Bug#1060774: bullseye-pu: netatalk/3.1.12~ds-8+deb11u2
X-Debbugs-Cc: pkg-netatalk-de...@alioth-lists.debian.net On Wednesday, February 21st, 2024 at 4:56 PM, Jonathan Wiltshire wrote: > > > You should be targetting `bullseye` in the most recent changelog; with that > fixed, please go ahead. > > Thanks, > > -- > Jonathan Wiltshire j...@debian.org > Debian Developer http://people.debian.org/~jmw > > 4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC 74C3 5394 479D D352 4C51 > ed25519/0x196418AAEB74C8A1: CA619D65A72A7BADFC96D280196418AAEB74C8A1 Jonathan, Thanks for reviewing the debdiff. Here is a rev2 version that targets bullseye in the latest changelog. Please confirm that this is what you meant. (It's the first time I go through this process so want to make sure I don't make obvious mistakes.) If it looks good, I will arrange for this to get uploaded. Best, Danieldiff -Nru netatalk-3.1.12~ds/debian/changelog netatalk-3.1.12~ds/debian/changelog --- netatalk-3.1.12~ds/debian/changelog 2023-09-20 05:19:20.0 + +++ netatalk-3.1.12~ds/debian/changelog 2024-02-10 23:49:31.0 + @@ -1,3 +1,10 @@ +netatalk (3.1.12~ds-8+deb11u2) bullseye; urgency=high + + * Fix CVE-2022-22995. Harden create_appledesktop_folder. +closes: bug#1060773 + + -- Daniel Markstedt Sat, 10 Feb 2024 23:49:31 + + netatalk (3.1.12~ds-8+deb11u1) bullseye-security; urgency=high * Fix CVE-2021-31439, CVE-2022-0194, CVE-2022-23121, CVE-2022-23122, diff -Nru netatalk-3.1.12~ds/debian/patches/CVE-2022-22995.patch netatalk-3.1.12~ds/debian/patches/CVE-2022-22995.patch --- netatalk-3.1.12~ds/debian/patches/CVE-2022-22995.patch 1970-01-01 00:00:00.0 + +++ netatalk-3.1.12~ds/debian/patches/CVE-2022-22995.patch 2024-02-10 23:40:03.0 + 
@@ -0,0 +1,63 @@ +Description: CVE-2022-22995 +Author: Daniel Markstedt +Origin: https://github.com/Netatalk/netatalk/commit/9eb6d9d0ac17dca210ccbf05476a925a6b379dfb.diff +--- +This patch header follows DEP-3: http://dep.debian.net/deps/dep3/ +--- a/etc/afpd/desktop.c b/etc/afpd/desktop.c +@@ -12,8 +12,10 @@ + #endif /* HAVE_CONFIG_H */ + + #include ++#include + #include + #include ++#include + + #include + +@@ -212,7 +214,6 @@ + { + bstring olddtpath = NULL, dtpath = NULL; + struct stat st; +-char *cmd_argv[4]; + + olddtpath = bfromcstr(vol->v_path); + bcatcstr(olddtpath, "/" APPLEDESKTOP); +@@ -220,27 +221,24 @@ + dtpath = bfromcstr(vol->v_dbpath); + bcatcstr(dtpath, "/" APPLEDESKTOP); + +-if (lstat(cfrombstr(dtpath), ) != 0) { +- +-become_root(); ++become_root(); + +-if (lstat(cfrombstr(olddtpath), ) == 0) { +-cmd_argv[0] = "mv"; +-cmd_argv[1] = bdata(olddtpath); +-cmd_argv[2] = bdata(dtpath); +-cmd_argv[3] = NULL; +-if (run_cmd("mv", cmd_argv) != 0) { +-LOG(log_error, logtype_afpd, "moving .AppleDesktop from \"%s\" to \"%s\" failed", ++if (lstat(cfrombstr(dtpath), ) != 0) { ++if ((lstat(cfrombstr(olddtpath), ) == 0) && (S_ISDIR(st.st_mode) != 0)) { ++ if (rename(bdata(olddtpath), bdata(dtpath)) != 0) { ++LOG(log_error, logtype_afpd, "moving .AppleDesktop from \"%s\" failed; creating new dir \"%s\"", + bdata(olddtpath), bdata(dtpath)); + mkdir(cfrombstr(dtpath), 0777); + } + } else { ++LOG(log_debug, logtype_afpd, "no valid .AppleDesktop dir found; creating new dir \"%s\"", ++bdata(dtpath)); + mkdir(cfrombstr(dtpath), 0777); + } +- +-unbecome_root(); + } + ++unbecome_root(); ++ + bdestroy(dtpath); + bdestroy(olddtpath); + } diff -Nru netatalk-3.1.12~ds/debian/patches/series netatalk-3.1.12~ds/debian/patches/series --- netatalk-3.1.12~ds/debian/patches/series2023-09-20 05:19:20.0 + +++ netatalk-3.1.12~ds/debian/patches/series2024-02-10 23:40:03.0 + 
@@ -28,3 +28,4 @@ CVE-2022-23121_regression.patch CVE-2022-23123_part6.patch CVE-2023-42464.patch +CVE-2022-22995.patch
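Review bot: become_root() in the desktop.c hunk now precedes the lstat() of dtpath instead of sitting inside the "directory missing" branch, so every call of create_appledesktop_folder elevates even when the folder already exists and nothing needs creating; if the lstat is intended to run as root (for instance because vol->v_dbpath is not readable by the session user) a comment saying so would help, otherwise moving the become_root()/unbecome_root() pair back inside the `if (lstat(cfrombstr(dtpath), ...) != 0)` branch keeps the privileged window as small as it was. In the same hunk both `mkdir(cfrombstr(dtpath), 0777);` calls still discard their return value; a LOG on failure would make the fallback path observable.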
Bug#1032236: netatalk2 repo in Salsa
X-Debbugs-CC: pkg-netatalk-de...@alioth-lists.debian.net I have now prepared a git repository for netatalk2, living in the same Salsa project as netatalk (v3), in a "debian/old" branch (and "upstream/old"): https://salsa.debian.org/netatalk-team/netatalk/-/tree/debian/old?ref_type=heads This branch was branched off the historical 2.2.6 deb, with all of the subsequent improvements in the 3.x line of releases backported to the "old" branch. I have brought this code up to date with the latest upstream netatalk v2.3.1 release code. All lintian reported errors and warnings have been addressed. Copyright information has been refreshed. The code can be built with debuild and a functioning deb package gets created. I think this software is ready to be considered for packaging in Debian now. If a Debian development team member reads this, please let me know how to take this to the next stage in the packaging evaluation process! Sincerely, Daniel Markstedt
Bug#1060774: bullseye-pu: netatalk/3.1.12~ds-8+deb11u2
Control: tags -1 - moreinfo

On Wednesday, February 7th, 2024 at 3:06 AM, Jonathan Wiltshire wrote:
> Hi,
>
> On Tue, Jan 16, 2024 at 08:30:52AM +, Daniel Markstedt wrote:
> > On Tue, 16 Jan 2024 at 02:53, Adam D. Barratt <a...@adam-barratt.org.uk> wrote:
> > > Control: tags -1 + moreinfo
> > >
> > > On Sun, 2024-01-14 at 06:23 +, Daniel Markstedt wrote:
> > > > CVE-2022-22995
> > > > Ref. advisory: https://netatalk.sourceforge.io/CVE-2022-22995.php
> > > >
> > > > The attached patch can be applied to Debian oldstable to address the
> > > > vulnerability.
> > >
> > > In order to approve an upload, we need to see a full source debdiff of
> > > the proposed new package, not just the isolated patch. Please remove
> > > the moreinfo tag when providing that.
> >
> > Adam, thanks for following up on this request.
> > I will work on a debdiff when I’m back home this coming weekend.
> > Right now I’m working offsite without access to a personal computer.
>
> Ping? It's now too late for 11.9 but your request can be considered for
> 11.10 if you send a debdiff.
>
> Thanks,
>
> --
> Jonathan Wiltshire j...@debian.org
> Debian Developer http://people.debian.org/~jmw
>
> 4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC 74C3 5394 479D D352 4C51
> ed25519/0x196418AAEB74C8A1: CA619D65A72A7BADFC96D280196418AAEB74C8A1

Jonathan,

Please find a debdiff attached here. Is this adequate for doing the security release?

Thank you!
Daniel

diff -Nru netatalk-3.1.12~ds/debian/changelog netatalk-3.1.12~ds/debian/changelog --- netatalk-3.1.12~ds/debian/changelog 2023-09-20 05:19:20.0 + +++ netatalk-3.1.12~ds/debian/changelog 2024-02-10 23:49:31.0 + 
@@ -1,3 +1,10 @@ +netatalk (3.1.12~ds-8+deb11u2) bullseye-security; urgency=high + + * Fix CVE-2022-22995. Harden create_appledesktop_folder. +closes: bug#1060773 + + -- Daniel Markstedt Sat, 10 Feb 2024 23:49:31 + + netatalk (3.1.12~ds-8+deb11u1) bullseye-security; urgency=high * Fix CVE-2021-31439, CVE-2022-0194, CVE-2022-23121, CVE-2022-23122, diff -Nru netatalk-3.1.12~ds/debian/patches/CVE-2022-22995.patch netatalk-3.1.12~ds/debian/patches/CVE-2022-22995.patch --- netatalk-3.1.12~ds/debian/patches/CVE-2022-22995.patch 1970-01-01 00:00:00.0 + +++ netatalk-3.1.12~ds/debian/patches/CVE-2022-22995.patch 2024-02-10 23:40:03.0 + 
@@ -0,0 +1,63 @@ +Description: CVE-2022-22995 +Author: Daniel Markstedt +Origin: https://github.com/Netatalk/netatalk/commit/9eb6d9d0ac17dca210ccbf05476a925a6b379dfb.diff +--- +This patch header follows DEP-3: http://dep.debian.net/deps/dep3/ +--- a/etc/afpd/desktop.c b/etc/afpd/desktop.c +@@ -12,8 +12,10 @@ + #endif /* HAVE_CONFIG_H */ + + #include ++#include + #include + #include ++#include + + #include + +@@ -212,7 +214,6 @@ + { + bstring olddtpath = NULL, dtpath = NULL; + struct stat st; +-char *cmd_argv[4]; + + olddtpath = bfromcstr(vol->v_path); + bcatcstr(olddtpath, "/" APPLEDESKTOP); +@@ -220,27 +221,24 @@ + dtpath = bfromcstr(vol->v_dbpath); + bcatcstr(dtpath, "/" APPLEDESKTOP); + +-if (lstat(cfrombstr(dtpath), ) != 0) { +- +-become_root(); ++become_root(); + +-if (lstat(cfrombstr(olddtpath), ) == 0) { +-cmd_argv[0] = "mv"; +-cmd_argv[1] = bdata(olddtpath); +-cmd_argv[2] = bdata(dtpath); +-cmd_argv[3] = NULL; +-if (run_cmd("mv", cmd_argv) != 0) { +-LOG(log_error, logtype_afpd, "moving .AppleDesktop from \"%s\" to \"%s\" failed", ++if (lstat(cfrombstr(dtpath), ) != 0) { ++if ((lstat(cfrombstr(olddtpath), ) == 0) && (S_ISDIR(st.st_mode) != 0)) { ++ if (rename(bdata(olddtpath), bdata(dtpath)) != 0) { ++LOG(log_error, logtype_afpd, "moving .AppleDesktop from \"%s\" failed; creating new dir \"%s\"", + bdata(olddtpath), bdata(dtpath)); + mkdir(cfrombstr(dtpath), 0777); + } + } else { ++LOG(log_debug, logtype_afpd, "no valid .AppleDesktop dir found; creating new dir \"%s\"", ++bdata(dtpath)); + mkdir(cfrombstr(dtpath), 0777); + } +- +-unbecome_root(); + } + ++unbecome_root(); ++ + bdestroy(dtpath); + bdestroy(olddtpath); + } diff -Nru netatalk-3.1.12~ds/debian/patches/series netatalk-3.1.12~ds/debian/patches/series --- netatalk-3.1.12~ds/debian/patches/series2023-09-20 05:19:20.0 + +++ netatalk-3.1.12~ds/debian/patches/series2024-02-10 23:40:03.0 + 
@@ -28,3 +28,4 @@ CVE-2022-23121_regression.patch CVE-2022-23123_part6.patch CVE-2023-42464.patch +CVE-2022-22995.patch
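Review bot: the changelog hunk targets bullseye-security, but this is a point-release request handled by the release team (Usertags: pu), where the distribution field should read bullseye; the remainder of the entry (version 3.1.12~ds-8+deb11u2, "closes: bug#1060773") is consistent with the request, so only the distribution needs changing.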
Bug#1060774: bullseye-pu: netatalk/3.1.12~ds-8+deb11u2
On Wed, 7 Feb 2024 at 03:06, Jonathan Wiltshire <j...@debian.org> wrote:
> Hi,
>
> On Tue, Jan 16, 2024 at 08:30:52AM +, Daniel Markstedt wrote:
> > On Tue, 16 Jan 2024 at 02:53, Adam D. Barratt <a...@adam-barratt.org.uk> wrote:
> > > Control: tags -1 + moreinfo
> > >
> > > On Sun, 2024-01-14 at 06:23 +, Daniel Markstedt wrote:
> > > > CVE-2022-22995
> > > > Ref. advisory: https://netatalk.sourceforge.io/CVE-2022-22995.php
> > > >
> > > > The attached patch can be applied to Debian oldstable to address the
> > > > vulnerability.
> > >
> > > In order to approve an upload, we need to see a full source debdiff of
> > > the proposed new package, not just the isolated patch. Please remove
> > > the moreinfo tag when providing that.
> >
> > Adam, thanks for following up on this request.
> > I will work on a debdiff when I’m back home this coming weekend.
> > Right now I’m working offsite without access to a personal computer.
>
> Ping? It's now too late for 11.9 but your request can be considered for
> 11.10 if you send a debdiff.
>
> Thanks,
>
> --
> Jonathan Wiltshire j...@debian.org
> Debian Developer http://people.debian.org/~jmw
>
> 4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC 74C3 5394 479D D352 4C51
> ed25519/0x196418AAEB74C8A1: CA619D65A72A7BADFC96D280196418AAEB74C8A1

Jonathan,

Thank you for the ping, and apologies for leaving you hanging. I have been working offsite for my employer more than anticipated lately, with small windows of opportunity for side projects. I’m planning to return home tomorrow so if nothing unexpected happens I will have something for you shortly!

Best regards,
Daniel
Bug#1060774: bullseye-pu: netatalk/3.1.12~ds-8+deb11u2
On Tue, 16 Jan 2024 at 02:53, Adam D. Barratt <a...@adam-barratt.org.uk> wrote:
> Control: tags -1 + moreinfo
>
> On Sun, 2024-01-14 at 06:23 +, Daniel Markstedt wrote:
> > CVE-2022-22995
> > Ref. advisory: https://netatalk.sourceforge.io/CVE-2022-22995.php
> >
> > The attached patch can be applied to Debian oldstable to address the
> > vulnerability.
>
> In order to approve an upload, we need to see a full source debdiff of
> the proposed new package, not just the isolated patch. Please remove
> the moreinfo tag when providing that.

Adam, thanks for following up on this request.
I will work on a debdiff when I’m back home this coming weekend.
Right now I’m working offsite without access to a personal computer.

> > I'm proposing an oldstable out-of-release-cycle upload: 3.1.12~ds-
> > 8+deb11u2
>
> I'm not entirely sure what you mean by an "out-of-release-cycle upload"
> here.
>
> Regards,
>
> Adam

Please disregard the above; I got confused with the Ubuntu process.

Sincerely,
Daniel
Bug#1060774: Bug ticket
This is the relevant bug ticket for the netatalk package: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1060773
Bug#1060773: Filed an upload request to release team
I prepared a deb patch and filed this upload request with the release team: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1060774
Bug#1060774: bullseye-pu: netatalk/3.1.12~ds-8+deb11u2
Package: release.debian.org Severity: normal Tags: bullseye User: release.debian@packages.debian.org Usertags: pu X-Debbugs-Cc: jo...@jones.dk Upstream netatalk has patched a CVE security vulnerability; CVE-2022-22995 Ref. advisory: https://netatalk.sourceforge.io/CVE-2022-22995.php The attached patch can be applied to Debian oldstable to address the vulnerability. I'm proposing an oldstable out-of-release-cycle upload: 3.1.12~ds-8+deb11u2 Sincerely, Daniel MarkstedtFrom 3bf8b9032afcdbb5547abf420697a78c9d9b35a5 Mon Sep 17 00:00:00 2001 From: Daniel Markstedt Date: Sun, 14 Jan 2024 14:26:19 +0900 Subject: [PATCH] Netatalk CVE-2022-22995 patch --- debian/patches/CVE-2022-22995.patch | 63 + debian/patches/series | 1 + 2 files changed, 64 insertions(+) create mode 100644 debian/patches/CVE-2022-22995.patch diff --git a/debian/patches/CVE-2022-22995.patch b/debian/patches/CVE-2022-22995.patch new file mode 100644 index ..63101426 --- /dev/null +++ b/debian/patches/CVE-2022-22995.patch 
@@ -0,0 +1,63 @@ +Description: CVE-2022-22995 +Author: Daniel Markstedt +Origin: https://github.com/Netatalk/netatalk/commit/9eb6d9d0ac17dca210ccbf05476a925a6b379dfb.diff +--- +This patch header follows DEP-3: http://dep.debian.net/deps/dep3/ +--- a/etc/afpd/desktop.c b/etc/afpd/desktop.c +@@ -12,8 +12,10 @@ + #endif /* HAVE_CONFIG_H */ + + #include ++#include + #include + #include ++#include + + #include + +@@ -212,7 +214,6 @@ + { + bstring olddtpath = NULL, dtpath = NULL; + struct stat st; +-char *cmd_argv[4]; + + olddtpath = bfromcstr(vol->v_path); + bcatcstr(olddtpath, "/" APPLEDESKTOP); +@@ -220,27 +221,24 @@ + dtpath = bfromcstr(vol->v_dbpath); + bcatcstr(dtpath, "/" APPLEDESKTOP); + +-if (lstat(cfrombstr(dtpath), ) != 0) { +- +-become_root(); ++become_root(); + +-if (lstat(cfrombstr(olddtpath), ) == 0) { +-cmd_argv[0] = "mv"; +-cmd_argv[1] = bdata(olddtpath); +-cmd_argv[2] = bdata(dtpath); +-cmd_argv[3] = NULL; +-if (run_cmd("mv", cmd_argv) != 0) { +-LOG(log_error, logtype_afpd, "moving .AppleDesktop from \"%s\" to \"%s\" failed", ++if (lstat(cfrombstr(dtpath), ) != 0) { ++if ((lstat(cfrombstr(olddtpath), ) == 0) && (S_ISDIR(st.st_mode) != 0)) { ++ if (rename(bdata(olddtpath), bdata(dtpath)) != 0) { ++LOG(log_error, logtype_afpd, "moving .AppleDesktop from \"%s\" failed; creating new dir \"%s\"", + bdata(olddtpath), bdata(dtpath)); + mkdir(cfrombstr(dtpath), 0777); + } + } else { ++LOG(log_debug, logtype_afpd, "no valid .AppleDesktop dir found; creating new dir \"%s\"", ++bdata(dtpath)); + mkdir(cfrombstr(dtpath), 0777); + } +- +-unbecome_root(); + } + ++unbecome_root(); ++ + bdestroy(dtpath); + bdestroy(olddtpath); + } diff --git a/debian/patches/series b/debian/patches/series index 3f69b779..70f4bce8 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -28,3 +28,4 @@ CVE-2022-23123_part5.patch CVE-2022-23121_regression.patch CVE-2022-23123_part6.patch CVE-2023-42464.patch +CVE-2022-22995.patch -- 2.39.2
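Review bot: in the desktop.c hunk, rename(bdata(olddtpath), bdata(dtpath)) fails with EXDEV whenever vol->v_path and vol->v_dbpath live on different filesystems, a case the removed run_cmd("mv", cmd_argv) handled by copying; the new fallback then creates an empty .AppleDesktop under v_dbpath and leaves the old one behind in the share. That is the safe choice, but the log_error message does not say why the move failed, so appending strerror(errno) to that LOG line (and mentioning the behaviour in the changelog) would help administrators understand a sudden loss of desktop metadata after the upgrade.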
Bug#1060773: CVE-2022-22995: afpd daemon vulnerable to symlink redirection
Package: netatalk Version: 3.1.12~ds-8+deb11u1 Severity: normal Tags: security X-Debbugs-Cc: t...@security.debian.org, pkg-netatalk-de...@alioth-lists.debian.net, Debian Security Team This is for tracking the fix for security vulnerability CVE-2022-22995 in Debian Oldstable (Bullseye) Upstream advisory at: https://netatalk.sourceforge.io/CVE-2022-22995.php Note that this has already been patched in oldoldstable (by the security team) and in unstable (by the package maintainers.) -- System Information: Debian Release: 11.7 APT prefers oldstable APT policy: (500, 'oldstable') Architecture: amd64 (x86_64) Kernel: Linux 6.1.0-12-amd64 (SMP w/4 CPU threads; PREEMPT) Locale: LANG=C, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE not set Shell: /bin/sh linked to /bin/dash Init: unable to detect Versions of packages netatalk depends on: ii init-system-helpers 1.60 ii libacl1 2.2.53-10 ii libavahi-client3 0.8-5+deb11u2 ii libavahi-common3 0.8-5+deb11u2 ii libc62.31-13+deb11u6 ii libcrack22.9.6-3.4 ii libcrypt11:4.4.18-4 ii libdb5.3 5.3.28+dfsg1-0.8 ii libdbus-glib-1-2 0.110-6 ii libevent-2.1-7 2.1.12-stable-1 ii libgcrypt20 1.8.7-6 ii libglib2.0-0 2.66.8-1 ii libgssapi-krb5-2 1.18.3-6+deb11u3 ii libkrb5-31.18.3-6+deb11u3 ii libldap-2.4-22.4.57+dfsg-3+deb11u1 ii libmariadb3 1:10.5.19-0+deb11u2 ii libpam-modules 1.4.0-9+deb11u1 ii libpam0g 1.4.0-9+deb11u1 ii libssl1.11.1.1n-0+deb11u4 ii libtalloc2 2.3.1-2+b1 ii libtdb1 1.4.3-1+b1 ii libtracker-sparql-2.0-0 2.3.6-2 ii libwrap0 7.6.q-31 ii lsb-base 11.1.0 ii netbase 6.3 ii perl 5.32.1-4+deb11u2 Versions of packages netatalk recommends: ii avahi-daemon 0.8-5+deb11u2 ii cracklib-runtime 2.9.6-3.4 ii dbus 1.12.24-0+deb11u1 ii lsof 4.93.2+dfsg-1.1 ii procps2:3.3.17-5 ii python3 3.9.2-3 ii python3-dbus 1.2.16-5 ii tracker 2.3.6-2 Versions of packages netatalk suggests: pn quota -- no debconf information
Bug#568601: [Pkg-netatalk-devel] Bug#568601: Bug#568601: Can confirm this problem still exists
Hi Matijs,

I totally get your point and agree that this situation is not ideal. Unfortunately, I don't think the exact dependent package version is something that we as package managers can or should hard code in this fashion.

Look at the "debian/control" file in the package repo:
https://salsa.debian.org/netatalk-team/netatalk/-/blob/debian/latest/debian/control#L20

See that "libgcrypt20-dev" is defined as a dependency without specifying a version. It is actually debbuild (I think) that resolves the exact version dependency when it builds the package for a particular Debian version. Hence, when debbuild builds a package for Bookworm Stable, the dependency resolves as libgcrypt20-dev==1.10.1 and when it's built for Unstable it gets resolved as libgcrypt20-dev==1.10.2. So when you install the Unstable package on Bookworm you run into this dependency problem with libgcrypt20-dev.

Someone who knows Debian better could correct me if I'm wrong. :)

Does this make sense?

Daniel

On Friday, December 1st, 2023 at 6:01 PM, Matijs van Zuijlen wrote:
> Hi Daniel,
>
> Indeed, I am running Debian stable on my server with just netatalk and
> some of its dependencies from testing, so my setup is a bit unconventional.
>
> This is in fact the case because Netatalk was dropped from Debian 12,
> and I didn't want to keep running the old version which has a security
> issue.
>
> However, I think installing netatalk from any Debian version should
> still pull in the correct version of libgcrypt. Isn't that something
> that can be addressed in the netatalk package? I can imagine later
> versions of netatalk would need still newer versions of libgcrypt. The
> current dependency specification would fail to pull those in.
>
> Kind regards,
> Matijs van Zuijlen
>
> On 01/12/2023 00:42, Daniel Markstedt wrote:
> > Hi Matijs,
> >
> > This is not something we can address in the netatalk package itself, since
> > you're using an Unstable netatalk package with a Stable Debian version.
> > (Netatalk was dropped from Debian 12 Bookworm.)
> >
> > See this upstream discussion for more details:
> > https://github.com/Netatalk/netatalk/discussions/574
> >
> > Best regards,
> > Daniel
> >
> > On Thursday, November 30th, 2023 at 11:05 PM, Matijs van Zuijlen
> > mat...@matijs.net wrote:
> > > Dear maintainer,
> > >
> > > This problem still exists. I installed netatalk from testing on a Debian
> > > server running stable, and libgcrypt was not updated at the same time
> > > because the dependency in the netatalk package specifies '>= 1.10.0',
> > > which matches the stable version 1.10.1, while testing's netatalk
> > > actually needs libgcrypt 1.10.2. This led to a flood of errors in the
> > > logs. Updating the libgcrypt package to the testing version (1.10.2)
> > > fixed that problem.
> > >
> > > As far as I can tell, the solution would be for the netatalk package to
> > > depend on (at least?) the libgcrypt version it was compiled with.
> > >
> > > --
> > > Kind regards,
> > > Matijs van Zuijlen
> > >
> > > --
> > > pkg-netatalk-devel mailing list
> > > pkg-netatalk-de...@alioth-lists.debian.net
> > > https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-netatalk-devel
Bug#568601: [Pkg-netatalk-devel] Bug#568601: Can confirm this problem still exists
Hi Matijs,

This is not something we can address in the netatalk package itself, since you're using an Unstable netatalk package with a Stable Debian version. (Netatalk was dropped from Debian 12 Bookworm.)

See this upstream discussion for more details:
https://github.com/Netatalk/netatalk/discussions/574

Best regards,
Daniel

On Thursday, November 30th, 2023 at 11:05 PM, Matijs van Zuijlen wrote:
> Dear maintainer,
>
> This problem still exists. I installed netatalk from testing on a Debian
> server running stable, and libgcrypt was not updated at the same time
> because the dependency in the netatalk package specifies '>= 1.10.0',
> which matches the stable version 1.10.1, while testing's netatalk
> actually needs libgcrypt 1.10.2. This led to a flood of errors in the
> logs. Updating the libgcrypt package to the testing version (1.10.2)
> fixed that problem.
>
> As far as I can tell, the solution would be for the netatalk package to
> depend on (at least?) the libgcrypt version it was compiled with.
>
> --
> Kind regards,
> Matijs van Zuijlen
>
> --
> pkg-netatalk-devel mailing list
> pkg-netatalk-de...@alioth-lists.debian.net
> https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-netatalk-devel
Bug#1053545: CVE-2022-22995: netatalk afpd vulnerable to symlink spoofing
Package: netatalk Version: 3.1.12~ds-3 Severity: critical Tags: security Justification: root security hole X-Debbugs-Cc: pkg-netatalk-de...@alioth-lists.debian.net, Debian Security Team Under very specific circumstances, netatalk can be tricked into copying a symlink or other malicious file from the shared volume into a restricted place in the file system, potentially achieving remote code execution. All versions of netatalk from 3.1.0 to 3.1.17 are vulnerable. The CVE-2022-22995 advisory was published over a year ago, but the details of the exploit weren't disclosed at the time: https://nvd.nist.gov/vuln/detail/cve-2022-22995 It was only recently that we in the upstream team were able to get in touch with original security researchers to gain enough insights to formulate a patch and publish our own security advisory: https://netatalk.sourceforge.io/CVE-2022-22995.php
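The hardened behaviour the advisory and the Debian patch describe (lstat the old .AppleDesktop, accept it only if it is a real directory, move it with rename(2) rather than spawning mv, otherwise create a fresh directory) can be exercised in isolation. The block below is an added example written for this page, not netatalk's own code: migrate_desktop_dir, scenario_ok and the dt_result names are this example's own, and the scratch tree under /tmp with a dangling symlink standing in for a planted entry is constructed.

```c
/* Added example, not netatalk's code: a hardened .AppleDesktop migration
 * modelled on the CVE-2022-22995 fix (lstat + S_ISDIR + rename(2), no mv). */
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>
#include <sys/types.h>

enum dt_result {
    DT_PRESENT = 0,           /* destination already exists: nothing to do */
    DT_MOVED,                 /* old directory renamed into place */
    DT_CREATED_NO_SOURCE,     /* no old entry in the share: fresh directory made */
    DT_CREATED_REJECTED,      /* old entry is not a real directory: left in place */
    DT_CREATED_RENAME_FAILED, /* rename() failed (e.g. EXDEV): fresh directory made */
    DT_ERROR                  /* could not create the destination */
};

static enum dt_result fresh_dir(const char *path, enum dt_result outcome)
{
    return mkdir(path, 0777) == 0 ? outcome : DT_ERROR;
}

/* Move oldpath to newpath only when oldpath is a genuine directory; anything
 * else (symlink, regular file) stays where it is and a new directory is made. */
enum dt_result migrate_desktop_dir(const char *oldpath, const char *newpath)
{
    struct stat st;

    /* lstat(), not stat(): a symlink planted at the destination must not be
     * mistaken for an existing folder. */
    if (lstat(newpath, &st) == 0)
        return DT_PRESENT;

    if (lstat(oldpath, &st) != 0)
        return fresh_dir(newpath, DT_CREATED_NO_SOURCE);

    if (!S_ISDIR(st.st_mode))
        return fresh_dir(newpath, DT_CREATED_REJECTED);

    /* rename(2) moves the directory entry inside the kernel: no shell, no
     * argv, and nothing is dereferenced on the way. */
    if (rename(oldpath, newpath) == 0)
        return DT_MOVED;
    fprintf(stderr, "rename %s -> %s: %s\n", oldpath, newpath, strerror(errno));
    return fresh_dir(newpath, DT_CREATED_RENAME_FAILED);
}

/* Constructed scenario: builds a scratch tree under /tmp, plants `kind`
 * ("dir", "symlink" or "none") at vol/.AppleDesktop, runs the migration and
 * returns 1 only if the result equals `expected` and db/.AppleDesktop ended up
 * as a real directory. The scratch tree is removed again afterwards. */
int scenario_ok(const char *kind, enum dt_result expected)
{
    char root[] = "/tmp/dtmigXXXXXX";
    char vol[256], db[256], oldp[256], newp[256];
    struct stat st;
    int ok;

    if (mkdtemp(root) == NULL)
        return 0;
    snprintf(vol, sizeof vol, "%s/vol", root);
    snprintf(db, sizeof db, "%s/db", root);
    snprintf(oldp, sizeof oldp, "%s/.AppleDesktop", vol);
    snprintf(newp, sizeof newp, "%s/.AppleDesktop", db);
    ok = mkdir(vol, 0700) == 0 && mkdir(db, 0700) == 0;

    if (ok && strcmp(kind, "dir") == 0)
        ok = mkdir(oldp, 0700) == 0;
    else if (ok && strcmp(kind, "symlink") == 0)
        ok = symlink("../../outside-the-share", oldp) == 0; /* dangling on purpose */
    /* "none": the share simply has no old desktop folder */

    if (ok) {
        enum dt_result r = migrate_desktop_dir(oldp, newp);
        ok = r == expected && lstat(newp, &st) == 0 && S_ISDIR(st.st_mode);
    }

    remove(newp);  /* remove(3) handles both the empty directory and the symlink */
    remove(oldp);
    remove(vol);
    remove(db);
    remove(root);
    return ok;
}

int main(void)
{
    printf("real dir moved:     %s\n", scenario_ok("dir", DT_MOVED) ? "ok" : "FAIL");
    printf("symlink rejected:   %s\n", scenario_ok("symlink", DT_CREATED_REJECTED) ? "ok" : "FAIL");
    printf("no source, created: %s\n", scenario_ok("none", DT_CREATED_NO_SOURCE) ? "ok" : "FAIL");
    return 0;
}
```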
Bug#1049325: Updated patch with CVE-2023-42464 fix
A new 0-day vulnerability CVE-2023-42464 has been published and patched with upstream Netatalk 3.1.17 The large CVE patch batch for oldstable has been updated and a new version attached here. Thank you! Daniel netatalk-3.1.12~ds-8+deb11u1-2.patch Description: Binary data
Bug#1052087: Versions affected
Please note: The vulnerability also affects 3.1.12~ds-8 in oldstable, and 3.1.15~ds-3 in unstable. Stable isn't distributing a netatalk package.
Bug#1052087: CVE-2023-42464: 0-day vulnerability in afpd Spotlight RPC
Package: netatalk Version: 3.1.12~ds-3 Severity: critical Tags: security Justification: root security hole A 0-day vulnerability patch has been published for the upstream project. The CVE record has not been made public yet, but this is the body of the advisory for the record: A Type Confusion vulnerability was found in the Spotlight RPC functions in Netatalk's afpd daemon. When parsing Spotlight RPC packets, one encoded data structure is a key-value style dictionary where the keys are character strings, and the values can be any of the supported types in the underlying protocol. Due to a lack of type checking in callers of the dalloc_value_for_key() function, which returns the object associated with a key, a malicious actor may be able to fully control the value of the pointer and theoretically achieve Remote Code Execution on the host. The underlying code for Spotlight queries in Netatalk shares a common heritage with Samba, and hence the root cause and fix are logically identical with those described in CVE-2023-34967. 
https://github.com/Netatalk/netatalk/issues/486 -- System Information: Debian Release: 10.13 APT prefers oldoldstable APT policy: (500, 'oldoldstable') Architecture: amd64 (x86_64) Kernel: Linux 6.1.0-12-amd64 (SMP w/4 CPU cores; PREEMPT) Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to C.UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to C.UTF-8) Shell: /bin/sh linked to /bin/dash Init: unable to detect Versions of packages netatalk depends on: ii libacl1 2.2.53-4 ii libattr1 1:2.4.48-4 ii libavahi-client3 0.7-4+deb10u1 ii libavahi-common3 0.7-4+deb10u1 ii libc62.28-10+deb10u1 ii libdb5.3 5.3.28+dfsg1-0.5 ii libdbus-1-3 1.12.20-0+deb10u1 ii libdbus-glib-1-2 0.110-4 ii libgcrypt20 1.8.4-5+deb10u1 ii libglib2.0-0 2.58.3-2+deb10u3 ii libldap-2.4-22.4.47+dfsg-3+deb10u7 ii libpam-modules 1.3.1-5 ii libpam0g 1.3.1-5 ii libtalloc2 2.1.14-2 ii libtdb1 1.3.16-2+b1 ii libtracker-sparql-2.0-0 2.1.8-2 ii libwrap0 7.6.q-28 ii lsb-base 10.2019051400 ii netbase 5.6 ii perl 5.28.1-6+deb10u1 Versions of packages netatalk recommends: ii avahi-daemon 0.7-4+deb10u1 ii dbus 1.12.20-0+deb10u1 ii lsof 4.91+dfsg-1 ii procps2:3.3.15-2 ii python3 3.7.3-1 ii python3-dbus 1.2.8-3 ii tracker 2.1.8-2 Versions of packages netatalk suggests: pn quota -- no debconf information
Bug#1051066: [Pkg-netatalk-devel] Bug#1051066: netatalk: 9 outstanding CVEs in Bullseye with available patches
--- Original Message ---
On Saturday, September 2nd, 2023 at 1:33 AM, Jonas Smedegaard wrote:
> This is one bugreport about multiple issues. That easily gets confusing
> to track, e.g. if some of the issues are solved and some are not, for a
> certain release of the package (and consequently a Debian release where
> that package release is included).
>
> It is generally easier to track when instead filing one bugreport per
> issue.

I can see how this is the preferred approach for a clean tracking of each security issue. In this case it gets a bit hairy since we have cases where one patch fixed multiple CVEs, and elsewhere multiple patches were required to fix regressions introduced by a CVE fix. It was a journey of >1 year to get to the present state.

> I tried looking up one of the above CVEs in the Debian security tracker:
> https://security-tracker.debian.org/tracker/CVE-2022-43634
>
> It references an already filed bugreport about that issue, bug#1034170,
> which is tagged as found only as early as 3.1.14~ds-1. If earlier
> Debian package releases are also affected by that particular issue, then
> please update that bugreport to reflect that fact.
>
> This bugreport is flagged as "archived" (which is done automatically
> after being done for a while, to reduce spam). Before doing other
> changes you therefore need to first unarchive it.
>
> E.g. something like this:
>
> bts unarchive 1034170 . found 1034170 3.1.13~ds-1

Will do, thanks for the command.

> The other CVEs seemingly have no related bugreport (from a quick look at
> the security tracker - but I suspect that database does not list
> bugreports not involving the security team at first, and only later
> mentioning a CVE if at all). If you don't happen to be aware of
> bugreports existing for those other issues, then I suggest to file new
> individual bugreports for each issue (also because it is easy to merge
> issues later as needed).

That's a fairly big undertaking, especially if clean and atomic patches are required for each... I was really hoping the batch approach would be accepted.

That said I can definitely create the individual bug tickets for starters and we can take it from there. Let me set aside some time next week for this.

> Kind regards, and thanks a lot for looking into this,
>
> - Jonas

You're welcome!

Daniel
Bug#1051103: netatalk: Unknown error: 211 from macOS when trying to mount in 3.1.15~ds-2 or later
--- Original Message ---
On Saturday, September 2nd, 2023 at 12:18 PM, David Gilman wrote:
> Package: netatalk
> Version: 3.1.15~ds-2
> Severity: important
> X-Debbugs-Cc: davidgilm...@gmail.com
>
> Dear Maintainer,
>
> After the update from 3.1.15~ds-1 to 3.1.15~ds-2 any attempt to mount an
> exported AFP share from macOS results in "Unknown error: 211" on the Mac
> side. This was not fixed in 3.1.15~ds-3.
>
> I was able to confirm the regression by downgrading from -3 to -2 to -1
> on the same setup to find that it was working on -1 and not -2.
>
> Note that my Debian side configuration is a bit of a monster, I am
> pinning netatalk from sid, but am otherwise on bookworm. The Mac is
> running macOS 13.5.1.
>
> I have attached some hopefully relevant system logs from the Mac.

Hi David,

Thank you for reporting the issue!

I cannot reproduce the issue despite having the exact same environment (Bookworm pinned to Sid netatalk, macOS 13.5.1) so please help me work through a few troubleshooting steps.

Reading the changelog between ds-1 and ds-2, the only obvious functional difference is that we did away with the pam.d configuration override. It shouldn't have made a difference but you never know.

To understand what's happening on the netatalk side when macOS throws that error, would you be able to turn on debug level logs, and then capture syslog as the error is happening? That's the only sure way to know exactly what it gets hung up on.

For this purpose, please add or modify the log level line of the Global section of /etc/netatalk/afp.conf as per the below and then restart netatalk.

log level = default:debug

Also, it would be handy to know the contents of your /etc/netatalk/afp.conf and /etc/pam.d/netatalk files. Please scrub any private information as needed.

Sincerely,
Daniel
Bug#1051066: netatalk: 9 outstanding CVEs in Bullseye with available patches
To add the justification for the critical severity of this ticket: At least 6 of the 9 vulnerabilities grant theoretical root access to a Debian system running non-patched netatalk: CVE-2022-43634, CVE-2022-23124, CVE-2022-23123, CVE-2022-23122, CVE-2022-23121, CVE-2022-0194
Bug#1051066: netatalk: 9 outstanding CVEs in Bullseye with available patches
Package: netatalk
Version: 3.1.12~ds-8
Severity: critical
Tags: patch security
Justification: root security hole
X-Debbugs-Cc: pkg-netatalk-de...@alioth-lists.debian.net, Debian Security Team

Nine CVE security advisories were addressed in netatalk upstream releases between 3.1.13 and 3.1.15. The full list is below:

CVE-2022-45188
CVE-2022-43634
CVE-2022-23125
CVE-2022-23124
CVE-2022-23123
CVE-2022-23122
CVE-2022-23121
CVE-2022-0194
CVE-2021-31439

Current status of patching these vulnerabilities:

- netatalk oldoldstable has already been patched by the Security Team.
- netatalk unstable has already been patched by the maintainer team.
- The netatalk package was excluded from stable, no action required.
- What remains is to patch oldstable, hence this ticket.

A debpatch has been attached to the related Release bug ticket, where approval to proceed with an oldstable release has been requested.
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1049325

-- System Information:
Debian Release: 11.7
  APT prefers oldstable
  APT policy: (500, 'oldstable')
Architecture: amd64 (x86_64)
Kernel: Linux 6.1.0-11-amd64 (SMP w/4 CPU threads; PREEMPT)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to C.UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /bin/dash
Init: unable to detect

Versions of packages netatalk depends on:
ii  init-system-helpers      1.60
ii  libacl1                  2.2.53-10
ii  libavahi-client3         0.8-5+deb11u2
ii  libavahi-common3         0.8-5+deb11u2
ii  libc6                    2.31-13+deb11u6
ii  libcrack2                2.9.6-3.4
ii  libcrypt1                1:4.4.18-4
ii  libdb5.3                 5.3.28+dfsg1-0.8
ii  libdbus-glib-1-2         0.110-6
ii  libevent-2.1-7           2.1.12-stable-1
ii  libgcrypt20              1.8.7-6
ii  libglib2.0-0             2.66.8-1
ii  libgssapi-krb5-2         1.18.3-6+deb11u3
ii  libkrb5-3                1.18.3-6+deb11u3
ii  libldap-2.4-2            2.4.57+dfsg-3+deb11u1
ii  libmariadb3              1:10.5.19-0+deb11u2
ii  libpam-modules           1.4.0-9+deb11u1
ii  libpam0g                 1.4.0-9+deb11u1
ii  libssl1.1                1.1.1n-0+deb11u4
ii  libtalloc2               2.3.1-2+b1
ii  libtdb1                  1.4.3-1+b1
ii  libtracker-sparql-2.0-0  2.3.6-2
ii  libwrap0                 7.6.q-31
ii  lsb-base                 11.1.0
ii  netbase                  6.3
ii  perl                     5.32.1-4+deb11u2

Versions of packages netatalk recommends:
ii  avahi-daemon      0.8-5+deb11u2
ii  cracklib-runtime  2.9.6-3.4
ii  dbus              1.12.24-0+deb11u1
ii  lsof              4.93.2+dfsg-1.1
ii  procps            2:3.3.17-5
ii  python3           3.9.2-3
ii  python3-dbus      1.2.16-5
ii  tracker           2.3.6-2

Versions of packages netatalk suggests:
pn  quota  <none>

-- no debconf information
Bug#1049325: Increasing severity
Control: severity -1 important
X-Debbugs-Cc: pkg-netatalk-de...@alioth-lists.debian.net

Dear Debian Release Team,

Please allow me to raise the severity for this ticket. The patches address 9 public CVE advisories, and I think it would be beneficial to Bullseye users to have a patched package.

As mentioned before, the exact same patchset has been applied to oldoldstable-security with help from the Security Team (special thanks to Markus Koschany!)

Would it be possible to get feedback on the proposed release?

For reference, here are the relevant netatalk bug tickets that I know of.
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1025011
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1036740
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1043504

Thank you!
Daniel
Bug#1043504: [Pkg-netatalk-devel] Bug#1043504: marked as done (Another regression fix for CVE-2022-23123)
> -- Forwarded message --
> From: Markus Koschany
> To: Daniel Markstedt
> Cc: 1043504-d...@bugs.debian.org
> Bcc:
> Date: Sun, 13 Aug 2023 23:44:58 +0200
> Subject: Re: Bug#1043504: Another regression fix for CVE-2022-23123
> Version: 3.1.12~ds-3+deb10u3
>
> On Friday, 11.08.2023 at 22:45 -0700, Daniel Markstedt wrote:
> > Package: netatalk
> > Version: 3.1.12~ds-3+deb10u2
> > X-Debbugs-Cc: t...@security.debian.org,debian-...@lists.debian.org
> >
> > Dear Debian Security team,
> >
> > Would you be able to help me get the following critical regression fix
> > into the Buster netatalk package?
>
> Hello Daniel,
>
> thank you for the report. I have just released DLA-3426-3 and believe this is
> fixed in 3.1.12~ds-3+deb10u3 now.
>
> Regards,
>
> Markus

Wonderful, thank you for the quick turnaround on the upload. I updated to deb10u3 on my Buster system and ran a few tests. It seems to work as expected!

As a side note, I filed a release request with the Release team last night to get traction with patching the Bullseye package as well.
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1049325

I'm following the guidelines here so hopefully I'm on the right track. :)
https://lists.debian.org/debian-devel-announce/2019/08/msg0.html

Cheers,
Daniel
Bug#1025011: Release request filed
For the record, I have filed a request with the Release Team now to get the green light to upload Bullseye packages. See: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1049325
Bug#1049325: bullseye-pu: netatalk/3.1.12~ds-8+deb11u1
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: jo...@jones.dk

This is a batch of patches that resolves a number of CVE vulnerabilities for netatalk, plus a number of regressions that were subsequently fixed in upstream (indicated by part/regression patches). They originate in upstream releases between 3.1.13 and 3.1.15. With the exception of the very last regression fix (CVE-2022-23123_part6.patch) they are all in the unstable netatalk package.

CVE-2022-45188
CVE-2022-43634
CVE-2022-23125
CVE-2022-23124
CVE-2022-23123
CVE-2022-23122
CVE-2022-23121
CVE-2022-0194
CVE-2021-31439

For complete transparency: Please note that the patch for CVE-2022-23123 also fixes CVE-2022-23122, CVE-2022-23124, CVE-2022-0194, which is why the latter three don't have separate patches.

The Security Team has already applied this exact patchset on buster-security (3.1.12~ds-3+deb10u3), and instructed me to file this release request against oldstable.

We have an active userbase that leverages netatalk for file sharing with fleets of legacy Mac clients in production environments, so I consider it prudent to keep oldstable up to date with security patches.

Is this enough to make a case for uploading an update to oldstable?

Sincerely,
Daniel Markstedt

netatalk-3.1.12~ds-8+deb11u1.patch
Description: Binary data
Bug#1043504: Another regression fix for CVE-2022-23123
My apologies, the previous patch had a fatal typo that I noticed when running debuild. This "-2" version should work properly.

On Sat, Aug 12, 2023 at 10:58 PM Daniel Markstedt wrote:
>
> Here is a patch with the upstream code change, for the 3.1.12~ds3 patchset.
> I followed the maintainers' documentation and used quilt, so hopefully
> it should be compliant!
> Please let me know if there's anything I should be doing differently here.
>
> Thanks!
> Daniel

CVE-2022-23123_part6-2.patch
Description: Binary data
Bug#1043504: Another regression fix for CVE-2022-23123
Here is a patch with the upstream code change, for the 3.1.12~ds3 patchset. I followed the maintainers' documentation and used quilt, so hopefully it should be compliant!

Please let me know if there's anything I should be doing differently here.

Thanks!
Daniel

CVE-2022-23123_part6.patch
Description: Binary data
Bug#1043504: Another regression fix for CVE-2022-23123
Package: netatalk
Version: 3.1.12~ds-3+deb10u2
X-Debbugs-Cc: t...@security.debian.org,debian-...@lists.debian.org

Dear Debian Security team,

Would you be able to help me get the following critical regression fix into the Buster netatalk package?

The regression was introduced with the patch for CVE-2022-23123 and is impacting a subset of users that have certain metadata in their shared files. The issue leads to an unavoidable crash and renders netatalk useless with their shared volumes. Separately, it also contains a fix for saving MS Office files onto an otherwise functioning shared volume.

This is the commit with the fix in question:
https://github.com/Netatalk/netatalk/commit/7dbde0ce704be7fbdb23e893e05cedced337350d

See this PR for discussion and links back to the user reported issue tickets:
https://github.com/Netatalk/netatalk/pull/178

See also Bug#1036740 for the previous batch of regression fixes for the same CVE.

Thank you!
Bug#1040065: [Pkg-netatalk-devel] Bug#1040065: afpd: systemd-logind ReleaseSession rejected by dbus-daemon
On Sat, Jul 1, 2023 at 3:27 PM Richard van den Berg wrote:
>
> Package: netatalk
> Version: 3.1.12~ds-8
> Severity: normal
> Tags: patch
>
> I am using netatalk for time machine backups. After every session I see this
> line in /var/log/auth.log
>
> 2023-07-01T22:31:47.223949+02:00 my-server dbus-daemon[1538889]: [system]
> Rejected send message, 2 matched rules; type="method_call",
> sender=":1.153636" (uid=145 pid=2690475 comm="/usr/sbin/afpd -d -F
> /etc/netatalk/afp.conf") interface="org.freedesktop.login1.Manager"
> member="ReleaseSession" error name="(unset)" requested_reply="0"
> destination="org.freedesktop.login1" (uid=0 pid=1538900
> comm="/lib/systemd/systemd-logind")
>
> Today I finally found the solution at
> https://bugs.launchpad.net/ubuntu/+source/netatalk/+bug/1538004
>
> It is simple really, in /etc/pam.d/netatalk replace this line:
>
> @include common-session
>
> with this line:
>
> @include common-session-noninteractive
>

Hi Richard,

Thanks for reporting and tracking down the fix. Do I understand correctly that the fix is confirmed to resolve the issue for you?

Now, /etc/pam.d/netatalk is obviously a generated file, so for a persistent fix the file that needs to change is macros/pam-check.m4

I think this should ideally be fixed upstream, so if you have a moment to spare it'd be helpful if you filed an issue ticket at https://github.com/Netatalk/netatalk/issues

Best,
Daniel
Bug#1038421: Fix for CVE-2022-45188
Package: netatalk
Version: 3.1.15~ds-1
X-Debbugs-Cc: pkg-netatalk-de...@lists.alioth.debian.org

This bug is to record that the fix for CVE-2022-45188 has already been included with netatalk 3.1.15~ds-1. It is still flagged as unresolved for bookworm, which is not correct.

See https://github.com/Netatalk/netatalk/releases/tag/netatalk-3-1-15 for the changelog.
Bug#1036740: [Pkg-netatalk-devel] Bug#1036740: closed by Markus Koschany (Re: Bug#1036740: Fix for CVE-2022-23123 causes afpd segfault with valid metadata)
On Sat, Jun 3, 2023 at 11:07 PM Jonas Smedegaard wrote:
>
> Quoting Salvatore Bonaccorso (2023-06-04 07:39:12)
> > Hi Daniel,
> >
> > On Sat, Jun 03, 2023 at 02:56:00PM -0700, Daniel Markstedt wrote:
> > > > -- Forwarded message --
> > > > From: Markus Koschany
> > > > To: Daniel Markstedt , 1036740-d...@bugs.debian.org
> > > > Cc: debian-...@lists.debian.org
> > > > Bcc:
> > > > Date: Thu, 01 Jun 2023 19:54:55 +0200
> > > > Subject: Re: Bug#1036740: Fix for CVE-2022-23123 causes afpd segfault
> > > > with valid metadata
> > > > Version: 3.1.12~ds-3+deb10u2
> > > >
> > > > Thanks for your report and the detailed replies. I could reproduce the
> > > > problem and identify a wrongly applied commit in libatalk/adouble/ad_open.c.
> > > > After applying a new patch to fix it, the AppleDouble v2 format seems to work
> > > > as intended again. I'm going to close this bug report now.
> > > >
> > > > Best,
> > > >
> > > > Markus
> > > >
> > >
> > > Thank you Markus for narrowing down the problem and fixing it!
> > > I can confirm that appledouble=v2 works in my environment now too.
> > >
> > > So this covers the outstanding CVEs for oldstable now;
> > > are you already preparing to port the same patchset to stable as well?
> > >
> > > I can file another bug report if it helps.
> >
> > No other reports needed, since all were reported. For the bookworm
> > release they would be fixed, for the current stable (bullseye) we
> > explicitly asked the maintainer through
> > https://bugs.debian.org/1025011#15 . So we are waiting for the
> > netatalk maintainers to propose an update here for bullseye-security.
>
> @Salvatore: In addition to being upstream developer, Daniel has also
> joined the Debian packaging team.
>

Salvatore, I left a comment over at that bug. It should be easy to accomplish if I can learn how to contribute patches to security releases.

> @Daniel: Debian issue tracker - debbugs - can be confusing from an
> upstream POV, due to it being distro-centric: Some issues are not about
> upstream code but "meta" about distro organization - e.g. bug#1025011
> which is not about netatalk but about *attention* for netatalk and
> therefore open despite netatalk itself having no bugs. Also, issues tied to
> upstream projects are tracked across multiple Debian releases, so can be
> both fixed and unfixed depending on release scope.
>
> What is double confusing here is that no bugreport exists in Debian for
> tracking CVE-2022-23123 - bug#1036740 filed by you is about collateral
> damage in fixing that CVE for oldstable, and bug#1025011 is about
> meta-discussion only indirectly involving that same CVE.
>
> All in all: Yes, please file a bugreport about CVE-2022-23123 - and then
> tag it as closed with package release 3.1.15~ds-1, which makes that
> bugreport "fixed" for the scope of Debian testing and unstable, but
> unfixed for the scope of Debian stable.
>
>
> Hope that helps.
>
> - Jonas
>

Jonas, definitely a helpful summary, thanks!

However, I assume you mean CVE-2022-45188 for bookworm regarding filing a bug to resolve an already resolved CVE? This one was fixed with 3.1.15 but due to a typo in the commit message was left as unresolved, if I'm not mistaken.

As far as I can tell, CVE-2022-23123 is already properly flagged as resolved both for bookworm and sid.

Please let me know if there's something I overlooked here!

Best,
Daniel
Bug#1025011: [Pkg-netatalk-devel] Bug#1025011: fixed in netatalk 3.1.15~ds-1
On Wed, May 24, 2023 at 7:18 AM Moritz Mühlenhoff wrote:
> [...]
> It's nice that there's renewed interest, but this involves also taking
> care of netatalk in stable, there's a range of issues (full list at
> https://security-tracker.debian.org/tracker/source-package/netatalk)
> which need to be backported to bullseye-security.
>
> I'm reopening the bug, it can be closed with the respective upload
> to bullseye-security.
>
> Cheers,
> Moritz
>

Since both buster and bullseye use the same base version of netatalk (3.1.12) the work required here should be straight-forward: Simply bring over the CVE patchset that was applied to buster-security.

A snippet from `apt source netatalk` on buster:

[...]
dpkg-source: info: applying CVE-2022-45188.patch
dpkg-source: info: applying CVE-2022-43634.patch
dpkg-source: info: applying CVE-2022-23125.patch
dpkg-source: info: applying CVE-2022-23121.patch
dpkg-source: info: applying CVE-2021-31439.patch
dpkg-source: info: applying CVE-2022-23123_part1.patch
dpkg-source: info: applying CVE-2022-23123_part2.patch
dpkg-source: info: applying CVE-2022-23123_part3.patch
dpkg-source: info: applying CVE-2022-23123_part4.patch
dpkg-source: info: applying CVE-2022-23123_part5.patch
dpkg-source: info: applying CVE-2022-23121_regression.patch

The only real difference between buster and bullseye netatalk 3.1.12 is that the latter has a few extra backported crashfixes etc. I had a quick look and concluded that they shouldn't interfere with the CVE patches.

I'd be happy to try to achieve the "upload to bullseye-security" if you all can give me some pointers. This is all new to me.

Best regards,
Daniel
Bug#1036740: closed by Markus Koschany (Re: Bug#1036740: Fix for CVE-2022-23123 causes afpd segfault with valid metadata)
> -- Forwarded message --
> From: Markus Koschany
> To: Daniel Markstedt , 1036740-d...@bugs.debian.org
> Cc: debian-...@lists.debian.org
> Bcc:
> Date: Thu, 01 Jun 2023 19:54:55 +0200
> Subject: Re: Bug#1036740: Fix for CVE-2022-23123 causes afpd segfault with
> valid metadata
> Version: 3.1.12~ds-3+deb10u2
>
> Thanks for your report and the detailed replies. I could reproduce the problem
> and identify a wrongly applied commit in libatalk/adouble/ad_open.c. After
> applying a new patch to fix it, the AppleDouble v2 format seems to work as
> intended again. I'm going to close this bug report now.
>
> Best,
>
> Markus
>

Thank you Markus for narrowing down the problem and fixing it! I can confirm that appledouble=v2 works in my environment now too.

So this covers the outstanding CVEs for oldstable now; are you already preparing to port the same patchset to stable as well?

I can file another bug report if it helps.

Best,
Daniel
Bug#1036740: [Pkg-netatalk-devel] Bug#1036740: Bug#1036740: Fix for CVE-2022-23123 causes afpd segfault with valid metadata
On Fri, May 26, 2023 at 1:15 PM Markus Koschany wrote:
>
> Could you tell me which exact commands were used, so that I can try to
> reproduce the problem?
>

Do you by any chance have access to a Mac of any vintage? It could be a brand new machine running the latest macOS or a classic Mac from the 90s running at least System Software 7.1

The problem occurs when the AFP client attempts to create the Mac file system metadata (aka resource forks on Classic Mac OS, or extended attributes on OSX.)

Netatalk should be configured something like this:

dmark@buster:~$ cat /etc/netatalk/afp.conf
[Global]
zeroconf name = Buster
uam list = uams_clrtxt.so uams_dhx2.so

[Homes]
basedir regex = /home
appledouble = v2

After authenticating with the netatalk server on the Mac, attempt to copy any file to the shared volume. You should get an instant error -50 in Mac OS, and see the aforementioned errors in the logs.
Bug#1036740: [Pkg-netatalk-devel] Bug#1036740: Fix for CVE-2022-23123 causes afpd segfault with valid metadata
On Thu, May 25, 2023 at 3:39 AM Markus Koschany wrote:
>
> Hello Daniel,
>
> On Thursday, 25.05.2023 at 08:02 +0200, Salvatore Bonaccorso wrote:
> >
> > > These two commits in upstream addressed this:
> > > https://github.com/Netatalk/netatalk/commit/9d0c21298363e8174cdfca657e66c4d10819507b
> > > https://github.com/Netatalk/netatalk/commit/4140e5495bac42ecb9b11975229c81e84762cc98
>
> Both patches have been backported to Buster. You can find them as
> CVE-2022-23123_part3.patch and CVE-2022-23123_part4.patch.
>
> Did we miss something else?
>
> Regards,
>
> Markus

Salvatore, Markus,

Thank you very much for taking swift action on this!

Please forgive my ignorance here, but are these patches active already if I apt install netatalk (3.1.12~ds-3+deb10u1) on Buster? Or do they have to be picked up by some build process that hasn't run yet?

I'm asking because I ran a few tests now and while EA metadata works, the appledouble v2 metadata functionality is definitely broken, even when you create a new shared volume from scratch.

dmark@buster:~$ apt show netatalk
Package: netatalk
Version: 3.1.12~ds-3+deb10u1
...

May 25 18:51:08 buster afpd[7415]: ad->ad_ops->ad_header_read(path, ad, pst) failed: Input/output error
May 25 18:51:08 buster afpd[7415]: getfilparams(Screenshot 2023-05-23 at 10.36.39 AM.png): bad resource fork
May 25 18:51:08 buster afpd[7415]: parse_entries: bogus eid: 3, off: 182, len: 8
May 25 18:51:08 buster afpd[7415]: ad_header_read(/home/dmark/afp-data): malformed AppleDouble

So either more patches have to be cherry-picked or I need to be patient. :)
Bug#1036740: Fix for CVE-2022-23123 causes afpd segfault with valid metadata
Package: netatalk
Version: 3.1.12~ds-3+deb10u1
X-Debbugs-Cc: t...@security.debian.org

The code that addressed CVE-2022-23123 introduced appledouble metadata validity assertions that were too strict and caused instant segfaults with valid metadata for a large number of users.

These two commits in upstream addressed this:
https://github.com/Netatalk/netatalk/commit/9d0c21298363e8174cdfca657e66c4d10819507b
https://github.com/Netatalk/netatalk/commit/4140e5495bac42ecb9b11975229c81e84762cc98

For the full discussion see this PR:
https://github.com/Netatalk/netatalk/pull/174

I would recommend accepting these patches into oldstable, as well as stable once the CVE patches get ported there too.
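The report above, and the "bogus eid / malformed AppleDouble" log lines earlier in this thread, turn on one question: which checks on an AppleDouble header must reject the file outright, and which should merely skip an entry. The following is an added example written for this page; it is not netatalk's code, not the upstream fix, and does not reproduce the specific check that regressed. It parses an AppleDouble v2 header with bounds checks that fail hard only where later code would otherwise read outside the buffer, and treats an unexpected size for a known fixed-size entry (Finder info, file dates) as a soft condition that skips that entry. The function names (ad_parse_header, ad_build_sample, ad_check_sample), the AD_MAX_ENTRIES cap and the 114-byte sample header are all constructed for the example; the header layout and entry ids follow the AppleDouble specification.

```c
#include <inttypes.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* AppleDouble v2 on-disk header: magic, version, 16-byte filler, entry count. */
#define AD_MAGIC_DOUBLE 0x00051607u
#define AD_VERSION2     0x00020000u
#define AD_HEADER_LEN   26u
#define AD_ENTRY_LEN    12u   /* entry id, offset, length; all big-endian */
#define AD_MAX_ENTRIES  64u   /* sanity cap chosen for this example (assumption) */

/* Entry ids from the AppleDouble spec used by the sample. */
#define ADEID_RFORK      2u   /* resource fork, variable length */
#define ADEID_FILEDATESI 8u   /* 16 bytes: create/modify/backup/access dates */
#define ADEID_FINDERI    9u   /* 32 bytes: Finder info + extended Finder info */

enum { AD_OK = 0, AD_ERR_SHORT = -1, AD_ERR_MAGIC = -2, AD_ERR_VERSION = -3,
       AD_ERR_TABLE = -4, AD_ERR_ENTRY = -5 };

typedef struct { uint32_t id, off, len; } ad_entry_t;
typedef struct { uint16_t nentries; ad_entry_t entries[AD_MAX_ENTRIES]; } ad_header_t;

static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}
static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static void put32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16); p[2] = (uint8_t)(v >> 8); p[3] = (uint8_t)v;
}
static void put16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }

/*
 * Parse the AppleDouble v2 header in buf[0..size) into *out.
 * Structural checks (anything that would later let code read outside buf)
 * are hard failures. Semantic oddities (an unexpected payload size for a
 * known fixed-size id) are logged and that entry is skipped, so otherwise
 * valid metadata is not rejected wholesale. Returns AD_OK or an AD_ERR_* code.
 */
int ad_parse_header(const uint8_t *buf, size_t size, ad_header_t *out) {
    if (size < AD_HEADER_LEN)            return AD_ERR_SHORT;
    if (be32(buf) != AD_MAGIC_DOUBLE)    return AD_ERR_MAGIC;
    if (be32(buf + 4) != AD_VERSION2)    return AD_ERR_VERSION;

    uint16_t n = be16(buf + 24);
    if (n == 0 || n > AD_MAX_ENTRIES)    return AD_ERR_TABLE;
    /* The entry table itself must fit in the buffer before it is walked. */
    if (AD_HEADER_LEN + (size_t)n * AD_ENTRY_LEN > size) return AD_ERR_TABLE;

    out->nentries = 0;
    for (uint16_t i = 0; i < n; i++) {
        const uint8_t *e = buf + AD_HEADER_LEN + (size_t)i * AD_ENTRY_LEN;
        ad_entry_t ent = { be32(e), be32(e + 4), be32(e + 8) };

        if (ent.id == 0) return AD_ERR_ENTRY;      /* id 0 is reserved/invalid */
        /* 64-bit sum so an oversized length cannot wrap and pass the check. */
        if ((uint64_t)ent.off + ent.len > size) return AD_ERR_ENTRY;

        if ((ent.id == ADEID_FINDERI && ent.len != 32) ||
            (ent.id == ADEID_FILEDATESI && ent.len != 16)) {
            fprintf(stderr, "ad_parse_header: unexpected len %" PRIu32 " for eid %" PRIu32
                    ", skipping\n", ent.len, ent.id);
            continue;
        }
        out->entries[out->nentries++] = ent;
    }
    return AD_OK;
}

/*
 * Constructed 114-byte sample (not a real file): Finder info, file dates and
 * a 4-byte resource fork laid out back to back after the entry table.
 * mode 0: well-formed; mode 1: resource fork length runs far past the end of
 * the buffer (and would wrap 32-bit arithmetic); mode 2: Finder info claims 16 bytes.
 */
size_t ad_build_sample(uint8_t buf[114], int mode) {
    memset(buf, 0, 114);
    put32(buf, AD_MAGIC_DOUBLE);
    put32(buf + 4, AD_VERSION2);
    put16(buf + 24, 3);
    uint8_t *e = buf + AD_HEADER_LEN;                 /* entry table: bytes 26..61 */
    put32(e,      ADEID_FINDERI);    put32(e + 4,  62);  put32(e + 8,  mode == 2 ? 16u : 32u);
    put32(e + 12, ADEID_FILEDATESI); put32(e + 16, 94);  put32(e + 20, 16);
    put32(e + 24, ADEID_RFORK);      put32(e + 28, 110); put32(e + 32, mode == 1 ? 0xFFFFFFF0u : 4u);
    return 114;
}

/* Build the sample in `mode`, parse its first `size` bytes (0 = all 114), and
   return the number of accepted entries, or the negative AD_ERR_* code. */
int ad_check_sample(int mode, size_t size) {
    uint8_t buf[114];
    ad_header_t hdr;
    size_t full = ad_build_sample(buf, mode);
    int rc = ad_parse_header(buf, size ? size : full, &hdr);
    return rc == AD_OK ? hdr.nentries : rc;
}

int main(void) {
    printf("well-formed:     %d entries accepted\n", ad_check_sample(0, 0));
    printf("overlong fork:   rc %d\n", ad_check_sample(1, 0));
    printf("odd Finder len:  %d entries accepted\n", ad_check_sample(2, 0));
    printf("truncated table: rc %d\n", ad_check_sample(0, 40));
    return 0;
}
```

The split between the two kinds of check is the design point: an offset/length pair that reaches past the buffer, or an entry table that does not fit, leaves nothing safe to read and must fail the whole header; a Finder info entry of an unexpected size is a reason to distrust that one entry, not to refuse an otherwise well-formed file. Note also that the overflow case is only caught because the sum is computed in 64 bits; in 32-bit arithmetic 110 + 0xFFFFFFF0 wraps to 94, which is inside the buffer.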
Bug#1032236: ITP: netatalk2 -- File server for Macintosh and Apple II clients
Package: wnpp
Severity: wishlist
Owner: Daniel Markstedt
X-Debbugs-Cc: debian-de...@lists.debian.org, markst...@gmail.com

* Package name    : netatalk2
  Version         : 2.2.8
  Upstream Author : The Netatalk Team
* URL             : https://netatalk.sourceforge.io
* License         : GPL 2.0
  Programming Lang: C
  Description     : File server for Macintosh and Apple II clients

Netatalk 2 is a file server for Macintosh and Apple II clients which implements the Apple Filing Protocol (AFP) with support for TCP (DSI) and AppleTalk (DDP) networking layers. It also supplies a PAP compliant printer server (papd), a time server (timelord), and an Apple II netboot server (a2boot). In addition, a suite of tools for classic Mac file formats, AppleTalk networking, and PostScript printing is included.

Unlike Netatalk 3, it retains the AppleTalk network layer, which allows it to serve as a bridge between older Mac and Apple II clients, with the latest macOS clients.

I intend to leverage the existing pkg-netatalk-devel team for maintaining the package, including volunteering my own effort.