Bug#1060774: bullseye-pu: netatalk/3.1.12~ds-8+deb11u2

2024-02-24 Thread Daniel Markstedt
X-Debbugs-Cc: pkg-netatalk-de...@alioth-lists.debian.net

On Wednesday, February 21st, 2024 at 4:56 PM, Jonathan Wiltshire wrote:
> 
> 
> You should be targetting `bullseye` in the most recent changelog; with that
> fixed, please go ahead.
> 
> Thanks,
> 
> --
> Jonathan Wiltshire j...@debian.org
> Debian Developer http://people.debian.org/~jmw
> 
> 4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC 74C3 5394 479D D352 4C51
> ed25519/0x196418AAEB74C8A1: CA619D65A72A7BADFC96D280196418AAEB74C8A1

Jonathan,

Thanks for reviewing the debdiff.

Here is a rev2 version that targets bullseye in the latest changelog. Please 
confirm that this is what you meant. (It's the first time I've gone through this 
process, so I want to make sure I don't make obvious mistakes.)

If it looks good, I will arrange for this to get uploaded.

Best,
Daniel

diff -Nru netatalk-3.1.12~ds/debian/changelog netatalk-3.1.12~ds/debian/changelog
--- netatalk-3.1.12~ds/debian/changelog 2023-09-20 05:19:20.0 +
+++ netatalk-3.1.12~ds/debian/changelog 2024-02-10 23:49:31.0 +
@@ -1,3 +1,10 @@
+netatalk (3.1.12~ds-8+deb11u2) bullseye; urgency=high
+
+  * Fix CVE-2022-22995. Harden create_appledesktop_folder.
+closes: bug#1060773
+
+ -- Daniel Markstedt   Sat, 10 Feb 2024 23:49:31 +
+
 netatalk (3.1.12~ds-8+deb11u1) bullseye-security; urgency=high
 
   * Fix CVE-2021-31439, CVE-2022-0194, CVE-2022-23121, CVE-2022-23122,
diff -Nru netatalk-3.1.12~ds/debian/patches/CVE-2022-22995.patch 
netatalk-3.1.12~ds/debian/patches/CVE-2022-22995.patch
--- netatalk-3.1.12~ds/debian/patches/CVE-2022-22995.patch  1970-01-01 
00:00:00.0 +
+++ netatalk-3.1.12~ds/debian/patches/CVE-2022-22995.patch  2024-02-10 
23:40:03.0 +
@@ -0,0 +1,63 @@
+Description: CVE-2022-22995
+Author: Daniel Markstedt 
+Origin: 
https://github.com/Netatalk/netatalk/commit/9eb6d9d0ac17dca210ccbf05476a925a6b379dfb.diff
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+--- a/etc/afpd/desktop.c
 b/etc/afpd/desktop.c
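Review bot: the DEP-3 header for the new patch file records the CVE id but not the fix: `Description:` is just `CVE-2022-22995`, there is no `Bug-Debian:` field even though the changelog closes bug#1060773, and `Origin:` gives the upstream commit URL without the optional `upstream,`/`backport,` keyword that tells the next maintainer whether the hunks below are verbatim. Suggest a one-line description of the change (move `.AppleDesktop` with `rename()` only when it is a real directory, instead of spawning `mv` as root), `Bug-Debian: https://bugs.debian.org/1060773`, and `Origin: backport, https://github.com/Netatalk/netatalk/commit/9eb6d9d0ac17dca210ccbf05476a925a6b379dfb` if the hunks were adjusted for 3.1.12, `upstream, ...` if they were not.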
+@@ -12,8 +12,10 @@
+ #endif /* HAVE_CONFIG_H */
+ 
+ #include 
++#include 
+ #include 
+ #include 
++#include 
+ 
+ #include 
+ 
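Review bot: the two added `#include` lines in this hunk carry no header name as rendered here (the existing includes show the same blank), so the hunk cannot be verified from the page alone. The following hunk introduces calls to `rename()` and `S_ISDIR()`, declared in `<stdio.h>` and `<sys/stat.h>`, so those are the headers to expect; check the patch file against the Origin commit before upload. Since the function already used `lstat()` and `struct stat`, `<sys/stat.h>` may already be reachable through an existing include, in which case the second addition is harmless but redundant.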
+@@ -212,7 +214,6 @@
+ {
+ bstring olddtpath = NULL, dtpath = NULL;
+ struct stat st;
+-char *cmd_argv[4];
+ 
+ olddtpath = bfromcstr(vol->v_path);
+ bcatcstr(olddtpath, "/" APPLEDESKTOP);
+@@ -220,27 +221,24 @@
+ dtpath = bfromcstr(vol->v_dbpath);
+ bcatcstr(dtpath, "/" APPLEDESKTOP);
+ 
+-if (lstat(cfrombstr(dtpath), ) != 0) {
+-
+-become_root();
++become_root();
+ 
+-if (lstat(cfrombstr(olddtpath), ) == 0) {
+-cmd_argv[0] = "mv";
+-cmd_argv[1] = bdata(olddtpath);
+-cmd_argv[2] = bdata(dtpath);
+-cmd_argv[3] = NULL;
+-if (run_cmd("mv", cmd_argv) != 0) {
+-LOG(log_error, logtype_afpd, "moving .AppleDesktop from 
\"%s\" to \"%s\" failed",
++if (lstat(cfrombstr(dtpath), ) != 0) {
++if ((lstat(cfrombstr(olddtpath), ) == 0) && (S_ISDIR(st.st_mode) 
!= 0)) {
++  if (rename(bdata(olddtpath), bdata(dtpath)) != 0) {
++LOG(log_error, logtype_afpd, "moving .AppleDesktop from 
\"%s\" failed; creating new dir \"%s\"",
+ bdata(olddtpath), bdata(dtpath));
+ mkdir(cfrombstr(dtpath), 0777);
+ }
+ } else {
++LOG(log_debug, logtype_afpd, "no valid .AppleDesktop dir found; 
creating new dir \"%s\"",
++bdata(dtpath));
+ mkdir(cfrombstr(dtpath), 0777);
+ }
+-
+-unbecome_root();
+ }
+ 
++unbecome_root();
++
+ bdestroy(dtpath);
+ bdestroy(olddtpath);
+ }
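Review bot: the `rename()` fallback in this hunk silently abandons the old desktop database when the move fails: `rename(2)` returns -1 with `EXDEV` whenever `vol->v_dbpath` is on a different filesystem from `vol->v_path`, a case the replaced `mv` handled by copying, and the error branch then creates an empty `dtpath` and carries on with the stale `olddtpath` left behind. Suggest appending `strerror(errno)` to that `LOG(log_error, ...)` so the operator can tell `EXDEV` from a permission problem, and mentioning the behaviour change in the changelog. Two further points: both `mkdir(cfrombstr(dtpath), 0777);` calls run inside the `become_root()`/`unbecome_root()` window, which this hunk widens to cover the first `lstat()` as well, and neither return value is checked, so a failed directory creation is never logged (pre-existing, but this patch is the natural place to add the check); and `if (rename(bdata(olddtpath), bdata(dtpath)) != 0) {` is indented with a tab where the surrounding lines use spaces. The `lstat(..., )` calls as displayed are missing their second argument; given `struct stat st;` in the previous hunk and `st.st_mode` in the new guard, that is `&st` lost in the page rendering, not in the patch. The guard itself is the right shape: `lstat()` plus `S_ISDIR()` means a symlink or other non-directory planted at the volume's `.AppleDesktop` is no longer moved by a root-privileged external `mv`.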
diff -Nru netatalk-3.1.12~ds/debian/patches/series 
netatalk-3.1.12~ds/debian/patches/series
--- netatalk-3.1.12~ds/debian/patches/series2023-09-20 05:19:20.0 
+
+++ netatalk-3.1.12~ds/debian/patches/series2024-02-10 23:40:03.0 
+
@@ -28,3 +28,4 @@
 CVE-2022-23121_regression.patch
 CVE-2022-23123_part6.patch
 CVE-2023-42464.patch
+CVE-2022-22995.patch

Bug#1060774: bullseye-pu: netatalk/3.1.12~ds-8+deb11u2

2024-02-21 Thread Jonathan Wiltshire
Control: tag -1 confirmed

On Sun, Feb 11, 2024 at 12:29:09AM +, Daniel Markstedt wrote:
> Please find a debdiff attached here. Is this adequate for doing the security 
> release?
> 
> Thank you!
> 
> Daniel

> diff -Nru netatalk-3.1.12~ds/debian/changelog 
> netatalk-3.1.12~ds/debian/changelog
> --- netatalk-3.1.12~ds/debian/changelog   2023-09-20 05:19:20.0 
> +
> +++ netatalk-3.1.12~ds/debian/changelog   2024-02-10 23:49:31.0 
> +
> @@ -1,3 +1,10 @@
> +netatalk (3.1.12~ds-8+deb11u2) bullseye-security; urgency=high
> +
> +  * Fix CVE-2022-22995. Harden create_appledesktop_folder.
> +closes: bug#1060773
> +
> + -- Daniel Markstedt   Sat, 10 Feb 2024 23:49:31 +
> +

You should be targetting `bullseye` in the most recent changelog; with that
fixed, please go ahead.

Thanks,

-- 
Jonathan Wiltshire  j...@debian.org
Debian Developer http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC  74C3 5394 479D D352 4C51
ed25519/0x196418AAEB74C8A1: CA619D65A72A7BADFC96D280196418AAEB74C8A1



Processed: Re: Bug#1060774: bullseye-pu: netatalk/3.1.12~ds-8+deb11u2

2024-02-21 Thread Debian Bug Tracking System
Processing control commands:

> tag -1 confirmed
Bug #1060774 [release.debian.org] bullseye-pu: netatalk/3.1.12~ds-8+deb11u2
Added tag(s) confirmed.

-- 
1060774: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1060774
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#1060774: bullseye-pu: netatalk/3.1.12~ds-8+deb11u2

2024-02-10 Thread Daniel Markstedt
Control: tags -1 - moreinfo

On Wednesday, February 7th, 2024 at 3:06 AM, Jonathan Wiltshire wrote:

> 
> 
> Hi,
> 
> On Tue, Jan 16, 2024 at 08:30:52AM +, Daniel Markstedt wrote:
> 
> > On Tue, Jan 16, 2024 at 02:53, Adam D. Barratt <a...@adam-barratt.org.uk> wrote:
> > 
> > > Control: tags -1 + moreinfo
> > > 
> > > On Sun, 2024-01-14 at 06:23 +, Daniel Markstedt wrote:
> > > 
> > > > CVE-2022-22995
> > > > Ref. advisory: https://netatalk.sourceforge.io/CVE-2022-22995.php
> > > > 
> > > > The attached patch can be applied to Debian oldstable to address the
> > > > vulnerability.
> > > 
> > > In order to approve an upload, we need to see a full source debdiff of
> > > the proposed new package, not just the isolated patch. Please remove
> > > the moreinfo tag when providing that.
> > 
> > Adam, thanks for following up on this request.
> > I will work on a debdiff when I’m back home this coming weekend.
> > Right now I’m working offsite without access to a personal computer.
> 
> 
> Ping? It's now too late for 11.9 but your request can be considered for
> 11.10 if you send a debdiff.
> 
> Thanks,
> 
> --
> Jonathan Wiltshire j...@debian.org
> Debian Developer http://people.debian.org/~jmw
> 
> 4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC 74C3 5394 479D D352 4C51
> ed25519/0x196418AAEB74C8A1: CA619D65A72A7BADFC96D280196418AAEB74C8A1

Jonathan,

Please find a debdiff attached here. Is this adequate for doing the security 
release?

Thank you!

Daniel

diff -Nru netatalk-3.1.12~ds/debian/changelog netatalk-3.1.12~ds/debian/changelog
--- netatalk-3.1.12~ds/debian/changelog 2023-09-20 05:19:20.0 +
+++ netatalk-3.1.12~ds/debian/changelog 2024-02-10 23:49:31.0 +
@@ -1,3 +1,10 @@
+netatalk (3.1.12~ds-8+deb11u2) bullseye-security; urgency=high
+
+  * Fix CVE-2022-22995. Harden create_appledesktop_folder.
+closes: bug#1060773
+
+ -- Daniel Markstedt   Sat, 10 Feb 2024 23:49:31 +
+
 netatalk (3.1.12~ds-8+deb11u1) bullseye-security; urgency=high
 
   * Fix CVE-2021-31439, CVE-2022-0194, CVE-2022-23121, CVE-2022-23122,
diff -Nru netatalk-3.1.12~ds/debian/patches/CVE-2022-22995.patch 
netatalk-3.1.12~ds/debian/patches/CVE-2022-22995.patch
--- netatalk-3.1.12~ds/debian/patches/CVE-2022-22995.patch  1970-01-01 
00:00:00.0 +
+++ netatalk-3.1.12~ds/debian/patches/CVE-2022-22995.patch  2024-02-10 
23:40:03.0 +
@@ -0,0 +1,63 @@
+Description: CVE-2022-22995
+Author: Daniel Markstedt 
+Origin: 
https://github.com/Netatalk/netatalk/commit/9eb6d9d0ac17dca210ccbf05476a925a6b379dfb.diff
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+--- a/etc/afpd/desktop.c
 b/etc/afpd/desktop.c
+@@ -12,8 +12,10 @@
+ #endif /* HAVE_CONFIG_H */
+ 
+ #include 
++#include 
+ #include 
+ #include 
++#include 
+ 
+ #include 
+ 
+@@ -212,7 +214,6 @@
+ {
+ bstring olddtpath = NULL, dtpath = NULL;
+ struct stat st;
+-char *cmd_argv[4];
+ 
+ olddtpath = bfromcstr(vol->v_path);
+ bcatcstr(olddtpath, "/" APPLEDESKTOP);
+@@ -220,27 +221,24 @@
+ dtpath = bfromcstr(vol->v_dbpath);
+ bcatcstr(dtpath, "/" APPLEDESKTOP);
+ 
+-if (lstat(cfrombstr(dtpath), ) != 0) {
+-
+-become_root();
++become_root();
+ 
+-if (lstat(cfrombstr(olddtpath), ) == 0) {
+-cmd_argv[0] = "mv";
+-cmd_argv[1] = bdata(olddtpath);
+-cmd_argv[2] = bdata(dtpath);
+-cmd_argv[3] = NULL;
+-if (run_cmd("mv", cmd_argv) != 0) {
+-LOG(log_error, logtype_afpd, "moving .AppleDesktop from 
\"%s\" to \"%s\" failed",
++if (lstat(cfrombstr(dtpath), ) != 0) {
++if ((lstat(cfrombstr(olddtpath), ) == 0) && (S_ISDIR(st.st_mode) 
!= 0)) {
++  if (rename(bdata(olddtpath), bdata(dtpath)) != 0) {
++LOG(log_error, logtype_afpd, "moving .AppleDesktop from 
\"%s\" failed; creating new dir \"%s\"",
+ bdata(olddtpath), bdata(dtpath));
+ mkdir(cfrombstr(dtpath), 0777);
+ }
+ } else {
++LOG(log_debug, logtype_afpd, "no valid .AppleDesktop dir found; 
creating new dir \"%s\"",
++bdata(dtpath));
+ mkdir(cfrombstr(dtpath), 0777);
+ }
+-
+-unbecome_root();
+ }
+ 
++unbecome_root();
++
+ bdestroy(dtpath);
+ bdestroy(olddtpath);
+ }
diff -Nru netatalk-3.1.12~ds/debian/patches/series 
netatalk-3.1.12~ds/debian/patches/series
--- netatalk-3.1.12~ds/debian/patches/series2023-09-20 05:19:20.0 
+
+++ netatalk-3.1.12~ds/debian/patches/series2024-02-10 23:40:03.0 
+
@@ -28,3 +28,4 @@
 CVE-2022-23121_regression.patch
 CVE-2022-23123_part6.patch
 CVE-2023-42464.patch
+CVE-2022-22995.patch

Processed: Re: Bug#1060774: bullseye-pu: netatalk/3.1.12~ds-8+deb11u2

2024-02-10 Thread Debian Bug Tracking System
Processing control commands:

> tags -1 - moreinfo
Bug #1060774 [release.debian.org] bullseye-pu: netatalk/3.1.12~ds-8+deb11u2
Removed tag(s) moreinfo.

-- 
1060774: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1060774
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#1060774: bullseye-pu: netatalk/3.1.12~ds-8+deb11u2

2024-02-06 Thread Jonathan Wiltshire
Hi,

On Tue, Jan 16, 2024 at 08:30:52AM +, Daniel Markstedt wrote:
> On Tue, Jan 16, 2024 at 02:53, Adam D. Barratt <a...@adam-barratt.org.uk> wrote:
> 
> > Control: tags -1 + moreinfo
> >
> > On Sun, 2024-01-14 at 06:23 +, Daniel Markstedt wrote:
> >> CVE-2022-22995
> >> Ref. advisory: https://netatalk.sourceforge.io/CVE-2022-22995.php
> >>
> >> The attached patch can be applied to Debian oldstable to address the
> >> vulnerability.
> >>
> >
> > In order to approve an upload, we need to see a full source debdiff of
> > the proposed new package, not just the isolated patch. Please remove
> > the moreinfo tag when providing that.
> 
> Adam, thanks for following up on this request.
> I will work on a debdiff when I’m back home this coming weekend.
> Right now I’m working offsite without access to a personal computer.

Ping? It's now too late for 11.9 but your request can be considered for
11.10 if you send a debdiff.

Thanks,

-- 
Jonathan Wiltshire  j...@debian.org
Debian Developer http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC  74C3 5394 479D D352 4C51
ed25519/0x196418AAEB74C8A1: CA619D65A72A7BADFC96D280196418AAEB74C8A1



Processed: Re: Bug#1060774: bullseye-pu: netatalk/3.1.12~ds-8+deb11u2

2024-01-15 Thread Debian Bug Tracking System
Processing control commands:

> tags -1 + moreinfo
Bug #1060774 [release.debian.org] bullseye-pu: netatalk/3.1.12~ds-8+deb11u2
Added tag(s) moreinfo.

-- 
1060774: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1060774
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#1060774: bullseye-pu: netatalk/3.1.12~ds-8+deb11u2

2024-01-15 Thread Adam D. Barratt
Control: tags -1 + moreinfo

On Sun, 2024-01-14 at 06:23 +, Daniel Markstedt wrote:
> CVE-2022-22995
> Ref. advisory: https://netatalk.sourceforge.io/CVE-2022-22995.php
> 
> The attached patch can be applied to Debian oldstable to address the
> vulnerability.
> 

In order to approve an upload, we need to see a full source debdiff of
the proposed new package, not just the isolated patch. Please remove
the moreinfo tag when providing that.

> I'm proposing an oldstable out-of-release-cycle upload: 3.1.12~ds-8+deb11u2

I'm not entirely sure what you mean by an "out-of-release-cycle upload"
here.

Regards,

Adam



Bug#1060774: bullseye-pu: netatalk/3.1.12~ds-8+deb11u2

2024-01-13 Thread Daniel Markstedt
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: jo...@jones.dk

Upstream netatalk has patched a security vulnerability, CVE-2022-22995.
Ref. advisory: https://netatalk.sourceforge.io/CVE-2022-22995.php

The attached patch can be applied to Debian oldstable to address the vulnerability.
I'm proposing an oldstable out-of-release-cycle upload: 3.1.12~ds-8+deb11u2

Sincerely,
Daniel Markstedt

From 3bf8b9032afcdbb5547abf420697a78c9d9b35a5 Mon Sep 17 00:00:00 2001
From: Daniel Markstedt 
Date: Sun, 14 Jan 2024 14:26:19 +0900
Subject: [PATCH] Netatalk CVE-2022-22995 patch

---
 debian/patches/CVE-2022-22995.patch | 63 +
 debian/patches/series   |  1 +
 2 files changed, 64 insertions(+)
 create mode 100644 debian/patches/CVE-2022-22995.patch

diff --git a/debian/patches/CVE-2022-22995.patch b/debian/patches/CVE-2022-22995.patch
new file mode 100644
index ..63101426
--- /dev/null
+++ b/debian/patches/CVE-2022-22995.patch
@@ -0,0 +1,63 @@
+Description: CVE-2022-22995
+Author: Daniel Markstedt 
+Origin: https://github.com/Netatalk/netatalk/commit/9eb6d9d0ac17dca210ccbf05476a925a6b379dfb.diff
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+--- a/etc/afpd/desktop.c
 b/etc/afpd/desktop.c
+@@ -12,8 +12,10 @@
+ #endif /* HAVE_CONFIG_H */
+ 
+ #include 
++#include 
+ #include 
+ #include 
++#include 
+ 
+ #include 
+ 
+@@ -212,7 +214,6 @@
+ {
+ bstring olddtpath = NULL, dtpath = NULL;
+ struct stat st;
+-char *cmd_argv[4];
+ 
+ olddtpath = bfromcstr(vol->v_path);
+ bcatcstr(olddtpath, "/" APPLEDESKTOP);
+@@ -220,27 +221,24 @@
+ dtpath = bfromcstr(vol->v_dbpath);
+ bcatcstr(dtpath, "/" APPLEDESKTOP);
+ 
+-if (lstat(cfrombstr(dtpath), ) != 0) {
+-
+-become_root();
++become_root();
+ 
+-if (lstat(cfrombstr(olddtpath), ) == 0) {
+-cmd_argv[0] = "mv";
+-cmd_argv[1] = bdata(olddtpath);
+-cmd_argv[2] = bdata(dtpath);
+-cmd_argv[3] = NULL;
+-if (run_cmd("mv", cmd_argv) != 0) {
+-LOG(log_error, logtype_afpd, "moving .AppleDesktop from \"%s\" to \"%s\" failed",
++if (lstat(cfrombstr(dtpath), ) != 0) {
++if ((lstat(cfrombstr(olddtpath), ) == 0) && (S_ISDIR(st.st_mode) != 0)) {
++	if (rename(bdata(olddtpath), bdata(dtpath)) != 0) {
++LOG(log_error, logtype_afpd, "moving .AppleDesktop from \"%s\" failed; creating new dir \"%s\"",
+ bdata(olddtpath), bdata(dtpath));
+ mkdir(cfrombstr(dtpath), 0777);
+ }
+ } else {
++LOG(log_debug, logtype_afpd, "no valid .AppleDesktop dir found; creating new dir \"%s\"",
++bdata(dtpath));
+ mkdir(cfrombstr(dtpath), 0777);
+ }
+-
+-unbecome_root();
+ }
+ 
++unbecome_root();
++
+ bdestroy(dtpath);
+ bdestroy(olddtpath);
+ }
diff --git a/debian/patches/series b/debian/patches/series
index 3f69b779..70f4bce8 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -28,3 +28,4 @@ CVE-2022-23123_part5.patch
 CVE-2022-23121_regression.patch
 CVE-2022-23123_part6.patch
 CVE-2023-42464.patch
+CVE-2022-22995.patch
-- 
2.39.2