-3: http://dep.debian.net/deps/dep3/ +--- a/etc/afpd/desktop.c b/etc/afpd/desktop.c +@@ -12,8 +12,10 @@ + #endif /* HAVE_CONFIG_H */ + + #include ++#include + #include + #include ++#include + + #include + +@@ -212,7 +214,6 @@ + { + bstring olddtpath = NULL, dtpath = NULL; + struct stat st; +-char *cmd_argv[4]; + + olddtpath = bfromcstr(vol->v_path); + bcatcstr(olddtpath, "/" APPLEDESKTOP); +@@ -220,27 +221,24 @@ + dtpath = bfromcstr(vol->v_dbpath); + bcatcstr(dtpath, "/" APPLEDESKTOP); + +-if (lstat(cfrombstr(dtpath), ) != 0) { +- +-become_root(); ++become_root(); + +-if (lstat(cfrombstr(olddtpath), ) == 0) { +-cmd_argv[0] = "mv"; +-cmd_argv[1] = bdata(olddtpath); +-cmd_argv[2] = bdata(dtpath); +-cmd_argv[3] = NULL; +-if (run_cmd("mv", cmd_argv) != 0) { +-LOG(log_error, logtype_afpd, "moving .AppleDesktop from \"%s\" to \"%s\" failed", ++if (lstat(cfrombstr(dtpath), ) != 0) { ++if ((lstat(cfrombstr(olddtpath), ) == 0) && (S_ISDIR(st.st_mode) != 0)) { ++ if (rename(bdata(olddtpath), bdata(dtpath)) != 0) { ++LOG(log_error, logtype_afpd, "moving .AppleDesktop from \"%s\" failed; creating new dir \"%s\"", + bdata(olddtpath), bdata(dtpath)); + mkdir(cfrombstr(dtpath), 0777); + } + } else { ++LOG(log_debug, logtype_afpd, "no valid .AppleDesktop dir found; creating new dir \"%s\"", ++bdata(dtpath)); + mkdir(cfrombstr(dtpath), 0777); + } +- +-unbecome_root(); + } + ++unbecome_root(); ++ + bdestroy(dtpath); + bdestroy(olddtpath); + } diff -Nru netatalk-3.1.12~ds/debian/patches/series netatalk-3.1.12~ds/debian/patches/series --- netatalk-3.1.12~ds/debian/patches/series2023-09-20 05:19:20.0 + +++ netatalk-3.1.12~ds/debian/patches/series2024-02-10 23:40:03.0 + 
@@ -28,3 +28,4 @@ CVE-2022-23121_regression.patch CVE-2022-23123_part6.patch CVE-2023-42464.patch +CVE-2022-22995.patch
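Review bot: in the debian/changelog stanza, `closes: bug#1060773` is accepted by dpkg-parsechangelog (the keyword is matched case-insensitively and the `bug` prefix is optional), but the conventional form is `Closes: #1060773`; the number is correctly the package bug rather than this bullseye-pu request (#1060774), which is tracked separately on release.debian.org. The entry would also help anyone auditing the update if it said what the hardening is, e.g. `* Fix CVE-2022-22995: replace run_cmd("mv") with rename(2) and an S_ISDIR() check in create_appledesktop_folder.`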
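Review bot: the DEP-3 header of CVE-2022-22995.patch is thin: `Description: CVE-2022-22995` is only the identifier, and `Origin:` carries a bare URL where DEP-3 expects a category keyword in front of it (`Origin: upstream, https://github.com/Netatalk/netatalk/commit/9eb6d9d0ac17dca210ccbf05476a925a6b379dfb.diff` if the commit diff was applied unchanged, `backport, ...` if it had to be adapted to 3.1.12). Add a one-line summary of the change, a `Bug-Debian: https://bugs.debian.org/1060773` and a `Bug:` pointing at the advisory URL already cited in this thread, so the patch explains itself without the mailing list.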
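Review bot: the two added `#include` lines in the first desktop.c hunk have lost their header names in this rendering; the new code calls rename(2) and S_ISDIR(), which need <stdio.h> and <sys/stat.h> respectively, so check that the patch file on disk carries exactly those two (and whether either is already pulled in elsewhere in desktop.c, in which case the addition is redundant rather than wrong).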
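Review bot: in the rewritten `create_appledesktop_folder` block, two behaviour changes need to be spelled out in the patch description. First, `rename()` replaces the external `mv`: unlike `mv`, rename(2) fails with EXDEV when `vol->v_path` and `vol->v_dbpath` sit on different filesystems, and the code then falls through to creating an empty `.AppleDesktop`, discarding the old desktop database; at minimum include `strerror(errno)` in the `log_error` message so an admin can tell EXDEV from EACCES, and consider a copy fallback for that case. Second, `become_root()` now brackets the initial `lstat(dtpath)` as well, so the whole function runs privileged; if that is intentional (dbpath not readable by the session user), say so, otherwise keep the original narrower scope. The `lstat()` + `S_ISDIR()` condition does reject a symlink or regular file planted at the old path, since lstat(2) does not follow symlinks, but it is still a check-then-act sequence on a directory the share owner controls, which is worth a comment. `mkdir(..., 0777)` remains unchecked on both paths; a log line on failure would help. Style: the `if (rename(bdata(olddtpath), bdata(dtpath)) != 0) {` line appears to be indented one column deeper than its neighbours. (The `&st` argument of the `lstat()` calls has been eaten by the rendering here, not by the patch.)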
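Review bot: appending `CVE-2022-22995.patch` at the end of debian/patches/series is the right position for a new patch, but since it applies after the CVE-2022-23123 part patches and CVE-2023-42464.patch, make sure the desktop.c hunk offsets were refreshed against the tree with those already pushed (`quilt push -a` in the unpacked source) rather than taken unchanged from the upstream commit diff named in `Origin:`.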
Bug#1060774: bullseye-pu: netatalk/3.1.12~ds-8+deb11u2
Control: tag -1 confirmed

On Sun, Feb 11, 2024 at 12:29:09AM +, Daniel Markstedt wrote:
> Please find a debdiff attached here. Is this adequate for doing the security
> release?
>
> Thank you!
>
> Daniel
> diff -Nru netatalk-3.1.12~ds/debian/changelog > netatalk-3.1.12~ds/debian/changelog > --- netatalk-3.1.12~ds/debian/changelog 2023-09-20 05:19:20.0 > + > +++ netatalk-3.1.12~ds/debian/changelog 2024-02-10 23:49:31.0 > + > @@ -1,3 +1,10 @@ > +netatalk (3.1.12~ds-8+deb11u2) bullseye-security; urgency=high > + > + * Fix CVE-2022-22995. Harden create_appledesktop_folder. > +closes: bug#1060773 > + > + -- Daniel Markstedt Sat, 10 Feb 2024 23:49:31 + > +

You should be targetting `bullseye` in the most recent changelog; with that
fixed, please go ahead.

Thanks,

--
Jonathan Wiltshire j...@debian.org
Debian Developer http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC 74C3 5394 479D D352 4C51
ed25519/0x196418AAEB74C8A1: CA619D65A72A7BADFC96D280196418AAEB74C8A1
Bug#1060774: bullseye-pu: netatalk/3.1.12~ds-8+deb11u2
Control: tags -1 - moreinfo

On Wednesday, February 7th, 2024 at 3:06 AM, Jonathan Wiltshire wrote:

> Hi,
>
> On Tue, Jan 16, 2024 at 08:30:52AM +, Daniel Markstedt wrote:
> > On Tue, Jan 16, 2024 at 02:53, Adam D. Barratt <a...@adam-barratt.org.uk> wrote:
> > > Control: tags -1 + moreinfo
> > >
> > > On Sun, 2024-01-14 at 06:23 +, Daniel Markstedt wrote:
> > > > CVE-2022-22995
> > > > Ref. advisory: https://netatalk.sourceforge.io/CVE-2022-22995.php
> > > >
> > > > The attached patch can be applied to Debian oldstable to address the
> > > > vulnerability.
> > >
> > > In order to approve an upload, we need to see a full source debdiff of
> > > the proposed new package, not just the isolated patch. Please remove
> > > the moreinfo tag when providing that.
> >
> > Adam, thanks for following up on this request.
> > I will work on a debdiff when I'm back home this coming weekend.
> > Right now I'm working offsite without access to a personal computer.
>
> Ping? It's now too late for 11.9 but your request can be considered for
> 11.10 if you send a debdiff.
>
> Thanks,
>
> --
> Jonathan Wiltshire j...@debian.org
> Debian Developer http://people.debian.org/~jmw
>
> 4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC 74C3 5394 479D D352 4C51
> ed25519/0x196418AAEB74C8A1: CA619D65A72A7BADFC96D280196418AAEB74C8A1

Jonathan,

Please find a debdiff attached here. Is this adequate for doing the security release?

Thank you!

Daniel

diff -Nru netatalk-3.1.12~ds/debian/changelog netatalk-3.1.12~ds/debian/changelog --- netatalk-3.1.12~ds/debian/changelog 2023-09-20 05:19:20.0 + +++ netatalk-3.1.12~ds/debian/changelog 2024-02-10 23:49:31.0 + 
@@ -1,3 +1,10 @@ +netatalk (3.1.12~ds-8+deb11u2) bullseye-security; urgency=high + + * Fix CVE-2022-22995. Harden create_appledesktop_folder. +closes: bug#1060773 + + -- Daniel Markstedt Sat, 10 Feb 2024 23:49:31 + + netatalk (3.1.12~ds-8+deb11u1) bullseye-security; urgency=high * Fix CVE-2021-31439, CVE-2022-0194, CVE-2022-23121, CVE-2022-23122, diff -Nru netatalk-3.1.12~ds/debian/patches/CVE-2022-22995.patch netatalk-3.1.12~ds/debian/patches/CVE-2022-22995.patch --- netatalk-3.1.12~ds/debian/patches/CVE-2022-22995.patch 1970-01-01 00:00:00.0 + +++ netatalk-3.1.12~ds/debian/patches/CVE-2022-22995.patch 2024-02-10 23:40:03.0 + 
@@ -0,0 +1,63 @@ +Description: CVE-2022-22995 +Author: Daniel Markstedt +Origin: https://github.com/Netatalk/netatalk/commit/9eb6d9d0ac17dca210ccbf05476a925a6b379dfb.diff +--- +This patch header follows DEP-3: http://dep.debian.net/deps/dep3/ +--- a/etc/afpd/desktop.c b/etc/afpd/desktop.c +@@ -12,8 +12,10 @@ + #endif /* HAVE_CONFIG_H */ + + #include ++#include + #include + #include ++#include + + #include + +@@ -212,7 +214,6 @@ + { + bstring olddtpath = NULL, dtpath = NULL; + struct stat st; +-char *cmd_argv[4]; + + olddtpath = bfromcstr(vol->v_path); + bcatcstr(olddtpath, "/" APPLEDESKTOP); +@@ -220,27 +221,24 @@ + dtpath = bfromcstr(vol->v_dbpath); + bcatcstr(dtpath, "/" APPLEDESKTOP); + +-if (lstat(cfrombstr(dtpath), ) != 0) { +- +-become_root(); ++become_root(); + +-if (lstat(cfrombstr(olddtpath), ) == 0) { +-cmd_argv[0] = "mv"; +-cmd_argv[1] = bdata(olddtpath); +-cmd_argv[2] = bdata(dtpath); +-cmd_argv[3] = NULL; +-if (run_cmd("mv", cmd_argv) != 0) { +-LOG(log_error, logtype_afpd, "moving .AppleDesktop from \"%s\" to \"%s\" failed", ++if (lstat(cfrombstr(dtpath), ) != 0) { ++if ((lstat(cfrombstr(olddtpath), ) == 0) && (S_ISDIR(st.st_mode) != 0)) { ++ if (rename(bdata(olddtpath), bdata(dtpath)) != 0) { ++LOG(log_error, logtype_afpd, "moving .AppleDesktop from \"%s\" failed; creating new dir \"%s\"", + bdata(olddtpath), bdata(dtpath)); + mkdir(cfrombstr(dtpath), 0777); + } + } else { ++LOG(log_debug, logtype_afpd, "no valid .AppleDesktop dir found; creating new dir \"%s\"", ++bdata(dtpath)); + mkdir(cfrombstr(dtpath), 0777); + } +- +-unbecome_root(); + } + ++unbecome_root(); ++ + bdestroy(dtpath); + bdestroy(olddtpath); + } diff -Nru netatalk-3.1.12~ds/debian/patches/series netatalk-3.1.12~ds/debian/patches/series --- netatalk-3.1.12~ds/debian/patches/series2023-09-20 05:19:20.0 + +++ netatalk-3.1.12~ds/debian/patches/series2024-02-10 23:40:03.0 + 
@@ -28,3 +28,4 @@ CVE-2022-23121_regression.patch CVE-2022-23123_part6.patch CVE-2023-42464.patch +CVE-2022-22995.patch
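Review bot: the new debian/changelog stanza targets `bullseye-security`, but this is a bullseye-pu request, i.e. a stable proposed-update through the release team rather than a DSA through the security team, so the distribution field must read `bullseye` (the archive maps that to bullseye-proposed-updates). The rest of the stanza, the version `3.1.12~ds-8+deb11u2` and `closes: bug#1060773`, is fine; the CVE patch and series hunks are the same as in the rev2 debdiff further up this thread.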
Bug#1060774: bullseye-pu: netatalk/3.1.12~ds-8+deb11u2
On Wed, Feb 7, 2024 at 03:06, Jonathan Wiltshire <j...@debian.org> wrote:
> Hi,
>
> On Tue, Jan 16, 2024 at 08:30:52AM +, Daniel Markstedt wrote:
>> On Tue, Jan 16, 2024 at 02:53, Adam D. Barratt <a...@adam-barratt.org.uk> wrote:
>>
>> > Control: tags -1 + moreinfo
>> >
>> > On Sun, 2024-01-14 at 06:23 +, Daniel Markstedt wrote:
>> >> CVE-2022-22995
>> >> Ref. advisory: https://netatalk.sourceforge.io/CVE-2022-22995.php
>> >>
>> >> The attached patch can be applied to Debian oldstable to address the
>> >> vulnerability.
>> >>
>> >
>> > In order to approve an upload, we need to see a full source debdiff of
>> > the proposed new package, not just the isolated patch. Please remove
>> > the moreinfo tag when providing that.
>>
>> Adam, thanks for following up on this request.
>> I will work on a debdiff when I'm back home this coming weekend.
>> Right now I'm working offsite without access to a personal computer.
>
> Ping? It's now too late for 11.9 but your request can be considered for
> 11.10 if you send a debdiff.
>
> Thanks,
>
> --
> Jonathan Wiltshire j...@debian.org
> Debian Developer http://people.debian.org/~jmw
>
> 4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC 74C3 5394 479D D352 4C51
> ed25519/0x196418AAEB74C8A1: CA619D65A72A7BADFC96D280196418AAEB74C8A1

Jonathan,

Thank you for the ping, and apologies for leaving you hanging. I have been working offsite for my employer more than anticipated lately, with small windows of opportunity for side projects. I'm planning to return home tomorrow, so if nothing unexpected happens I will have something for you shortly!

Best regards,
Daniel
Bug#1060774: bullseye-pu: netatalk/3.1.12~ds-8+deb11u2
Hi,

On Tue, Jan 16, 2024 at 08:30:52AM +, Daniel Markstedt wrote:
> On Tue, Jan 16, 2024 at 02:53, Adam D. Barratt <a...@adam-barratt.org.uk> wrote:
> > Control: tags -1 + moreinfo
> >
> > On Sun, 2024-01-14 at 06:23 +, Daniel Markstedt wrote:
> >> CVE-2022-22995
> >> Ref. advisory: https://netatalk.sourceforge.io/CVE-2022-22995.php
> >>
> >> The attached patch can be applied to Debian oldstable to address the
> >> vulnerability.
> >>
> >
> > In order to approve an upload, we need to see a full source debdiff of
> > the proposed new package, not just the isolated patch. Please remove
> > the moreinfo tag when providing that.
>
> Adam, thanks for following up on this request.
> I will work on a debdiff when I'm back home this coming weekend.
> Right now I'm working offsite without access to a personal computer.

Ping? It's now too late for 11.9 but your request can be considered for
11.10 if you send a debdiff.

Thanks,

--
Jonathan Wiltshire j...@debian.org
Debian Developer http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC 74C3 5394 479D D352 4C51
ed25519/0x196418AAEB74C8A1: CA619D65A72A7BADFC96D280196418AAEB74C8A1
Bug#1060774: bullseye-pu: netatalk/3.1.12~ds-8+deb11u2
On Tue, Jan 16, 2024 at 02:53, Adam D. Barratt <a...@adam-barratt.org.uk> wrote:
> Control: tags -1 + moreinfo
>
> On Sun, 2024-01-14 at 06:23 +, Daniel Markstedt wrote:
>> CVE-2022-22995
>> Ref. advisory: https://netatalk.sourceforge.io/CVE-2022-22995.php
>>
>> The attached patch can be applied to Debian oldstable to address the
>> vulnerability.
>>
>
> In order to approve an upload, we need to see a full source debdiff of
> the proposed new package, not just the isolated patch. Please remove
> the moreinfo tag when providing that.

Adam, thanks for following up on this request.
I will work on a debdiff when I'm back home this coming weekend.
Right now I'm working offsite without access to a personal computer.

>> I'm proposing an oldstable out-of-release-cycle upload: 3.1.12~ds-8+deb11u2
>
> I'm not entirely sure what you mean by an "out-of-release-cycle upload"
> here.
>
> Regards,
>
> Adam

Please disregard the above; I got confused with the Ubuntu process.

Sincerely,
Daniel
Bug#1060774: bullseye-pu: netatalk/3.1.12~ds-8+deb11u2
Control: tags -1 + moreinfo

On Sun, 2024-01-14 at 06:23 +, Daniel Markstedt wrote:
> CVE-2022-22995
> Ref. advisory: https://netatalk.sourceforge.io/CVE-2022-22995.php
>
> The attached patch can be applied to Debian oldstable to address the
> vulnerability.
>

In order to approve an upload, we need to see a full source debdiff of
the proposed new package, not just the isolated patch. Please remove
the moreinfo tag when providing that.

> I'm proposing an oldstable out-of-release-cycle upload: 3.1.12~ds-8+deb11u2

I'm not entirely sure what you mean by an "out-of-release-cycle upload"
here.

Regards,

Adam
Bug#1060774: bullseye-pu: netatalk/3.1.12~ds-8+deb11u2
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: jo...@jones.dk

Upstream netatalk has patched a CVE security vulnerability: CVE-2022-22995
Ref. advisory: https://netatalk.sourceforge.io/CVE-2022-22995.php

The attached patch can be applied to Debian oldstable to address the vulnerability.

I'm proposing an oldstable out-of-release-cycle upload: 3.1.12~ds-8+deb11u2

Sincerely,
Daniel Markstedt

From 3bf8b9032afcdbb5547abf420697a78c9d9b35a5 Mon Sep 17 00:00:00 2001 From: Daniel Markstedt Date: Sun, 14 Jan 2024 14:26:19 +0900 Subject: [PATCH] Netatalk CVE-2022-22995 patch --- debian/patches/CVE-2022-22995.patch | 63 + debian/patches/series | 1 + 2 files changed, 64 insertions(+) create mode 100644 debian/patches/CVE-2022-22995.patch diff --git a/debian/patches/CVE-2022-22995.patch b/debian/patches/CVE-2022-22995.patch new file mode 100644 index ..63101426 --- /dev/null +++ b/debian/patches/CVE-2022-22995.patch 
@@ -0,0 +1,63 @@ +Description: CVE-2022-22995 +Author: Daniel Markstedt +Origin: https://github.com/Netatalk/netatalk/commit/9eb6d9d0ac17dca210ccbf05476a925a6b379dfb.diff +--- +This patch header follows DEP-3: http://dep.debian.net/deps/dep3/ +--- a/etc/afpd/desktop.c b/etc/afpd/desktop.c +@@ -12,8 +12,10 @@ + #endif /* HAVE_CONFIG_H */ + + #include ++#include + #include + #include ++#include + + #include + +@@ -212,7 +214,6 @@ + { + bstring olddtpath = NULL, dtpath = NULL; + struct stat st; +-char *cmd_argv[4]; + + olddtpath = bfromcstr(vol->v_path); + bcatcstr(olddtpath, "/" APPLEDESKTOP); +@@ -220,27 +221,24 @@ + dtpath = bfromcstr(vol->v_dbpath); + bcatcstr(dtpath, "/" APPLEDESKTOP); + +-if (lstat(cfrombstr(dtpath), ) != 0) { +- +-become_root(); ++become_root(); + +-if (lstat(cfrombstr(olddtpath), ) == 0) { +-cmd_argv[0] = "mv"; +-cmd_argv[1] = bdata(olddtpath); +-cmd_argv[2] = bdata(dtpath); +-cmd_argv[3] = NULL; +-if (run_cmd("mv", cmd_argv) != 0) { +-LOG(log_error, logtype_afpd, "moving .AppleDesktop from \"%s\" to \"%s\" failed", ++if (lstat(cfrombstr(dtpath), ) != 0) { ++if ((lstat(cfrombstr(olddtpath), ) == 0) && (S_ISDIR(st.st_mode) != 0)) { ++ if (rename(bdata(olddtpath), bdata(dtpath)) != 0) { ++LOG(log_error, logtype_afpd, "moving .AppleDesktop from \"%s\" failed; creating new dir \"%s\"", + bdata(olddtpath), bdata(dtpath)); + mkdir(cfrombstr(dtpath), 0777); + } + } else { ++LOG(log_debug, logtype_afpd, "no valid .AppleDesktop dir found; creating new dir \"%s\"", ++bdata(dtpath)); + mkdir(cfrombstr(dtpath), 0777); + } +- +-unbecome_root(); + } + ++unbecome_root(); ++ + bdestroy(dtpath); + bdestroy(olddtpath); + } diff --git a/debian/patches/series b/debian/patches/series index 3f69b779..70f4bce8 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -28,3 +28,4 @@ CVE-2022-23123_part5.patch CVE-2022-23121_regression.patch CVE-2022-23123_part6.patch CVE-2023-42464.patch +CVE-2022-22995.patch -- 2.39.2
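Review bot: this git commit touches only `debian/patches/CVE-2022-22995.patch` and `debian/patches/series`; there is no `debian/changelog` stanza, so the proposed version `3.1.12~ds-8+deb11u2` from the mail appears nowhere in the diff and the target distribution and the bug being closed cannot be checked from it. A pu request needs a full source debdiff against `3.1.12~ds-8+deb11u1` that includes the changelog entry, with the distribution set to `bullseye`.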