Bug#1060774: bullseye-pu: netatalk/3.1.12~ds-8+deb11u2

2024-02-24 Thread Daniel Markstedt
X-Debbugs-Cc: pkg-netatalk-de...@alioth-lists.debian.net

On Wednesday, February 21st, 2024 at 4:56 PM, Jonathan Wiltshire wrote:
> 
> 
> You should be targetting `bullseye` in the most recent changelog; with that
> fixed, please go ahead.
> 
> Thanks,
> 
> --
> Jonathan Wiltshire j...@debian.org
> Debian Developer http://people.debian.org/~jmw
> 
> 4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC 74C3 5394 479D D352 4C51
> ed25519/0x196418AAEB74C8A1: CA619D65A72A7BADFC96D280196418AAEB74C8A1

Jonathan,

Thanks for reviewing the debdiff.

Here is a rev2 version that targets bullseye in the latest changelog. Please 
confirm that this is what you meant. (It's the first time I go through this 
process so want to make sure I don't make obvious mistakes.)

If it looks good, I will arrange for this to get uploaded.

Best,
Daniel

diff -Nru netatalk-3.1.12~ds/debian/changelog netatalk-3.1.12~ds/debian/changelog
--- netatalk-3.1.12~ds/debian/changelog 2023-09-20 05:19:20.0 +
+++ netatalk-3.1.12~ds/debian/changelog 2024-02-10 23:49:31.0 +
@@ -1,3 +1,10 @@
+netatalk (3.1.12~ds-8+deb11u2) bullseye; urgency=high
+
+  * Fix CVE-2022-22995. Harden create_appledesktop_folder.
+closes: bug#1060773
+
+ -- Daniel Markstedt   Sat, 10 Feb 2024 23:49:31 +
+
 netatalk (3.1.12~ds-8+deb11u1) bullseye-security; urgency=high
 
   * Fix CVE-2021-31439, CVE-2022-0194, CVE-2022-23121, CVE-2022-23122,
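Review bot: `closes: bug#1060773` is a spelling dpkg's Closes parser accepts, but `Closes: #1060773` is the usual form and what most tooling greps for; worth normalising. Distribution `bullseye` and version `3.1.12~ds-8+deb11u2` are right for a release-team pu upload, and closing the netatalk bug rather than the pu request (#1060774) is correct, since the release team closes that one themselves.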
diff -Nru netatalk-3.1.12~ds/debian/patches/CVE-2022-22995.patch 
netatalk-3.1.12~ds/debian/patches/CVE-2022-22995.patch
--- netatalk-3.1.12~ds/debian/patches/CVE-2022-22995.patch  1970-01-01 
00:00:00.0 +
+++ netatalk-3.1.12~ds/debian/patches/CVE-2022-22995.patch  2024-02-10 
23:40:03.0 +
@@ -0,0 +1,63 @@
+Description: CVE-2022-22995
+Author: Daniel Markstedt 
+Origin: 
https://github.com/Netatalk/netatalk/commit/9eb6d9d0ac17dca210ccbf05476a925a6b379dfb.diff
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
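Review bot: the DEP-3 header's Description field is just the CVE id and there is no Bug-Debian field. Give Description a one-line summary of what the patch does (move .AppleDesktop with rename() after an lstat()/S_ISDIR() check instead of spawning mv) and add `Bug-Debian: https://bugs.debian.org/1060773` so the Debian bug and the security tracker can find the patch. Since Origin already names the upstream commit, the Author line adds nothing for an upstream-backported fix.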
+--- a/etc/afpd/desktop.c
 b/etc/afpd/desktop.c
+@@ -12,8 +12,10 @@
+ #endif /* HAVE_CONFIG_H */
+ 
+ #include 
++#include 
+ #include 
+ #include 
++#include 
+ 
+ #include 
+ 
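Review bot: the two added `#include` lines are empty as quoted here, so it is not possible to tell from the hunk which headers are being added; the code below needs sys/stat.h for S_ISDIR() and stdio.h for rename(). Check that the header names survived in the actual patch file and were not lost on the way into the mail.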
+@@ -212,7 +214,6 @@
+ {
+ bstring olddtpath = NULL, dtpath = NULL;
+ struct stat st;
+-char *cmd_argv[4];
+ 
+ olddtpath = bfromcstr(vol->v_path);
+ bcatcstr(olddtpath, "/" APPLEDESKTOP);
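Review bot: with cmd_argv gone, run_cmd() is no longer called from this function; if this was its only user in desktop.c the include that provided it can go as well. It is also worth grepping the tree for other run_cmd("mv") call sites that move data out of a user-writable volume the same way, since the same hardening would apply there.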
+@@ -220,27 +221,24 @@
+ dtpath = bfromcstr(vol->v_dbpath);
+ bcatcstr(dtpath, "/" APPLEDESKTOP);
+ 
+-if (lstat(cfrombstr(dtpath), ) != 0) {
+-
+-become_root();
++become_root();
+ 
+-if (lstat(cfrombstr(olddtpath), ) == 0) {
+-cmd_argv[0] = "mv";
+-cmd_argv[1] = bdata(olddtpath);
+-cmd_argv[2] = bdata(dtpath);
+-cmd_argv[3] = NULL;
+-if (run_cmd("mv", cmd_argv) != 0) {
+-LOG(log_error, logtype_afpd, "moving .AppleDesktop from 
\"%s\" to \"%s\" failed",
++if (lstat(cfrombstr(dtpath), ) != 0) {
++if ((lstat(cfrombstr(olddtpath), ) == 0) && (S_ISDIR(st.st_mode) 
!= 0)) {
++  if (rename(bdata(olddtpath), bdata(dtpath)) != 0) {
++LOG(log_error, logtype_afpd, "moving .AppleDesktop from 
\"%s\" failed; creating new dir \"%s\"",
+ bdata(olddtpath), bdata(dtpath));
+ mkdir(cfrombstr(dtpath), 0777);
+ }
+ } else {
++LOG(log_debug, logtype_afpd, "no valid .AppleDesktop dir found; 
creating new dir \"%s\"",
++bdata(dtpath));
+ mkdir(cfrombstr(dtpath), 0777);
+ }
+-
+-unbecome_root();
+ }
+ 
++unbecome_root();
++
+ bdestroy(dtpath);
+ bdestroy(olddtpath);
+ }
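Review bot: become_root() now runs unconditionally, before dtpath is lstat()ed, so the process elevates even in the common case where the desktop directory already exists and nothing is done; keep the elevation inside the branch that handles a missing dtpath, or say in the commit why it has to move. Two smaller points: the error LOG on rename() failure drops errno (append strerror(errno); rename() fails with EXDEV whenever v_dbpath is on a different filesystem from v_path, which is exactly the case where the old contents are silently left behind and a fresh, empty directory is created), and the lstat()/S_ISDIR() check and the rename() are not atomic, so a volume user who swaps the directory for a symlink between the two calls would get the link itself renamed into v_dbpath; if that window matters, re-check the destination with lstat() after the rename. Style: the new `if (rename(...))` line is indented with two spaces where the rest of the block uses four.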
diff -Nru netatalk-3.1.12~ds/debian/patches/series 
netatalk-3.1.12~ds/debian/patches/series
--- netatalk-3.1.12~ds/debian/patches/series2023-09-20 05:19:20.0 
+
+++ netatalk-3.1.12~ds/debian/patches/series2024-02-10 23:40:03.0 
+
@@ -28,3 +28,4 @@
 CVE-2022-23121_regression.patch
 CVE-2022-23123_part6.patch
 CVE-2023-42464.patch
+CVE-2022-22995.patch
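Review bot: appending CVE-2022-22995.patch after CVE-2023-42464.patch is the right place for a new quilt patch. Since Origin points at an upstream commit made against a later tree than 3.1.12, confirm that `quilt push -a` is clean on top of the earlier CVE patches and that the hunk offsets (@@ -212 and @@ -220) still match the 3.1.12 desktop.c rather than needing fuzz.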

Bug#1032236: netatalk2 repo in Salsa

2024-02-11 Thread Daniel Markstedt
X-Debbugs-CC: pkg-netatalk-de...@alioth-lists.debian.net

I have now prepared a git repository for netatalk2, living in the same Salsa 
project as netatalk (v3), in a "debian/old" branch (and "upstream/old"):

https://salsa.debian.org/netatalk-team/netatalk/-/tree/debian/old?ref_type=heads

This branch was branched off the historical 2.2.6 deb, with all of the 
subsequent improvements in the 3.x line of releases backported to the "old" 
branch.

I have brought this code up to date with the latest upstream netatalk v2.3.1 
release code. All lintian reported errors and warnings have been addressed. 
Copyright information has been refreshed. The code can be built with debuild 
and a functioning deb package gets created.

I think this software is ready to be considered for packaging in Debian now.

If a Debian development team member reads this, please let me know how to take 
this to the next stage in the packaging evaluation process!

Sincerely,
Daniel Markstedt



Bug#1060774: bullseye-pu: netatalk/3.1.12~ds-8+deb11u2

2024-02-10 Thread Daniel Markstedt
Control: tags -1 - moreinfo

On Wednesday, February 7th, 2024 at 3:06 AM, Jonathan Wiltshire wrote:

> 
> 
> Hi,
> 
> On Tue, Jan 16, 2024 at 08:30:52AM +, Daniel Markstedt wrote:
> 
> > On Tue, Jan 16, 2024 at 02:53, Adam D. Barratt <a...@adam-barratt.org.uk> wrote:
> > 
> > > Control: tags -1 + moreinfo
> > > 
> > > On Sun, 2024-01-14 at 06:23 +, Daniel Markstedt wrote:
> > > 
> > > > CVE-2022-22995
> > > > Ref. advisory: https://netatalk.sourceforge.io/CVE-2022-22995.php
> > > > 
> > > > The attached patch can be applied to Debian oldstable to address the
> > > > vulnerability.
> > > 
> > > In order to approve an upload, we need to see a full source debdiff of
> > > the proposed new package, not just the isolated patch. Please remove
> > > the moreinfo tag when providing that.
> > 
> > Adam, thanks for following up on this request.
> > I will work on a debdiff when I’m back home this coming weekend.
> > Right now I’m working offsite without access to a personal computer.
> 
> 
> Ping? It's now too late for 11.9 but your request can be considered for
> 11.10 if you send a debdiff.
> 
> Thanks,
> 
> --
> Jonathan Wiltshire j...@debian.org
> Debian Developer http://people.debian.org/~jmw
> 
> 4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC 74C3 5394 479D D352 4C51
> ed25519/0x196418AAEB74C8A1: CA619D65A72A7BADFC96D280196418AAEB74C8A1

Jonathan,

Please find a debdiff attached here. Is this adequate for doing the security 
release?

Thank you!

Daniel

diff -Nru netatalk-3.1.12~ds/debian/changelog netatalk-3.1.12~ds/debian/changelog
--- netatalk-3.1.12~ds/debian/changelog 2023-09-20 05:19:20.0 +
+++ netatalk-3.1.12~ds/debian/changelog 2024-02-10 23:49:31.0 +
@@ -1,3 +1,10 @@
+netatalk (3.1.12~ds-8+deb11u2) bullseye-security; urgency=high
+
+  * Fix CVE-2022-22995. Harden create_appledesktop_folder.
+closes: bug#1060773
+
+ -- Daniel Markstedt   Sat, 10 Feb 2024 23:49:31 +
+
 netatalk (3.1.12~ds-8+deb11u1) bullseye-security; urgency=high
 
   * Fix CVE-2021-31439, CVE-2022-0194, CVE-2022-23121, CVE-2022-23122,
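Review bot: the distribution field reads `bullseye-security`, but this update is going through the release team as a bullseye-pu request, not through the security team, so it should be `bullseye`. The +deb11u1 entry below carries `bullseye-security` because that one was a DSA upload; copying it here will cause dak to reject or misroute the upload, which is the point Jonathan's reply raises.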
diff -Nru netatalk-3.1.12~ds/debian/patches/CVE-2022-22995.patch 
netatalk-3.1.12~ds/debian/patches/CVE-2022-22995.patch
--- netatalk-3.1.12~ds/debian/patches/CVE-2022-22995.patch  1970-01-01 
00:00:00.0 +
+++ netatalk-3.1.12~ds/debian/patches/CVE-2022-22995.patch  2024-02-10 
23:40:03.0 +
@@ -0,0 +1,63 @@
+Description: CVE-2022-22995
+Author: Daniel Markstedt 
+Origin: 
https://github.com/Netatalk/netatalk/commit/9eb6d9d0ac17dca210ccbf05476a925a6b379dfb.diff
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+--- a/etc/afpd/desktop.c
 b/etc/afpd/desktop.c
+@@ -12,8 +12,10 @@
+ #endif /* HAVE_CONFIG_H */
+ 
+ #include 
++#include 
+ #include 
+ #include 
++#include 
+ 
+ #include 
+ 
+@@ -212,7 +214,6 @@
+ {
+ bstring olddtpath = NULL, dtpath = NULL;
+ struct stat st;
+-char *cmd_argv[4];
+ 
+ olddtpath = bfromcstr(vol->v_path);
+ bcatcstr(olddtpath, "/" APPLEDESKTOP);
+@@ -220,27 +221,24 @@
+ dtpath = bfromcstr(vol->v_dbpath);
+ bcatcstr(dtpath, "/" APPLEDESKTOP);
+ 
+-if (lstat(cfrombstr(dtpath), ) != 0) {
+-
+-become_root();
++become_root();
+ 
+-if (lstat(cfrombstr(olddtpath), ) == 0) {
+-cmd_argv[0] = "mv";
+-cmd_argv[1] = bdata(olddtpath);
+-cmd_argv[2] = bdata(dtpath);
+-cmd_argv[3] = NULL;
+-if (run_cmd("mv", cmd_argv) != 0) {
+-LOG(log_error, logtype_afpd, "moving .AppleDesktop from 
\"%s\" to \"%s\" failed",
++if (lstat(cfrombstr(dtpath), ) != 0) {
++if ((lstat(cfrombstr(olddtpath), ) == 0) && (S_ISDIR(st.st_mode) 
!= 0)) {
++  if (rename(bdata(olddtpath), bdata(dtpath)) != 0) {
++LOG(log_error, logtype_afpd, "moving .AppleDesktop from 
\"%s\" failed; creating new dir \"%s\"",
+ bdata(olddtpath), bdata(dtpath));
+ mkdir(cfrombstr(dtpath), 0777);
+ }
+ } else {
++LOG(log_debug, logtype_afpd, "no valid .AppleDesktop dir found; 
creating new dir \"%s\"",
++bdata(dtpath));
+ mkdir(cfrombstr(dtpath), 0777);
+ }
+-
+-unbecome_root();
+ }
+ 
++unbecome_root();
++
+ bdestroy(dtpath);
+ bdestroy(olddtpath);
+ }
diff -Nru netatalk-3.1.12~ds/debian/patches/series 
netatalk-3.1.12~ds/debian/patches/series
--- netatalk-3.1.12~ds/debian/patches/series2023-09-20 05:19:20.0 
+
+++ netatalk-3.1.12~ds/debian/patches/series2024-02-10 23:40:03.0 
+
@@ -28,3 +28,4 @@
 CVE-2022-23121_regression.patch
 CVE-2022-23123_part6.patch
 CVE-2023-42464.patch
+CVE-2022-22995.patch

Bug#1060774: bullseye-pu: netatalk/3.1.12~ds-8+deb11u2

2024-02-07 Thread Daniel Markstedt
On Wed, Feb 7, 2024 at 03:06, Jonathan Wiltshire <j...@debian.org> wrote:

> Hi,
>
> On Tue, Jan 16, 2024 at 08:30:52AM +, Daniel Markstedt wrote:
>> On Tue, Jan 16, 2024 at 02:53, Adam D. Barratt <a...@adam-barratt.org.uk> wrote:
>>
>> > Control: tags -1 + moreinfo
>> >
>> > On Sun, 2024-01-14 at 06:23 +, Daniel Markstedt wrote:
>> >> CVE-2022-22995
>> >> Ref. advisory: https://netatalk.sourceforge.io/CVE-2022-22995.php
>> >>
>> >> The attached patch can be applied to Debian oldstable to address the
>> >> vulnerability.
>> >>
>> >
>> > In order to approve an upload, we need to see a full source debdiff of
>> > the proposed new package, not just the isolated patch. Please remove
>> > the moreinfo tag when providing that.
>>
>> Adam, thanks for following up on this request.
>> I will work on a debdiff when I’m back home this coming weekend.
>> Right now I’m working offsite without access to a personal computer.
>
> Ping? It's now too late for 11.9 but your request can be considered for
> 11.10 if you send a debdiff.
>
> Thanks,
>
> --
> Jonathan Wiltshire j...@debian.org
> Debian Developer http://people.debian.org/~jmw
>
> 4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC 74C3 5394 479D D352 4C51
> ed25519/0x196418AAEB74C8A1: CA619D65A72A7BADFC96D280196418AAEB74C8A1

Jonathan,

Thank you for the ping, and apologies for leaving you hanging. I have been 
working offsite for my employer more than anticipated lately, with small 
windows of opportunity for side projects. I’m planning to return home tomorrow 
so if nothing unexpected happens I will have something for you shortly!

Best regards,
Daniel

Bug#1060774: bullseye-pu: netatalk/3.1.12~ds-8+deb11u2

2024-01-16 Thread Daniel Markstedt
On Tue, Jan 16, 2024 at 02:53, Adam D. Barratt <a...@adam-barratt.org.uk> wrote:

> Control: tags -1 + moreinfo
>
> On Sun, 2024-01-14 at 06:23 +, Daniel Markstedt wrote:
>> CVE-2022-22995
>> Ref. advisory: https://netatalk.sourceforge.io/CVE-2022-22995.php
>>
>> The attached patch can be applied to Debian oldstable to address the
>> vulnerability.
>>
>
> In order to approve an upload, we need to see a full source debdiff of
> the proposed new package, not just the isolated patch. Please remove
> the moreinfo tag when providing that.

Adam, thanks for following up on this request.
I will work on a debdiff when I’m back home this coming weekend.
Right now I’m working offsite without access to a personal computer.

>> I'm proposing an oldstable out-of-release-cycle upload: 3.1.12~ds-
>> 8+deb11u2
>
> I'm not entirely sure what you mean by an "out-of-release-cycle upload"
> here.
>
> Regards,
>
> Adam

Please disregard the above; I got confused with the Ubuntu process.

Sincerely,
Daniel

Bug#1060774: Bug ticket

2024-01-14 Thread Daniel Markstedt
This is the relevant bug ticket for the netatalk package: 
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1060773

Bug#1060773: Filed an upload request to release team

2024-01-14 Thread Daniel Markstedt
I prepared a deb patch and filed this upload request with the release team:

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1060774

Bug#1060774: bullseye-pu: netatalk/3.1.12~ds-8+deb11u2

2024-01-13 Thread Daniel Markstedt
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: jo...@jones.dk

Upstream netatalk has patched a CVE security vulnerability; CVE-2022-22995
Ref. advisory: https://netatalk.sourceforge.io/CVE-2022-22995.php

The attached patch can be applied to Debian oldstable to address the 
vulnerability.
I'm proposing an oldstable out-of-release-cycle upload: 3.1.12~ds-8+deb11u2

Sincerely,
Daniel Markstedt

From 3bf8b9032afcdbb5547abf420697a78c9d9b35a5 Mon Sep 17 00:00:00 2001
From: Daniel Markstedt 
Date: Sun, 14 Jan 2024 14:26:19 +0900
Subject: [PATCH] Netatalk CVE-2022-22995 patch

---
 debian/patches/CVE-2022-22995.patch | 63 +
 debian/patches/series   |  1 +
 2 files changed, 64 insertions(+)
 create mode 100644 debian/patches/CVE-2022-22995.patch

diff --git a/debian/patches/CVE-2022-22995.patch b/debian/patches/CVE-2022-22995.patch
new file mode 100644
index ..63101426
--- /dev/null
+++ b/debian/patches/CVE-2022-22995.patch
@@ -0,0 +1,63 @@
+Description: CVE-2022-22995
+Author: Daniel Markstedt 
+Origin: https://github.com/Netatalk/netatalk/commit/9eb6d9d0ac17dca210ccbf05476a925a6b379dfb.diff
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+--- a/etc/afpd/desktop.c
 b/etc/afpd/desktop.c
+@@ -12,8 +12,10 @@
+ #endif /* HAVE_CONFIG_H */
+ 
+ #include 
++#include 
+ #include 
+ #include 
++#include 
+ 
+ #include 
+ 
+@@ -212,7 +214,6 @@
+ {
+ bstring olddtpath = NULL, dtpath = NULL;
+ struct stat st;
+-char *cmd_argv[4];
+ 
+ olddtpath = bfromcstr(vol->v_path);
+ bcatcstr(olddtpath, "/" APPLEDESKTOP);
+@@ -220,27 +221,24 @@
+ dtpath = bfromcstr(vol->v_dbpath);
+ bcatcstr(dtpath, "/" APPLEDESKTOP);
+ 
+-if (lstat(cfrombstr(dtpath), ) != 0) {
+-
+-become_root();
++become_root();
+ 
+-if (lstat(cfrombstr(olddtpath), ) == 0) {
+-cmd_argv[0] = "mv";
+-cmd_argv[1] = bdata(olddtpath);
+-cmd_argv[2] = bdata(dtpath);
+-cmd_argv[3] = NULL;
+-if (run_cmd("mv", cmd_argv) != 0) {
+-LOG(log_error, logtype_afpd, "moving .AppleDesktop from \"%s\" to \"%s\" failed",
++if (lstat(cfrombstr(dtpath), ) != 0) {
++if ((lstat(cfrombstr(olddtpath), ) == 0) && (S_ISDIR(st.st_mode) != 0)) {
++	if (rename(bdata(olddtpath), bdata(dtpath)) != 0) {
++LOG(log_error, logtype_afpd, "moving .AppleDesktop from \"%s\" failed; creating new dir \"%s\"",
+ bdata(olddtpath), bdata(dtpath));
+ mkdir(cfrombstr(dtpath), 0777);
+ }
+ } else {
++LOG(log_debug, logtype_afpd, "no valid .AppleDesktop dir found; creating new dir \"%s\"",
++bdata(dtpath));
+ mkdir(cfrombstr(dtpath), 0777);
+ }
+-
+-unbecome_root();
+ }
+ 
++unbecome_root();
++
+ bdestroy(dtpath);
+ bdestroy(olddtpath);
+ }
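Review bot: the added `if (rename(bdata(olddtpath), bdata(dtpath)) != 0) {` line is indented with a tab while every surrounding line uses spaces, so it sits misaligned with its own closing brace and the LOG call beneath it; reindent with spaces to match the file before this lands. The later debdiff revisions in this thread show the same line with two-space indentation, which is still one level short of the block.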
diff --git a/debian/patches/series b/debian/patches/series
index 3f69b779..70f4bce8 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -28,3 +28,4 @@ CVE-2022-23123_part5.patch
 CVE-2022-23121_regression.patch
 CVE-2022-23123_part6.patch
 CVE-2023-42464.patch
+CVE-2022-22995.patch
-- 
2.39.2



Bug#1060773: CVE-2022-22995: afpd daemon vulnerable to symlink redirection

2024-01-13 Thread Daniel Markstedt
Package: netatalk
Version: 3.1.12~ds-8+deb11u1
Severity: normal
Tags: security
X-Debbugs-Cc: t...@security.debian.org, 
pkg-netatalk-de...@alioth-lists.debian.net, Debian Security Team 


This is for tracking the fix for security vulnerability CVE-2022-22995
in Debian Oldstable (Bullseye)

Upstream advisory at: https://netatalk.sourceforge.io/CVE-2022-22995.php

Note that this has already been patched in oldoldstable (by the security
team) and in unstable (by the package maintainers.)

-- System Information:
Debian Release: 11.7
  APT prefers oldstable
  APT policy: (500, 'oldstable')
Architecture: amd64 (x86_64)

Kernel: Linux 6.1.0-12-amd64 (SMP w/4 CPU threads; PREEMPT)
Locale: LANG=C, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /bin/dash
Init: unable to detect

Versions of packages netatalk depends on:
ii  init-system-helpers  1.60
ii  libacl1  2.2.53-10
ii  libavahi-client3 0.8-5+deb11u2
ii  libavahi-common3 0.8-5+deb11u2
ii  libc62.31-13+deb11u6
ii  libcrack22.9.6-3.4
ii  libcrypt11:4.4.18-4
ii  libdb5.3 5.3.28+dfsg1-0.8
ii  libdbus-glib-1-2 0.110-6
ii  libevent-2.1-7   2.1.12-stable-1
ii  libgcrypt20  1.8.7-6
ii  libglib2.0-0 2.66.8-1
ii  libgssapi-krb5-2 1.18.3-6+deb11u3
ii  libkrb5-31.18.3-6+deb11u3
ii  libldap-2.4-22.4.57+dfsg-3+deb11u1
ii  libmariadb3  1:10.5.19-0+deb11u2
ii  libpam-modules   1.4.0-9+deb11u1
ii  libpam0g 1.4.0-9+deb11u1
ii  libssl1.11.1.1n-0+deb11u4
ii  libtalloc2   2.3.1-2+b1
ii  libtdb1  1.4.3-1+b1
ii  libtracker-sparql-2.0-0  2.3.6-2
ii  libwrap0 7.6.q-31
ii  lsb-base 11.1.0
ii  netbase  6.3
ii  perl 5.32.1-4+deb11u2

Versions of packages netatalk recommends:
ii  avahi-daemon  0.8-5+deb11u2
ii  cracklib-runtime  2.9.6-3.4
ii  dbus  1.12.24-0+deb11u1
ii  lsof  4.93.2+dfsg-1.1
ii  procps2:3.3.17-5
ii  python3   3.9.2-3
ii  python3-dbus  1.2.16-5
ii  tracker   2.3.6-2

Versions of packages netatalk suggests:
pn  quota  

-- no debconf information



Bug#568601: [Pkg-netatalk-devel] Bug#568601: Bug#568601: Can confirm this problem still exists

2023-12-01 Thread Daniel Markstedt
Hi Matijs,

I totally get your point and agree that this situation is not ideal.
Unfortunately, I don't think the exact dependent package version is something 
that we as package managers can or should hard code in this fashion.

Look at the "debian/control" file in the package repo:
https://salsa.debian.org/netatalk-team/netatalk/-/blob/debian/latest/debian/control#L20

See that "libgcrypt20-dev" is defined as a dependency without specifying a 
version.
It is actually debbuild (I think) that resolves the exact version dependency 
when it builds the package for a particular Debian version.

Hence, when debbuild builds a package for Bookworm Stable, the dependency 
resolves as libgcrypt20-dev==1.10.1 and when it's built for Unstable it gets 
resolved as libgcrypt20-dev==1.10.2.

So when you install the Unstable package on Bookworm you run into this 
dependency problem with libgcrypt20-dev.

Someone who knows Debian better could correct me if I'm wrong. :)

Does this make sense?

Daniel

On Friday, December 1st, 2023 at 6:01 PM, Matijs van Zuijlen wrote:


> 
> 
> Hi Daniel,
> 
> Indeed, I am running Debian stable on my server with just netatalk and
> some of its dependencies from testing, so my setup is a bit unconventional.
> 
> This is in fact the case because Netatalk was dropped from Debian 12,
> and I didn't want to keep running the old version which has a security
> issue.
> 
> However, I think installing netatalk from any Debian version should
> still pull in the correct version of libgcrypt. Isn't that something
> that can be addressed in the netatalk package? I can imagine later
> versions of netatalk would need still newer versions of libgcrypt. The
> current dependency specification would fail to pull those in.
> 
> Kind regards,
> Matijs van Zuijlen
> 
> On 01/12/2023 00:42, Daniel Markstedt wrote:
> 
> > Hi Matijs,
> > 
> > This is not something we can address in the netatalk package itself, since 
> > you're using an Unstable netatalk package with a Stable Debian version. 
> > (Netatalk was dropped from Debian 12 Bookworm.)
> > 
> > See this upstream discussion for more details: 
> > https://github.com/Netatalk/netatalk/discussions/574
> > 
> > Best regards,
> > Daniel
> > 
> > On Thursday, November 30th, 2023 at 11:05 PM, Matijs van Zuijlen mat...@matijs.net wrote:
> > 
> > > Dear maintainer,
> > > 
> > > This problem still exists. I installed netatalk from testing on a Debian
> > > server running stable, and libgcrypt was not updated at the same time
> > > because the dependency in the netatalk package specifies '>= 1.10.0',
> > > 
> > > which matches the stable version 1.10.1, while testing's netatalk
> > > actually needs libgcrypt 1.10.2. This led to a flood of errors in the
> > > logs. Updating the libgcrypt package to the testing version (1.10.2)
> > > fixed that problem.
> > > 
> > > As far as I can tell, the solution would be for the netatalk package to
> > > depend on (at least?) the libgcrypt version it was compiled with.
> > > 
> > > --
> > > Kind regards,
> > > Matijs van Zuijlen
> > > 
> > > --
> > > pkg-netatalk-devel mailing list
> > > pkg-netatalk-de...@alioth-lists.debian.net
> > > https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-netatalk-devel
> 
> 
> --
> pkg-netatalk-devel mailing list
> pkg-netatalk-de...@alioth-lists.debian.net
> https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-netatalk-devel



Bug#568601: [Pkg-netatalk-devel] Bug#568601: Can confirm this problem still exists

2023-11-30 Thread Daniel Markstedt
Hi Matijs,

This is not something we can address in the netatalk package itself, since 
you're using an Unstable netatalk package with a Stable Debian version. 
(Netatalk was dropped from Debian 12 Bookworm.)

See this upstream discussion for more details: 
https://github.com/Netatalk/netatalk/discussions/574


Best regards,
Daniel

On Thursday, November 30th, 2023 at 11:05 PM, Matijs van Zuijlen wrote:


> 
> 
> Dear maintainer,
> 
> This problem still exists. I installed netatalk from testing on a Debian
> server running stable, and libgcrypt was not updated at the same time
> because the dependency in the netatalk package specifies '>= 1.10.0',
> 
> which matches the stable version 1.10.1, while testing's netatalk
> actually needs libgcrypt 1.10.2. This led to a flood of errors in the
> logs. Updating the libgcrypt package to the testing version (1.10.2)
> fixed that problem.
> 
> As far as I can tell, the solution would be for the netatalk package to
> depend on (at least?) the libgcrypt version it was compiled with.
> 
> --
> Kind regards,
> Matijs van Zuijlen
> 
> --
> pkg-netatalk-devel mailing list
> pkg-netatalk-de...@alioth-lists.debian.net
> https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-netatalk-devel



Bug#1053545: CVE-2022-22995: netatalk afpd vulnerable to symlink spoofing

2023-10-05 Thread Daniel Markstedt
Package: netatalk
Version: 3.1.12~ds-3
Severity: critical
Tags: security
Justification: root security hole
X-Debbugs-Cc: pkg-netatalk-de...@alioth-lists.debian.net, Debian Security Team 


Under very specific circumstances, netatalk can be tricked into copying a 
symlink or other malicious file from the shared volume into a restricted place 
in the file system, potentially achieving remote code execution. All versions 
of netatalk from 3.1.0 to 3.1.17 are vulnerable.

The CVE-2022-22995 advisory was published over a year ago, but the details of 
the exploit weren't disclosed at the time:

https://nvd.nist.gov/vuln/detail/cve-2022-22995

It was only recently that we in the upstream team were able to get in touch 
with original security researchers to gain enough insights to formulate a patch 
and publish our own security advisory:

https://netatalk.sourceforge.io/CVE-2022-22995.php
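The guard the upstream fix relies on, restated as a stand-alone function so it can be exercised against a planted symlink. This is an added example and not netatalk's code: it keeps the post-fix shape of create_appledesktop_folder() (lstat() the old .AppleDesktop, move it with rename() only if it is a real directory, otherwise create a fresh one) and goes a little beyond it by returning a result code and logging errno on rename() failure. The names migrate_desktop_dir, desktop_result and demo are invented here, and the harness assumes a POSIX system with a writable /tmp.

```c
/* Added example; not netatalk code. Restates the post-fix logic of
 * create_appledesktop_folder() as a testable function. Names are invented
 * for this example. Needs a writable /tmp. */
#define _DEFAULT_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

enum desktop_result {
    DESKTOP_EXISTS = 0,   /* destination already present, nothing done */
    DESKTOP_MOVED,        /* old directory renamed into place */
    DESKTOP_CREATED,      /* no usable old directory: fresh mkdir() */
    DESKTOP_ERROR         /* mkdir() failed, errno preserved */
};

/* Move old_path to new_path only when old_path is a real directory.
 * lstat() sees a symlink as a symlink, so it is rejected, not followed;
 * rename() never copies data, so a link or file planted at old_path
 * cannot be carried into new_path the way "mv" could. */
enum desktop_result migrate_desktop_dir(const char *old_path,
                                        const char *new_path, mode_t mode)
{
    struct stat st;

    if (lstat(new_path, &st) == 0)
        return DESKTOP_EXISTS;
    if (lstat(old_path, &st) == 0 && S_ISDIR(st.st_mode)) {
        if (rename(old_path, new_path) == 0)
            return DESKTOP_MOVED;
        /* EXDEV (different filesystem) is the usual cause; say which. */
        fprintf(stderr, "rename %s -> %s: %s; creating new dir\n",
                old_path, new_path, strerror(errno));
    }
    return mkdir(new_path, mode) == 0 ? DESKTOP_CREATED : DESKTOP_ERROR;
}

/* Harness: scratch vol/ and db/ under a fresh temp dir. Plants either a
 * real vol/.AppleDesktop holding one file, or (plant_symlink != 0) a
 * symlink of that name pointing elsewhere. Returns the migration result
 * if db/.AppleDesktop ended up as a real directory, else -1. */
int demo(int plant_symlink)
{
    char tmpl[] = "/tmp/desktopXXXXXX";
    char vol[64], db[64], target[64], old_path[96], new_path[96];
    char marker[128], old_marker[128];
    struct stat st;
    int ok, res;
    char *base = mkdtemp(tmpl);

    if (base == NULL)
        return -1;
    snprintf(vol, sizeof vol, "%s/vol", base);
    snprintf(db, sizeof db, "%s/db", base);
    snprintf(target, sizeof target, "%s/elsewhere", base);
    snprintf(old_path, sizeof old_path, "%s/.AppleDesktop", vol);
    snprintf(new_path, sizeof new_path, "%s/.AppleDesktop", db);
    snprintf(old_marker, sizeof old_marker, "%s/marker", old_path);
    snprintf(marker, sizeof marker, "%s/marker", new_path);
    if (mkdir(vol, 0755) || mkdir(db, 0755) || mkdir(target, 0755))
        return -1;
    if (plant_symlink) {
        if (symlink(target, old_path) != 0)
            return -1;
    } else {
        int fd;
        if (mkdir(old_path, 0755) != 0)
            return -1;
        fd = open(old_marker, O_WRONLY | O_CREAT, 0644);
        if (fd < 0)
            return -1;
        close(fd);
    }

    res = migrate_desktop_dir(old_path, new_path, 0755);

    /* What matters: db/.AppleDesktop is a real directory, never a link,
     * and a real old directory travels with its contents. */
    ok = lstat(new_path, &st) == 0 && S_ISDIR(st.st_mode);
    if (!plant_symlink)
        ok = ok && lstat(marker, &st) == 0;

    /* Cleanup, errors ignored. unlink() removes a planted symlink
     * without touching its target. */
    unlink(marker);
    unlink(old_path);
    rmdir(new_path);
    rmdir(target);
    rmdir(vol);
    rmdir(db);
    rmdir(base);
    return ok ? res : -1;
}

int main(void)
{
    printf("symlink planted: result=%d (2 = created new)\n", demo(1));
    printf("real directory:  result=%d (1 = moved)\n", demo(0));
    return 0;
}
```

With a symlink planted in the volume the function creates a fresh directory under the db path and never touches the link target; with a genuine directory it moves it along with its contents. The rename() fallback still abandons the old contents when v_dbpath lives on another filesystem, which is why the example logs strerror(errno) where the patch's LOG line does not.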



Bug#1049325: Updated patch with CVE-2023-42464 fix

2023-09-19 Thread Daniel Markstedt
A new 0-day vulnerability CVE-2023-42464 has been published and patched with 
upstream Netatalk 3.1.17

The large CVE patch batch for oldstable has been updated and a new version 
attached here.

Thank you!

Daniel

[Attachment: netatalk-3.1.12~ds-8+deb11u1-2.patch]


Bug#1052087: Versions affected

2023-09-17 Thread Daniel Markstedt
Please note: The vulnerability also affects 3.1.12~ds-8 in oldstable, and 
3.1.15~ds-3 in unstable.

stable isn't distributing a netatalk package.

Bug#1052087: CVE-2023-42464: 0-day vulnerability in afpd Spotlight RPC

2023-09-17 Thread Daniel Markstedt
Package: netatalk
Version: 3.1.12~ds-3
Severity: critical
Tags: security
Justification: root security hole

A 0-day vulnerability patch has been published for the upstream project.

The CVE record has not been made public yet, but this is the body of the
advisory for the record:

A Type Confusion vulnerability was found in the Spotlight RPC functions
in Netatalk's afpd daemon. When parsing Spotlight RPC packets, one
encoded data structure is a key-value style dictionary where the keys
are character strings, and the values can be any of the supported types
in the underlying protocol. Due to a lack of type checking in callers of
the dalloc_value_for_key() function, which returns the object associated
with a key, a malicious actor may be able to fully control the value of
the pointer and theoretically achieve Remote Code Execution on the host.

The underlying code for Spotlight queries in Netatalk shares a common
heritage with Samba, and hence the root cause and fix are logically
identical with those described in CVE-2023-34967.

https://github.com/Netatalk/netatalk/issues/486

-- System Information:
Debian Release: 10.13
  APT prefers oldoldstable
  APT policy: (500, 'oldoldstable')
Architecture: amd64 (x86_64)

Kernel: Linux 6.1.0-12-amd64 (SMP w/4 CPU cores; PREEMPT)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL 
set to C.UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to 
C.UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: unable to detect

Versions of packages netatalk depends on:
ii  libacl1  2.2.53-4
ii  libattr1 1:2.4.48-4
ii  libavahi-client3 0.7-4+deb10u1
ii  libavahi-common3 0.7-4+deb10u1
ii  libc62.28-10+deb10u1
ii  libdb5.3 5.3.28+dfsg1-0.5
ii  libdbus-1-3  1.12.20-0+deb10u1
ii  libdbus-glib-1-2 0.110-4
ii  libgcrypt20  1.8.4-5+deb10u1
ii  libglib2.0-0 2.58.3-2+deb10u3
ii  libldap-2.4-22.4.47+dfsg-3+deb10u7
ii  libpam-modules   1.3.1-5
ii  libpam0g 1.3.1-5
ii  libtalloc2   2.1.14-2
ii  libtdb1  1.3.16-2+b1
ii  libtracker-sparql-2.0-0  2.1.8-2
ii  libwrap0 7.6.q-28
ii  lsb-base 10.2019051400
ii  netbase  5.6
ii  perl 5.28.1-6+deb10u1

Versions of packages netatalk recommends:
ii  avahi-daemon  0.7-4+deb10u1
ii  dbus  1.12.20-0+deb10u1
ii  lsof  4.91+dfsg-1
ii  procps2:3.3.15-2
ii  python3   3.7.3-1
ii  python3-dbus  1.2.8-3
ii  tracker   2.1.8-2

Versions of packages netatalk suggests:
pn  quota  

-- no debconf information
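The bug class the advisory above describes, shown as an added example rather than netatalk or Samba code: a key/value dictionary whose values carry a type tag, a lookup that hands back the raw payload and so forces every caller to assume the type, and the hardened lookup that takes the expected type and refuses anything else. Every name here (dict, dict_value, dict_lookup_raw, dict_lookup_typed, the "query" key) is invented for the example and is not netatalk's dalloc API; the hostile request is constructed inline, and the "vulnerable" caller stops one step short of dereferencing and instead returns the pointer it would have used.

```c
/* Added example, not netatalk or Samba code. Models the pattern behind
 * CVE-2023-42464 / CVE-2023-34967: untyped dictionary lookup plus a
 * caller that assumes the value's type. All names are invented here. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum value_type { VT_STRING, VT_INT64, VT_DICT };

struct dict;
struct dict_value {
    enum value_type type;
    union {
        const char  *str;
        int64_t      i64;
        struct dict *dict;
    } u;
};

struct dict_entry { const char *key; struct dict_value val; };
struct dict { struct dict_entry entries[8]; size_t n; };

static int dict_put(struct dict *d, const char *key, struct dict_value v)
{
    if (d->n >= 8)
        return -1;
    d->entries[d->n].key = key;
    d->entries[d->n].val = v;
    d->n++;
    return 0;
}

/* Unchecked lookup: returns the payload union and drops the type tag.
 * This is the shape of the vulnerable pattern. */
static const void *dict_lookup_raw(const struct dict *d, const char *key)
{
    for (size_t i = 0; i < d->n; i++)
        if (strcmp(d->entries[i].key, key) == 0)
            return &d->entries[i].val.u;
    return NULL;
}

/* Hardened lookup: the caller states the type it can handle and gets
 * NULL for a missing key or a value of any other type. */
static const struct dict_value *dict_lookup_typed(const struct dict *d,
                                                  const char *key,
                                                  enum value_type want)
{
    for (size_t i = 0; i < d->n; i++)
        if (strcmp(d->entries[i].key, key) == 0)
            return d->entries[i].val.type == want ? &d->entries[i].val : NULL;
    return NULL;
}

/* Vulnerable caller, stopped one step short: it expects a nested dict
 * under "query" and returns the pointer it would have dereferenced.
 * If the peer sent an integer instead, that pointer is the peer's integer. */
uintptr_t vulnerable_query_pointer(const struct dict *d)
{
    struct dict *const *slot = dict_lookup_raw(d, "query");
    return slot ? (uintptr_t)*slot : 0;
}

/* Fixed caller: a non-dictionary value is a malformed request, not a dict. */
const struct dict *checked_query_dict(const struct dict *d)
{
    const struct dict_value *v = dict_lookup_typed(d, "query", VT_DICT);
    return v ? v->u.dict : NULL;
}

/* Constructed request: the peer put an integer where a dict is expected. */
void build_hostile_request(struct dict *req)
{
    struct dict_value v = { .type = VT_INT64, .u.i64 = 0x41414141 };
    memset(req, 0, sizeof *req);
    dict_put(req, "query", v);
}

/* Constructed well-formed request with a real nested dictionary. */
void build_valid_request(struct dict *req, struct dict *inner)
{
    struct dict_value v = { .type = VT_DICT, .u.dict = inner };
    memset(req, 0, sizeof *req);
    memset(inner, 0, sizeof *inner);
    dict_put(req, "query", v);
}

/* 1 when the checked caller rejects the hostile request, accepts the valid
 * one, and the unchecked caller would have used the peer's integer as a
 * pointer; 0 otherwise. */
int self_check(void)
{
    struct dict req, inner;
    build_hostile_request(&req);
    if (vulnerable_query_pointer(&req) != (uintptr_t)0x41414141)
        return 0;
    if (checked_query_dict(&req) != NULL)
        return 0;
    build_valid_request(&req, &inner);
    return checked_query_dict(&req) == &inner;
}

int main(void)
{
    struct dict req;
    build_hostile_request(&req);
    printf("unchecked caller would dereference %#lx\n",
           (unsigned long)vulnerable_query_pointer(&req));
    printf("checked caller returns %s; self_check=%d\n",
           checked_query_dict(&req) ? "a dict" : "NULL", self_check());
    return 0;
}
```

The fix is the same one the advisory attributes to the Samba side: callers of the dictionary lookup name the type they expect and treat a mismatch as a protocol error, so the peer can choose the value's bits but never what the daemon does with them.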



Bug#1051066: [Pkg-netatalk-devel] Bug#1051066: netatalk: 9 outstanding CVEs in Bullseye with available patches

2023-09-03 Thread Daniel Markstedt
--- Original Message ---
On Saturday, September 2nd, 2023 at 1:33 AM, Jonas Smedegaard wrote:

> 
> This is one bugreport about multiple issues. That easily gets confusing
> to track, e.g. if some of the issues are solved and some are not, for a
> certain release of the package (and consequently a Debian release where
> that package release is included).
> 
> It is generally easier to track when instead filing one bugreport per
> issue.
> 

I can see how this is the preferred approach for a clean tracking of each 
security issue. In this case it gets a bit hairy since we have cases where one 
patch fixed multiple CVEs, and elsewhere multiple patches were required to fix 
regressions introduced by a CVE fix. It was a journey of >1 year to get to the 
present state.

> I tried lookup one of above CVEs inn the Debian security tracker:
> https://security-tracker.debian.org/tracker/CVE-2022-43634
> 
> It references an already filed bugreport about that issue, bug#1034170,
> which is tagged as found only as early as 3.1.14~ds-1. If earlier
> Debian package releases are also affected by that particular issue, then
> please update that bugreport to reflect that fact.
> 
> This bugreport is flagged as "archived" (which is done automatically
> after being done for a while, to reduce spam). Before doing other
> changes you therefore need to first unachive it.
> 
> E.g. something like this:
> 
> bts unarchive 1034170 . found 1034170 3.1.13~ds-1
> 

Will do, thanks for the command.

> The other CVEs seemingly have no related bugreport (from a quick look at
> the security tracker - but I suspect that database does not list
> bugreports not involving the security team at first, and only later
> mentioning a CVE if at all). If you don't happen to be aware of
> bugreports exisisting for those other issues, then I suggest to file new
> individual bugreports for each issue (also because it is easy to merge
> issues later as needed).
> 

That's a fairly big undertaking, especially if clean and atomic patches are 
required for each...

I was really hoping the batch approach would be accepted.

That said I can definitely create the individual bug tickets for starters and 
we can take it from there. Let me set aside some time next week for this.

> 
> Kind regards, and thanks a lot for looking into this,
> 
> - Jonas
> 

You're welcome! 

Daniel



Bug#1051103: netatalk: Unknown error: 211 from macOS when trying to mount in 3.1.15~ds-2 or later

2023-09-02 Thread Daniel Markstedt
--- Original Message ---
On Saturday, September 2nd, 2023 at 12:18 PM, David Gilman wrote:


>
>
> Package: netatalk
> Version: 3.1.15~ds-2
> Severity: important
> X-Debbugs-Cc: davidgilm...@gmail.com
>
> Dear Maintainer,
>
> After the update from 3.1.15~ds-1 to 3.1.15~ds-2 any attempt to mount an
> exported AFP share from macOS results in "Unknown error: 211" on the Mac
> side. This was not fixed in 3.1.15~ds-3.
>
> I was able to confirm the regression by downgrading from -3 to -2 to -1
> on the same setup to find that it was working on -1 and not -2.
>
> Note that my Debian side configuration is a bit of a monster, I am
> pinning netatalk from sid, but am otherwise on bookworm. The Mac is
> running macOS 13.5.1.
>
> I have attached some hopefully relevant system logs from the Mac.
>

Hi David,

Thank you for reporting the issue! I cannot reproduce the issue despite having 
the exact same environment (Bookworm pinned to Sid netatalk, macOS 13.5.1) so 
please help me work through a few troubleshooting steps.

Reading the changelog between ds-1 and ds-2, the only obvious functional 
difference is that we did away with the pam.d configuration override. It 
shouldn't have made a difference, but you never know.

To understand what's happening on the netatalk side when macOS throws that 
error, would you be able to turn on debug level logs, and then capture syslog 
as the error is happening? That's the only sure way to know exactly what it 
gets hung up on.

For this purpose, please add or modify the log level line of the Global section 
of /etc/netatalk/afp.conf as per the below and then restart netatalk.

log level = default:debug

Also, it would be handy to know the contents of your /etc/netatalk/afp.conf and 
/etc/pam.d/netatalk files. Please scrub any private information as needed.

Sincerely,
Daniel



Bug#1051066: netatalk: 9 outstanding CVEs in Bullseye with available patches

2023-09-01 Thread Daniel Markstedt
To add the justification for the critical severity of this ticket:
At least 6 of the 9 vulnerabilities grant theoretical root access to a Debian 
system running non-patched netatalk.

CVE-2022-43634, CVE-2022-23124, CVE-2022-23123, CVE-2022-23122, CVE-2022-23121, 
CVE-2022-0194

Bug#1051066: netatalk: 9 outstanding CVEs in Bullseye with available patches

2023-09-01 Thread Daniel Markstedt
Package: netatalk
Version: 3.1.12~ds-8
Severity: critical
Tags: patch security
Justification: root security hole
X-Debbugs-Cc: pkg-netatalk-de...@alioth-lists.debian.net, Debian Security Team 


Nine CVE security advisories were addressed in netatalk upstream
releases between 3.1.13 and 3.1.15. The full list is below:

CVE-2022-45188
CVE-2022-43634
CVE-2022-23125
CVE-2022-23124
CVE-2022-23123
CVE-2022-23122
CVE-2022-23121
CVE-2022-0194
CVE-2021-31439

Current status of patching these vulnerabilities:
- netatalk oldoldstable has already been patched by the Security Team.
- netatalk unstable has already been patched by the maintainer team.
- The netatalk package was excluded from stable, no action required.
- What remains is to patch oldstable, hence this ticket.

A debpatch has been attached to the related Release bug ticket,
where approval to proceed with an oldstable release has been requested.
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1049325

-- System Information:
Debian Release: 11.7
  APT prefers oldstable
  APT policy: (500, 'oldstable')
Architecture: amd64 (x86_64)

Kernel: Linux 6.1.0-11-amd64 (SMP w/4 CPU threads; PREEMPT)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL 
set to C.UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /bin/dash
Init: unable to detect

Versions of packages netatalk depends on:
ii  init-system-helpers  1.60
ii  libacl1  2.2.53-10
ii  libavahi-client3  0.8-5+deb11u2
ii  libavahi-common3  0.8-5+deb11u2
ii  libc6  2.31-13+deb11u6
ii  libcrack2  2.9.6-3.4
ii  libcrypt1  1:4.4.18-4
ii  libdb5.3  5.3.28+dfsg1-0.8
ii  libdbus-glib-1-2  0.110-6
ii  libevent-2.1-7  2.1.12-stable-1
ii  libgcrypt20  1.8.7-6
ii  libglib2.0-0  2.66.8-1
ii  libgssapi-krb5-2  1.18.3-6+deb11u3
ii  libkrb5-3  1.18.3-6+deb11u3
ii  libldap-2.4-2  2.4.57+dfsg-3+deb11u1
ii  libmariadb3  1:10.5.19-0+deb11u2
ii  libpam-modules  1.4.0-9+deb11u1
ii  libpam0g  1.4.0-9+deb11u1
ii  libssl1.1  1.1.1n-0+deb11u4
ii  libtalloc2  2.3.1-2+b1
ii  libtdb1  1.4.3-1+b1
ii  libtracker-sparql-2.0-0  2.3.6-2
ii  libwrap0  7.6.q-31
ii  lsb-base  11.1.0
ii  netbase  6.3
ii  perl  5.32.1-4+deb11u2

Versions of packages netatalk recommends:
ii  avahi-daemon  0.8-5+deb11u2
ii  cracklib-runtime  2.9.6-3.4
ii  dbus  1.12.24-0+deb11u1
ii  lsof  4.93.2+dfsg-1.1
ii  procps  2:3.3.17-5
ii  python3  3.9.2-3
ii  python3-dbus  1.2.16-5
ii  tracker  2.3.6-2

Versions of packages netatalk suggests:
pn  quota  

-- no debconf information



Bug#1049325: Increasing severity

2023-08-30 Thread Daniel Markstedt
Control: severity -1 important
X-Debbugs-Cc: pkg-netatalk-de...@alioth-lists.debian.net

Dear Debian Release Team,

Please allow me to raise the severity for this ticket.
The patches address 9 public CVE advisories, and I think it would be beneficial 
to Bullseye users to have a patched package.

As mentioned before, the exact same patchset has been applied to 
oldoldstable-security with help from the Security Team (special thanks to 
Markus Koschany!)

Would it be possible to get feedback on the proposed release?

For reference, here are the relevant netatalk bug tickets that I know of.
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1025011
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1036740
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1043504

Thank you!

Daniel



Bug#1043504: [Pkg-netatalk-devel] Bug#1043504: marked as done (Another regression fix for CVE-2022-23123)

2023-08-14 Thread Daniel Markstedt
> -- Forwarded message --
> From: Markus Koschany 
> To: Daniel Markstedt 
> Cc: 1043504-d...@bugs.debian.org
> Bcc:
> Date: Sun, 13 Aug 2023 23:44:58 +0200
> Subject: Re: Bug#1043504: Another regression fix for CVE-2022-23123
> Version: 3.1.12~ds-3+deb10u3
>
> Am Freitag, dem 11.08.2023 um 22:45 -0700 schrieb Daniel Markstedt:
> > Package: netatalk
> > Version: 3.1.12~ds-3+deb10u2
> > X-Debbugs-Cc: t...@security.debian.org,debian-...@lists.debian.org
> >
> > Dear Debian Security team,
> >
> > Would you be able to help me get the following critical regression fix
> > into the Buster netatalk package?
>
> Hello Daniel,
>
> thank you for the report. I have just released DLA-3426-3 and believe this is
> fixed in 3.1.12~ds-3+deb10u3 now.
>
> Regards,
>
> Markus

Wonderful, thank you for the quick turnaround on the upload.
I updated to deb10u3 on my Buster system and ran a few tests.
It seems to work as expected!

As a side note, I filed a release request with the Release team last
night to get traction with patching the Bullseye package as well.
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1049325

I'm following the guidelines here so hopefully I'm on the right track. :)
https://lists.debian.org/debian-devel-announce/2019/08/msg0.html

Cheers,
Daniel



Bug#1025011: Release request filed

2023-08-13 Thread Daniel Markstedt
For the record, I have filed a request with the Release Team now to
get the green light to upload Bullseye packages. See:

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1049325



Bug#1049325: bullseye-pu: netatalk/3.1.12~ds-8+deb11u1

2023-08-13 Thread Daniel Markstedt
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: jo...@jones.dk

This is a batch of patches that resolves a number of CVE
vulnerabilities for netatalk, plus a number of regressions that were
subsequently fixed in upstream (indicated by part/regression patches).

They originate in upstream releases between 3.1.13 through 3.1.15.
With the exception of the very last regression fix
(CVE-2022-23123_part6.patch) they are all in the unstable netatalk
package.

CVE-2022-45188
CVE-2022-43634
CVE-2022-23125
CVE-2022-23124
CVE-2022-23123
CVE-2022-23122
CVE-2022-23121
CVE-2022-0194
CVE-2021-31439

For complete transparency: Please note that the patch for
CVE-2022-23123 also fixes CVE-2022-23122, CVE-2022-23124,
CVE-2022-0194, which is why the latter three don't have separate
patches.

The Security Team has already applied this exact patchset on
buster-security (3.1.12~ds-3+deb10u3), and instructed me to file this
release request against oldstable.

We have an active userbase that leverages netatalk for file sharing
with fleets of legacy Mac clients in production environments, so I
consider it prudent to keep oldstable up to date with security
patches.

Is this enough to make a case for uploading an update to oldstable?

Sincerely,
Daniel Markstedt


netatalk-3.1.12~ds-8+deb11u1.patch
Description: Binary data


Bug#1043504: Another regression fix for CVE-2022-23123

2023-08-13 Thread Daniel Markstedt
My apologies, the previous patch had a fatal typo that I noticed when
running debuild.
This "-2" version should work properly.

On Sat, Aug 12, 2023 at 10:58 PM Daniel Markstedt  wrote:
>
> Here is a patch with the upstream code change, for the 3.1.12~ds3 patchset.
> I followed the maintainers' documentation and used quilt, so hopefully
> it should be compliant!
> Please let me know if there's anything I should be doing differently here.
>
> Thanks!
> Daniel


CVE-2022-23123_part6-2.patch
Description: Binary data


Bug#1043504: Another regression fix for CVE-2022-23123

2023-08-13 Thread Daniel Markstedt
Here is a patch with the upstream code change, for the 3.1.12~ds3 patchset.
I followed the maintainers' documentation and used quilt, so hopefully
it should be compliant!
Please let me know if there's anything I should be doing differently here.

Thanks!
Daniel


CVE-2022-23123_part6.patch
Description: Binary data


Bug#1043504: Another regression fix for CVE-2022-23123

2023-08-11 Thread Daniel Markstedt
Package: netatalk
Version: 3.1.12~ds-3+deb10u2
X-Debbugs-Cc: t...@security.debian.org,debian-...@lists.debian.org

Dear Debian Security team,

Would you be able to help me get the following critical regression fix
into the Buster netatalk package?

The regression was introduced with the patch for CVE-2022-23123 and is
impacting a subset of users that have certain metadata in their shared
files. The issue leads to an unavoidable crash and renders netatalk
useless with their shared volumes.

Separately, it also contains a fix for saving MS Office files onto an
otherwise functioning shared volume.

This is the commit with the fix in question:
https://github.com/Netatalk/netatalk/commit/7dbde0ce704be7fbdb23e893e05cedced337350d

See this PR for discussion and links back to the user reported issue tickets:
https://github.com/Netatalk/netatalk/pull/178

See also Bug#1036740 for the previous batch of regression fixes for
the same CVE.

Thank you!



Bug#1040065: [Pkg-netatalk-devel] Bug#1040065: afpd: systemd-logind ReleaseSession rejected by dbus-daemon

2023-07-01 Thread Daniel Markstedt
On Sat, Jul 1, 2023 at 3:27 PM Richard van den Berg  wrote:
>
> Package: netatalk
> Version: 3.1.12~ds-8
> Severity: normal
> Tags: patch
>
> I am using netatalk for time machine backups. After every session I see this
> line in /var/log/auth.log
>
> 2023-07-01T22:31:47.223949+02:00 my-server dbus-daemon[1538889]: [system] 
> Rejected send message, 2 matched rules; type="method_call", 
> sender=":1.153636" (uid=145 pid=2690475 comm="/usr/sbin/afpd -d -F 
> /etc/netatalk/afp.conf") interface="org.freedesktop.login1.Manager" 
> member="ReleaseSession" error name="(unset)" requested_reply="0" 
> destination="org.freedesktop.login1" (uid=0 pid=1538900 
> comm="/lib/systemd/systemd-logind")
>
> Today I finally found the solution at 
> https://bugs.launchpad.net/ubuntu/+source/netatalk/+bug/1538004
>
> It is simple really, in /etc/pam.d/netatalk replace this line:
>
> @include common-session
>
> with this line:
>
> @include common-session-noninteractive
>

Hi Richard,

Thanks for reporting and tracking down the fix.
Do I understand correctly that the fix is confirmed to resolve the
issue for you?

Now, /etc/pam.d/netatalk is obviously a generated file, so for a
persistent fix the file that needs to change is macros/pam-check.m4
I think this should ideally be fixed upstream, so if you have a moment
to spare it'd be helpful if you filed an issue ticket at
https://github.com/Netatalk/netatalk/issues

Best,
Daniel



Bug#1038421: Fix for CVE-2022-45188

2023-06-17 Thread Daniel Markstedt
Package: netatalk
Version: 3.1.15~ds-1
X-Debbugs-Cc: pkg-netatalk-de...@lists.alioth.debian.org

This bug is to record that the fix for CVE-2022-45188 has already been
included with netatalk 3.1.15~ds-1.

It is still flagged as unresolved for bookworm, which is not correct.

See https://github.com/Netatalk/netatalk/releases/tag/netatalk-3-1-15
for the changelog.



Bug#1036740: [Pkg-netatalk-devel] Bug#1036740: closed by Markus Koschany (Re: Bug#1036740: Fix for CVE-2022-23123 causes afpd segfault with valid metadata)

2023-06-04 Thread Daniel Markstedt
On Sat, Jun 3, 2023 at 11:07 PM Jonas Smedegaard  wrote:
>
> Quoting Salvatore Bonaccorso (2023-06-04 07:39:12)
> > Hi Daniel,
> >
> > On Sat, Jun 03, 2023 at 02:56:00PM -0700, Daniel Markstedt wrote:
> > > > -- Forwarded message --
> > > > From: Markus Koschany 
> > > > To: Daniel Markstedt , 1036740-d...@bugs.debian.org
> > > > Cc: debian-...@lists.debian.org
> > > > Bcc:
> > > > Date: Thu, 01 Jun 2023 19:54:55 +0200
> > > > Subject: Re: Bug#1036740: Fix for CVE-2022-23123 causes afpd segfault 
> > > > with valid metadata
> > > > Version:  3.1.12~ds-3+deb10u2
> > > >
> > > > Thanks for your report and the detailed replies. I could reproduce the 
> > > > problem
> > > > and identify a wrongly applied commit in libatalk/adouble/ad_open.c. 
> > > > After
> > > > applying a new patch to fix it, the AppleDouble v2 format seems to work 
> > > > as
> > > > intended again. I'm going to close this bug report now.
> > > >
> > > > Best,
> > > >
> > > > Markus
> > > >
> > >
> > > Thank you Markus for narrowing down the problem and fixing it!
> > > I can confirm that appledouble=v2 works in my environment now too.
> > >
> > > So this covers the outstanding CVEs for oldstable now;
> > > are you already preparing to port the same patchset to stable as well?
> > >
> > > I can file another bug report if it helps.
> >
> > No other reports needed, since all were reported. For the bookworm
> > release they would be fixed, for the current stable (bullseye) we
> > explicitly asked the maintainer through
> > https://bugs.debian.org/1025011#15 . So we are waiting for the
> > netatalk maintainers to propose an update here for bullseye-security.
>
> @Salvatore: In addition to being upstream developer, Daniel has also
> joined the Debian packaging team.
>

Salvatore, I left a comment over at that bug. It should be easy to
accomplish if I can learn how to contribute patches to security
releases.

> @Daniel: Debian issue tracker - debbugs - can be confusing from an
> upstream POV, due to it being distro-centric: Some issues are not about
> upstream code but "meta" about distro organization - e.g. bug#1025011
> which is not about netatalk but about *attention* for netatalk and
> therefore open despite netatalk itself having no bugs. Also, issues tied to
> upstream projects are tracked across multiple Debian releases, so can be
> both fixed and unfixed depending on release scope.
>
> What is double confusing here is that no bugreport exists in Debian for
> tracking CVE-2022-23123 - bug#1036740 filed by you is about collateral
> damage in fixing that CVE for oldstable, and bug#1025011 is about
> meta-discussion only indirectly involving that same CVE.
>
> All in all: Yes, please file a bugreport about CVE-2022-23123 - and then
> tag it as closed with package release 3.1.15~ds-1, which makes that
> bugreport "fixed" for the scope of Debian testing and unstable, but
> unfixed for the scope of Debian stable.
>
>
> Hope that helps.
>
>  - Jonas
>

Jonas, definitely a helpful summary, thanks!

However, I assume you mean CVE-2022-45188 for bookworm regarding
filing a bug to resolve an already resolved CVE?
This one was fixed with 3.1.15 but due to a typo in the commit message
was left as unresolved, if I'm not mistaken.

As far as I can tell, CVE-2022-23123 is already properly flagged as
resolved both for bookworm and sid.

Please let me know if there's something I overlooked here!

Best,
Daniel



Bug#1025011: [Pkg-netatalk-devel] Bug#1025011: fixed in netatalk 3.1.15~ds-1

2023-06-04 Thread Daniel Markstedt
On Wed, May 24, 2023 at 7:18 AM Moritz Mühlenhoff  wrote:
> [...]
> It's nice that there's renewed interest, but this involves also taking
> care of netatalk in stable, there's a range of issues (full list at
> https://security-tracker.debian.org/tracker/source-package/netatalk)
> which need to be backported to bullseye-security.
>
> I'm reopening the bug, it can be closed with the respective upload
> to bullseye-security.
>
> Cheers,
> Moritz
>

Since both buster and bullseye use the same base version of netatalk
(3.1.12) the work required here should be straight-forward: Simply
bring over the CVE patchset that was applied to buster-security.

A snippet from `apt source netatalk` on buster:
[...]
dpkg-source: info: applying CVE-2022-45188.patch
dpkg-source: info: applying CVE-2022-43634.patch
dpkg-source: info: applying CVE-2022-23125.patch
dpkg-source: info: applying CVE-2022-23121.patch
dpkg-source: info: applying CVE-2021-31439.patch
dpkg-source: info: applying CVE-2022-23123_part1.patch
dpkg-source: info: applying CVE-2022-23123_part2.patch
dpkg-source: info: applying CVE-2022-23123_part3.patch
dpkg-source: info: applying CVE-2022-23123_part4.patch
dpkg-source: info: applying CVE-2022-23123_part5.patch
dpkg-source: info: applying CVE-2022-23121_regression.patch

The only real difference between buster and bullseye netatalk 3.1.12
is that the latter has a few extra backported crashfixes etc. I had a
quick look and concluded that they shouldn't interfere with the CVE
patches.

I'd be happy to try to achieve the "upload to bullseye-security" if
you all can give me some pointers. This is all new to me.

Best regards,
Daniel



Bug#1036740: closed by Markus Koschany (Re: Bug#1036740: Fix for CVE-2022-23123 causes afpd segfault with valid metadata)

2023-06-03 Thread Daniel Markstedt
> -- Forwarded message --
> From: Markus Koschany 
> To: Daniel Markstedt , 1036740-d...@bugs.debian.org
> Cc: debian-...@lists.debian.org
> Bcc:
> Date: Thu, 01 Jun 2023 19:54:55 +0200
> Subject: Re: Bug#1036740: Fix for CVE-2022-23123 causes afpd segfault with 
> valid metadata
> Version:  3.1.12~ds-3+deb10u2
>
> Thanks for your report and the detailed replies. I could reproduce the problem
> and identify a wrongly applied commit in libatalk/adouble/ad_open.c. After
> applying a new patch to fix it, the AppleDouble v2 format seems to work as
> intended again. I'm going to close this bug report now.
>
> Best,
>
> Markus
>

Thank you Markus for narrowing down the problem and fixing it!
I can confirm that appledouble=v2 works in my environment now too.

So this covers the outstanding CVEs for oldstable now;
are you already preparing to port the same patchset to stable as well?

I can file another bug report if it helps.

Best,
Daniel



Bug#1036740: [Pkg-netatalk-devel] Bug#1036740: Bug#1036740: Fix for CVE-2022-23123 causes afpd segfault with valid metadata

2023-05-26 Thread Daniel Markstedt
On Fri, May 26, 2023 at 1:15 PM Markus Koschany  wrote:
>
> Could you tell me which exact commands were used, so that I can try to
> reproduce the problem?
>

Do you by any chance have access to a Mac of any vintage?
It could be a brand new machine running the latest macOS or a classic
Mac from the 90s running at least System Software 7.1.

The problem occurs when the AFP client attempts to create the Mac file
system metadata (aka resource forks on Classic Mac OS, or extended
attributes on OSX.)

Netatalk should be configured something like this:

dmark@buster:~$ cat /etc/netatalk/afp.conf
[Global]
zeroconf name = Buster
uam list = uams_clrtxt.so uams_dhx2.so

[Homes]
basedir regex = /home
appledouble = v2

After authenticating with the netatalk server on the Mac, attempt to
copy any file to the shared volume.
You should get an instant error -50 in Mac OS, and see the
aforementioned errors in the logs.



Bug#1036740: [Pkg-netatalk-devel] Bug#1036740: Fix for CVE-2022-23123 causes afpd segfault with valid metadata

2023-05-25 Thread Daniel Markstedt
On Thu, May 25, 2023 at 3:39 AM Markus Koschany  wrote:
>
> Hello Daniel,
>
> Am Donnerstag, dem 25.05.2023 um 08:02 +0200 schrieb Salvatore Bonaccorso:
> > >
> > > These two commits in upstream addressed this:
> > > https://github.com/Netatalk/netatalk/commit/9d0c21298363e8174cdfca657e66c4d10819507b
> > > https://github.com/Netatalk/netatalk/commit/4140e5495bac42ecb9b11975229c81e84762cc98
>
> Both patches have been backported to Buster. You can find them as CVE-2022-
> 23123_part3.patch and CVE-2022-23123_part4.patch.
>
> Did we miss something else?
>
> Regards,
>
> Markus

Salvatore, Markus,

Thank you very much for taking swift action on this!
Please forgive my ignorance here, but are these patches active already
if I apt install netatalk (3.1.12~ds-3+deb10u1) on Buster?
Or do they have to be picked up by some build process that hasn't run yet?

I'm asking because I ran a few tests now and while EA metadata works,
the appledouble v2 metadata functionality is definitely broken, even
when you create a new shared volume from scratch.

dmark@buster:~$ apt show netatalk
Package: netatalk
Version: 3.1.12~ds-3+deb10u1
...
May 25 18:51:08 buster afpd[7415]: ad->ad_ops->ad_header_read(path, ad, pst) failed: Input/output error
May 25 18:51:08 buster afpd[7415]: getfilparams(Screenshot 2023-05-23 at 10.36.39 AM.png): bad resource fork
May 25 18:51:08 buster afpd[7415]: parse_entries: bogus eid: 3, off: 182, len: 8
May 25 18:51:08 buster afpd[7415]: ad_header_read(/home/dmark/afp-data): malformed AppleDouble

So either more patches have to be cherry-picked or I need to be patient. :)
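As an added example that is not part of this thread, of netatalk, or of the Debian package: a small Python triage script that groups the afpd error lines quoted above by error class, afpd pid and affected path, so an admin can tell a burst of "malformed AppleDouble" / "bogus eid" failures against known-good files (the regression discussed here) apart from a single corrupt file. The sample log is constructed from the quoted messages (unwrapped) plus an invented cron line and a second-session line, and the multi-session heuristic is my own assumption, not a netatalk rule.

```python
"""Triage afpd syslog lines for AppleDouble metadata parse failures.

Added example (not netatalk or Debian code): groups the afpd error messages
quoted in the thread by error class, pid and path, so that header-parse
failures spread across several afpd sessions can be flagged as a likely
parser regression rather than one client's corrupt metadata.
"""
import re
from collections import Counter, defaultdict

# Constructed sample syslog excerpt: the four afpd lines quoted in the thread
# (unwrapped), one unrelated cron line as noise, and one invented line from a
# second afpd session (pid 7420).
SAMPLE_LOG = """\
May 25 18:51:08 buster afpd[7415]: ad->ad_ops->ad_header_read(path, ad, pst) failed: Input/output error
May 25 18:51:08 buster afpd[7415]: getfilparams(Screenshot 2023-05-23 at 10.36.39 AM.png): bad resource fork
May 25 18:51:08 buster afpd[7415]: parse_entries: bogus eid: 3, off: 182, len: 8
May 25 18:51:08 buster afpd[7415]: ad_header_read(/home/dmark/afp-data): malformed AppleDouble
May 25 18:52:01 buster cron[1234]: (root) CMD (run-parts /etc/cron.hourly)
May 25 18:52:30 buster afpd[7420]: parse_entries: bogus eid: 9, off: 50, len: 4
"""

# Traditional syslog layout: "Mon DD HH:MM:SS host prog[pid]: message".
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<prog>[^\[\s:]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)

# Message signatures taken from the afpd lines quoted in the thread.
SIGNATURES = [
    ("bogus_eid", re.compile(
        r"^parse_entries: bogus eid: (?P<eid>\d+), off: (?P<off>\d+), len: (?P<len>\d+)$")),
    ("malformed_appledouble", re.compile(
        r"^ad_header_read\((?P<path>.+)\): malformed AppleDouble$")),
    ("bad_resource_fork", re.compile(
        r"^getfilparams\((?P<path>.+)\): bad resource fork$")),
    ("header_read_failed", re.compile(
        r"^ad->ad_ops->ad_header_read\(path, ad, pst\) failed: (?P<errno>.+)$")),
]


def parse_afpd_line(line):
    """Return a dict describing a known afpd AppleDouble error, else None."""
    m = SYSLOG_RE.match(line)
    if not m or m.group("prog") != "afpd":
        return None
    for kind, sig in SIGNATURES:
        sm = sig.match(m.group("msg"))
        if sm:
            rec = {"ts": m.group("ts"), "pid": int(m.group("pid") or 0), "kind": kind}
            rec.update(sm.groupdict())
            return rec
    return None


def triage(log_text):
    """Summarise matches: counts per error kind, per afpd pid, and paths per kind."""
    by_kind, by_pid, paths = Counter(), Counter(), defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_afpd_line(line)
        if rec is None:
            continue
        by_kind[rec["kind"]] += 1
        by_pid[rec["pid"]] += 1
        if "path" in rec:
            paths[rec["kind"]].add(rec["path"])
    return {"by_kind": dict(by_kind), "by_pid": dict(by_pid),
            "paths": {k: sorted(v) for k, v in paths.items()}}


def looks_like_parser_regression(summary, min_sessions=2):
    """Heuristic (assumption, not a netatalk rule): header-parse failures seen
    from several afpd children (distinct pids) point at the parser rather
    than at a single client's corrupt file."""
    hits = (summary["by_kind"].get("malformed_appledouble", 0)
            + summary["by_kind"].get("bogus_eid", 0))
    return hits > 0 and len(summary["by_pid"]) >= min_sessions
```

Feed it `journalctl -u netatalk --no-pager` output or /var/log/syslog and compare the affected paths against files the client can still read normally.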



Bug#1036740: Fix for CVE-2022-23123 causes afpd segfault with valid metadata

2023-05-24 Thread Daniel Markstedt
Package: netatalk
Version: 3.1.12~ds-3+deb10u1
X-Debbugs-Cc: t...@security.debian.org

The code that addressed CVE-2022-23123 introduced appledouble metadata
validity assertions that were too strict and caused instant segfaults
with valid metadata for a large number of users.

These two commits in upstream addressed this:
https://github.com/Netatalk/netatalk/commit/9d0c21298363e8174cdfca657e66c4d10819507b
https://github.com/Netatalk/netatalk/commit/4140e5495bac42ecb9b11975229c81e84762cc98

For the full discussion see this PR:
https://github.com/Netatalk/netatalk/pull/174

I would recommend accepting these patches into oldstable, as well as
stable once the CVE patches get ported there too.



Bug#1032236: ITP: netatalk2 -- File server for Macintosh and Apple II clients

2023-03-01 Thread Daniel Markstedt
Package: wnpp
Severity: wishlist
Owner: Daniel Markstedt 
X-Debbugs-Cc: debian-de...@lists.debian.org, markst...@gmail.com

* Package name: netatalk2
  Version : 2.2.8
  Upstream Author : The Netatalk Team 
* URL : https://netatalk.sourceforge.io
* License : GPL 2.0
  Programming Lang: C
  Description : File server for Macintosh and Apple II clients

Netatalk 2 is a file server for Macintosh and Apple II clients which
implements the Apple Filing Protocol (AFP) with support for TCP (DSI)
and AppleTalk (DDP) networking layers.

It also supplies a PAP compliant printer server (papd), a time server
(timelord), and an Apple II netboot server (a2boot). In addition, a
suite of tools for classic Mac file formats, AppleTalk networking, and
PostScript printing is included.

Unlike Netatalk 3, it retains the AppleTalk network layer, which allows
it to serve as a bridge between older Mac and Apple II clients and
the latest macOS clients.

I intend to leverage the existing pkg-netatalk-devel team for
maintaining the package, including volunteering my own effort.