Bug#1060774: bullseye-pu: netatalk/3.1.12~ds-8+deb11u2
X-Debbugs-Cc: pkg-netatalk-de...@alioth-lists.debian.net

On Wednesday, February 21st, 2024 at 4:56 PM, Jonathan Wiltshire wrote:

> You should be targeting `bullseye` in the most recent changelog; with that
> fixed, please go ahead.
>
> Thanks,
>
> --
> Jonathan Wiltshire j...@debian.org
> Debian Developer http://people.debian.org/~jmw
>
> 4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC 74C3 5394 479D D352 4C51
> ed25519/0x196418AAEB74C8A1: CA619D65A72A7BADFC96D280196418AAEB74C8A1

Jonathan,

Thanks for reviewing the debdiff. Here is a rev2 version that targets bullseye in the latest changelog. Please confirm that this is what you meant. (It's the first time I go through this process, so I want to make sure I don't make obvious mistakes.) If it looks good, I will arrange for this to get uploaded.

Best,
Daniel

diff -Nru netatalk-3.1.12~ds/debian/changelog netatalk-3.1.12~ds/debian/changelog --- netatalk-3.1.12~ds/debian/changelog 2023-09-20 05:19:20.0 + +++ netatalk-3.1.12~ds/debian/changelog 2024-02-10 23:49:31.0 + @@ -1,3 +1,10 @@ +netatalk (3.1.12~ds-8+deb11u2) bullseye; urgency=high + + * Fix CVE-2022-22995. Harden create_appledesktop_folder. +closes: bug#1060773 + + -- Daniel Markstedt Sat, 10 Feb 2024 23:49:31 + + netatalk (3.1.12~ds-8+deb11u1) bullseye-security; urgency=high * Fix CVE-2021-31439, CVE-2022-0194, CVE-2022-23121, CVE-2022-23122, diff -Nru netatalk-3.1.12~ds/debian/patches/CVE-2022-22995.patch netatalk-3.1.12~ds/debian/patches/CVE-2022-22995.patch --- netatalk-3.1.12~ds/debian/patches/CVE-2022-22995.patch 1970-01-01 00:00:00.0 + +++ netatalk-3.1.12~ds/debian/patches/CVE-2022-22995.patch 2024-02-10 23:40:03.0 +
@@ -0,0 +1,63 @@ +Description: CVE-2022-22995 +Author: Daniel Markstedt +Origin: https://github.com/Netatalk/netatalk/commit/9eb6d9d0ac17dca210ccbf05476a925a6b379dfb.diff +--- +This patch header follows DEP-3: http://dep.debian.net/deps/dep3/ +--- a/etc/afpd/desktop.c b/etc/afpd/desktop.c +@@ -12,8 +12,10 @@ + #endif /* HAVE_CONFIG_H */ + + #include ++#include + #include + #include ++#include + + #include + +@@ -212,7 +214,6 @@ + { + bstring olddtpath = NULL, dtpath = NULL; + struct stat st; +-char *cmd_argv[4]; + + olddtpath = bfromcstr(vol->v_path); + bcatcstr(olddtpath, "/" APPLEDESKTOP); +@@ -220,27 +221,24 @@ + dtpath = bfromcstr(vol->v_dbpath); + bcatcstr(dtpath, "/" APPLEDESKTOP); + +-if (lstat(cfrombstr(dtpath), ) != 0) { +- +-become_root(); ++become_root(); + +-if (lstat(cfrombstr(olddtpath), ) == 0) { +-cmd_argv[0] = "mv"; +-cmd_argv[1] = bdata(olddtpath); +-cmd_argv[2] = bdata(dtpath); +-cmd_argv[3] = NULL; +-if (run_cmd("mv", cmd_argv) != 0) { +-LOG(log_error, logtype_afpd, "moving .AppleDesktop from \"%s\" to \"%s\" failed", ++if (lstat(cfrombstr(dtpath), ) != 0) { ++if ((lstat(cfrombstr(olddtpath), ) == 0) && (S_ISDIR(st.st_mode) != 0)) { ++ if (rename(bdata(olddtpath), bdata(dtpath)) != 0) { ++LOG(log_error, logtype_afpd, "moving .AppleDesktop from \"%s\" failed; creating new dir \"%s\"", + bdata(olddtpath), bdata(dtpath)); + mkdir(cfrombstr(dtpath), 0777); + } + } else { ++LOG(log_debug, logtype_afpd, "no valid .AppleDesktop dir found; creating new dir \"%s\"", ++bdata(dtpath)); + mkdir(cfrombstr(dtpath), 0777); + } +- +-unbecome_root(); + } + ++unbecome_root(); ++ + bdestroy(dtpath); + bdestroy(olddtpath); + } diff -Nru netatalk-3.1.12~ds/debian/patches/series netatalk-3.1.12~ds/debian/patches/series --- netatalk-3.1.12~ds/debian/patches/series2023-09-20 05:19:20.0 + +++ netatalk-3.1.12~ds/debian/patches/series2024-02-10 23:40:03.0 + 
@@ -28,3 +28,4 @@ CVE-2022-23121_regression.patch CVE-2022-23123_part6.patch CVE-2023-42464.patch +CVE-2022-22995.patch
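Review bot: the DEP-3 header at the top of CVE-2022-22995.patch is too thin to tell a later maintainer what was taken from where: `Description: CVE-2022-22995` says nothing about the change itself, and `Author: Daniel Markstedt` sits next to an `Origin:` that points at upstream commit 9eb6d9d0ac17dca210ccbf05476a925a6b379dfb. Per DEP-3, a patch lifted from upstream should carry `Origin: upstream, <url>` (or `backport, <url>` if it had to be adapted to the 3.1.12 tree), with Author naming the upstream commit author rather than the importer, or omitted when Origin already identifies it. A one-line Description (replace the spawned mv with rename() and only move olddtpath when it is a directory) plus `Bug-Debian: https://bugs.debian.org/1060773`, the bug the changelog entry closes, would round it out.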
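Review bot: in the @@ -220,27 +221,24 @@ hunk of desktop.c, become_root() moves from inside the existence test on dtpath to before it, so that lstat() now runs with root privileges on every call, including the common case where .AppleDesktop already exists and nothing is moved or created; the code being replaced only elevated once it had work to do. If the lstat() on vol->v_dbpath genuinely needs root, say so in the patch header; otherwise keep the become_root()/unbecome_root() pair inside the if block as before so the privileged region stays as small as possible. Inside that block, the S_ISDIR(st.st_mode) check and the rename(bdata(olddtpath), bdata(dtpath)) that follows it are separate system calls, so what gets moved is whatever is at olddtpath at rename() time, not the object lstat() inspected; rename() acts on a symlink itself rather than its target and no external mv process is spawned any more, but a short comment acknowledging that residual window would help the next reader. Two smaller things in the same hunk: the error LOG for a failed rename() drops errno (append strerror(errno) to the message), and mkdir(cfrombstr(dtpath), 0777) is still unchecked in both branches, so a failed create while running as root is silently ignored and the caller carries on without a desktop directory.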
Bug#1060774: bullseye-pu: netatalk/3.1.12~ds-8+deb11u2
Control: tag -1 confirmed

On Sun, Feb 11, 2024 at 12:29:09AM +, Daniel Markstedt wrote:
> Please find a debdiff attached here. Is this adequate for doing the security
> release?
>
> Thank you!
>
> Daniel
> diff -Nru netatalk-3.1.12~ds/debian/changelog > netatalk-3.1.12~ds/debian/changelog > --- netatalk-3.1.12~ds/debian/changelog 2023-09-20 05:19:20.0 > + > +++ netatalk-3.1.12~ds/debian/changelog 2024-02-10 23:49:31.0 > + > @@ -1,3 +1,10 @@ > +netatalk (3.1.12~ds-8+deb11u2) bullseye-security; urgency=high > + > + * Fix CVE-2022-22995. Harden create_appledesktop_folder. > +closes: bug#1060773 > + > + -- Daniel Markstedt Sat, 10 Feb 2024 23:49:31 + > +

You should be targeting `bullseye` in the most recent changelog; with that
fixed, please go ahead.

Thanks,

--
Jonathan Wiltshire j...@debian.org
Debian Developer http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC 74C3 5394 479D D352 4C51
ed25519/0x196418AAEB74C8A1: CA619D65A72A7BADFC96D280196418AAEB74C8A1
Processed: Re: Bug#1060774: bullseye-pu: netatalk/3.1.12~ds-8+deb11u2
Processing control commands: > tag -1 confirmed Bug #1060774 [release.debian.org] bullseye-pu: netatalk/3.1.12~ds-8+deb11u2 Added tag(s) confirmed. -- 1060774: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1060774 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Bug#1060774: bullseye-pu: netatalk/3.1.12~ds-8+deb11u2
Control: tags -1 - moreinfo

On Wednesday, February 7th, 2024 at 3:06 AM, Jonathan Wiltshire wrote:

> Hi,
>
> On Tue, Jan 16, 2024 at 08:30:52AM +, Daniel Markstedt wrote:
> > On Tue, Jan 16, 2024 at 02:53, Adam D. Barratt <a...@adam-barratt.org.uk> wrote:
> > > Control: tags -1 + moreinfo
> > >
> > > On Sun, 2024-01-14 at 06:23 +, Daniel Markstedt wrote:
> > > > CVE-2022-22995
> > > > Ref. advisory: https://netatalk.sourceforge.io/CVE-2022-22995.php
> > > >
> > > > The attached patch can be applied to Debian oldstable to address the
> > > > vulnerability.
> > >
> > > In order to approve an upload, we need to see a full source debdiff of
> > > the proposed new package, not just the isolated patch. Please remove
> > > the moreinfo tag when providing that.
> >
> > Adam, thanks for following up on this request.
> > I will work on a debdiff when I'm back home this coming weekend.
> > Right now I'm working offsite without access to a personal computer.
>
> Ping? It's now too late for 11.9 but your request can be considered for
> 11.10 if you send a debdiff.
>
> Thanks,
>
> --
> Jonathan Wiltshire j...@debian.org
> Debian Developer http://people.debian.org/~jmw
>
> 4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC 74C3 5394 479D D352 4C51
> ed25519/0x196418AAEB74C8A1: CA619D65A72A7BADFC96D280196418AAEB74C8A1

Jonathan,

Please find a debdiff attached here. Is this adequate for doing the security release?

Thank you!

Daniel

diff -Nru netatalk-3.1.12~ds/debian/changelog netatalk-3.1.12~ds/debian/changelog --- netatalk-3.1.12~ds/debian/changelog 2023-09-20 05:19:20.0 + +++ netatalk-3.1.12~ds/debian/changelog 2024-02-10 23:49:31.0 +
@@ -1,3 +1,10 @@ +netatalk (3.1.12~ds-8+deb11u2) bullseye-security; urgency=high + + * Fix CVE-2022-22995. Harden create_appledesktop_folder. +closes: bug#1060773 + + -- Daniel Markstedt Sat, 10 Feb 2024 23:49:31 + + netatalk (3.1.12~ds-8+deb11u1) bullseye-security; urgency=high * Fix CVE-2021-31439, CVE-2022-0194, CVE-2022-23121, CVE-2022-23122, diff -Nru netatalk-3.1.12~ds/debian/patches/CVE-2022-22995.patch netatalk-3.1.12~ds/debian/patches/CVE-2022-22995.patch --- netatalk-3.1.12~ds/debian/patches/CVE-2022-22995.patch 1970-01-01 00:00:00.0 + +++ netatalk-3.1.12~ds/debian/patches/CVE-2022-22995.patch 2024-02-10 23:40:03.0 + 
@@ -0,0 +1,63 @@ +Description: CVE-2022-22995 +Author: Daniel Markstedt +Origin: https://github.com/Netatalk/netatalk/commit/9eb6d9d0ac17dca210ccbf05476a925a6b379dfb.diff +--- +This patch header follows DEP-3: http://dep.debian.net/deps/dep3/ +--- a/etc/afpd/desktop.c b/etc/afpd/desktop.c +@@ -12,8 +12,10 @@ + #endif /* HAVE_CONFIG_H */ + + #include ++#include + #include + #include ++#include + + #include + +@@ -212,7 +214,6 @@ + { + bstring olddtpath = NULL, dtpath = NULL; + struct stat st; +-char *cmd_argv[4]; + + olddtpath = bfromcstr(vol->v_path); + bcatcstr(olddtpath, "/" APPLEDESKTOP); +@@ -220,27 +221,24 @@ + dtpath = bfromcstr(vol->v_dbpath); + bcatcstr(dtpath, "/" APPLEDESKTOP); + +-if (lstat(cfrombstr(dtpath), ) != 0) { +- +-become_root(); ++become_root(); + +-if (lstat(cfrombstr(olddtpath), ) == 0) { +-cmd_argv[0] = "mv"; +-cmd_argv[1] = bdata(olddtpath); +-cmd_argv[2] = bdata(dtpath); +-cmd_argv[3] = NULL; +-if (run_cmd("mv", cmd_argv) != 0) { +-LOG(log_error, logtype_afpd, "moving .AppleDesktop from \"%s\" to \"%s\" failed", ++if (lstat(cfrombstr(dtpath), ) != 0) { ++if ((lstat(cfrombstr(olddtpath), ) == 0) && (S_ISDIR(st.st_mode) != 0)) { ++ if (rename(bdata(olddtpath), bdata(dtpath)) != 0) { ++LOG(log_error, logtype_afpd, "moving .AppleDesktop from \"%s\" failed; creating new dir \"%s\"", + bdata(olddtpath), bdata(dtpath)); + mkdir(cfrombstr(dtpath), 0777); + } + } else { ++LOG(log_debug, logtype_afpd, "no valid .AppleDesktop dir found; creating new dir \"%s\"", ++bdata(dtpath)); + mkdir(cfrombstr(dtpath), 0777); + } +- +-unbecome_root(); + } + ++unbecome_root(); ++ + bdestroy(dtpath); + bdestroy(olddtpath); + } diff -Nru netatalk-3.1.12~ds/debian/patches/series netatalk-3.1.12~ds/debian/patches/series --- netatalk-3.1.12~ds/debian/patches/series2023-09-20 05:19:20.0 + +++ netatalk-3.1.12~ds/debian/patches/series2024-02-10 23:40:03.0 + 
@@ -28,3 +28,4 @@ CVE-2022-23121_regression.patch CVE-2022-23123_part6.patch CVE-2023-42464.patch +CVE-2022-22995.patch
Processed: Re: Bug#1060774: bullseye-pu: netatalk/3.1.12~ds-8+deb11u2
Processing control commands: > tags -1 - moreinfo Bug #1060774 [release.debian.org] bullseye-pu: netatalk/3.1.12~ds-8+deb11u2 Removed tag(s) moreinfo. -- 1060774: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1060774 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Bug#1060774: bullseye-pu: netatalk/3.1.12~ds-8+deb11u2
Hi,

On Tue, Jan 16, 2024 at 08:30:52AM +, Daniel Markstedt wrote:
> On Tue, Jan 16, 2024 at 02:53, Adam D. Barratt <a...@adam-barratt.org.uk> wrote:
> > Control: tags -1 + moreinfo
> >
> > On Sun, 2024-01-14 at 06:23 +, Daniel Markstedt wrote:
> > > CVE-2022-22995
> > > Ref. advisory: https://netatalk.sourceforge.io/CVE-2022-22995.php
> > >
> > > The attached patch can be applied to Debian oldstable to address the
> > > vulnerability.
> > >
> >
> > In order to approve an upload, we need to see a full source debdiff of
> > the proposed new package, not just the isolated patch. Please remove
> > the moreinfo tag when providing that.
>
> Adam, thanks for following up on this request.
> I will work on a debdiff when I'm back home this coming weekend.
> Right now I'm working offsite without access to a personal computer.

Ping? It's now too late for 11.9 but your request can be considered for 11.10 if you send a debdiff.

Thanks,

--
Jonathan Wiltshire j...@debian.org
Debian Developer http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC 74C3 5394 479D D352 4C51
ed25519/0x196418AAEB74C8A1: CA619D65A72A7BADFC96D280196418AAEB74C8A1
Processed: Re: Bug#1060774: bullseye-pu: netatalk/3.1.12~ds-8+deb11u2
Processing control commands: > tags -1 + moreinfo Bug #1060774 [release.debian.org] bullseye-pu: netatalk/3.1.12~ds-8+deb11u2 Added tag(s) moreinfo. -- 1060774: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1060774 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Bug#1060774: bullseye-pu: netatalk/3.1.12~ds-8+deb11u2
Control: tags -1 + moreinfo

On Sun, 2024-01-14 at 06:23 +, Daniel Markstedt wrote:
> CVE-2022-22995
> Ref. advisory: https://netatalk.sourceforge.io/CVE-2022-22995.php
>
> The attached patch can be applied to Debian oldstable to address the
> vulnerability.
>

In order to approve an upload, we need to see a full source debdiff of the proposed new package, not just the isolated patch. Please remove the moreinfo tag when providing that.

> I'm proposing an oldstable out-of-release-cycle upload: 3.1.12~ds-
> 8+deb11u2

I'm not entirely sure what you mean by an "out-of-release-cycle upload" here.

Regards,

Adam
Bug#1060774: bullseye-pu: netatalk/3.1.12~ds-8+deb11u2
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: jo...@jones.dk

Upstream netatalk has patched a CVE security vulnerability: CVE-2022-22995
Ref. advisory: https://netatalk.sourceforge.io/CVE-2022-22995.php

The attached patch can be applied to Debian oldstable to address the vulnerability.

I'm proposing an oldstable out-of-release-cycle upload: 3.1.12~ds-8+deb11u2

Sincerely,
Daniel Markstedt

From 3bf8b9032afcdbb5547abf420697a78c9d9b35a5 Mon Sep 17 00:00:00 2001 From: Daniel Markstedt Date: Sun, 14 Jan 2024 14:26:19 +0900 Subject: [PATCH] Netatalk CVE-2022-22995 patch --- debian/patches/CVE-2022-22995.patch | 63 + debian/patches/series | 1 + 2 files changed, 64 insertions(+) create mode 100644 debian/patches/CVE-2022-22995.patch diff --git a/debian/patches/CVE-2022-22995.patch b/debian/patches/CVE-2022-22995.patch new file mode 100644 index ..63101426 --- /dev/null +++ b/debian/patches/CVE-2022-22995.patch
@@ -0,0 +1,63 @@ +Description: CVE-2022-22995 +Author: Daniel Markstedt +Origin: https://github.com/Netatalk/netatalk/commit/9eb6d9d0ac17dca210ccbf05476a925a6b379dfb.diff +--- +This patch header follows DEP-3: http://dep.debian.net/deps/dep3/ +--- a/etc/afpd/desktop.c b/etc/afpd/desktop.c +@@ -12,8 +12,10 @@ + #endif /* HAVE_CONFIG_H */ + + #include ++#include + #include + #include ++#include + + #include + +@@ -212,7 +214,6 @@ + { + bstring olddtpath = NULL, dtpath = NULL; + struct stat st; +-char *cmd_argv[4]; + + olddtpath = bfromcstr(vol->v_path); + bcatcstr(olddtpath, "/" APPLEDESKTOP); +@@ -220,27 +221,24 @@ + dtpath = bfromcstr(vol->v_dbpath); + bcatcstr(dtpath, "/" APPLEDESKTOP); + +-if (lstat(cfrombstr(dtpath), ) != 0) { +- +-become_root(); ++become_root(); + +-if (lstat(cfrombstr(olddtpath), ) == 0) { +-cmd_argv[0] = "mv"; +-cmd_argv[1] = bdata(olddtpath); +-cmd_argv[2] = bdata(dtpath); +-cmd_argv[3] = NULL; +-if (run_cmd("mv", cmd_argv) != 0) { +-LOG(log_error, logtype_afpd, "moving .AppleDesktop from \"%s\" to \"%s\" failed", ++if (lstat(cfrombstr(dtpath), ) != 0) { ++if ((lstat(cfrombstr(olddtpath), ) == 0) && (S_ISDIR(st.st_mode) != 0)) { ++ if (rename(bdata(olddtpath), bdata(dtpath)) != 0) { ++LOG(log_error, logtype_afpd, "moving .AppleDesktop from \"%s\" failed; creating new dir \"%s\"", + bdata(olddtpath), bdata(dtpath)); + mkdir(cfrombstr(dtpath), 0777); + } + } else { ++LOG(log_debug, logtype_afpd, "no valid .AppleDesktop dir found; creating new dir \"%s\"", ++bdata(dtpath)); + mkdir(cfrombstr(dtpath), 0777); + } +- +-unbecome_root(); + } + ++unbecome_root(); ++ + bdestroy(dtpath); + bdestroy(olddtpath); + } diff --git a/debian/patches/series b/debian/patches/series index 3f69b779..70f4bce8 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -28,3 +28,4 @@ CVE-2022-23123_part5.patch CVE-2022-23121_regression.patch CVE-2022-23123_part6.patch CVE-2023-42464.patch +CVE-2022-22995.patch -- 2.39.2