[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#1060774: bullseye-pu: netatalk/3.1.12~ds-8+deb11u2

Control: tags -1 - moreinfo

On Wednesday, February 7th, 2024 at 3:06 AM, Jonathan Wiltshire <jmw@debian.org> wrote:

> 
> 
> Hi,
> 
> On Tue, Jan 16, 2024 at 08:30:52AM +0000, Daniel Markstedt wrote:
> 
> > 2024年1月16日 (火) 02:53, Adam D. Barratt <[adam@adam-barratt.org.uk](mailto:2024年1月16日; (火) 02:53, Adam D. Barratt <<a href=)> 送信:
> > 
> > > Control: tags -1 + moreinfo
> > > 
> > > On Sun, 2024-01-14 at 06:23 +0000, Daniel Markstedt wrote:
> > > 
> > > > CVE-2022-22995
> > > > Ref. advisory: https://netatalk.sourceforge.io/CVE-2022-22995.php
> > > > 
> > > > The attached patch can be applied to Debian oldstable to address the
> > > > vulnerability.
> > > 
> > > In order to approve an upload, we need to see a full source debdiff of
> > > the proposed new package, not just the isolated patch. Please remove
> > > the moreinfo tag when providing that.
> > 
> > Adam, thanks for following up on this request.
> > I will work on a debdiff when I’m back home this coming weekend.
> > Right now I’m working offsite without access to a personal computer.
> 
> 
> Ping? It's now too late for 11.9 but your request can be considered for
> 11.10 if you send a debdiff.
> 
> Thanks,
> 
> --
> Jonathan Wiltshire jmw@debian.org
> Debian Developer http://people.debian.org/~jmw
> 
> 4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC 74C3 5394 479D D352 4C51
> ed25519/0x196418AAEB74C8A1: CA619D65A72A7BADFC96D280196418AAEB74C8A1

Jonathan,

Please find a debdiff attached here. Is this adequate for doing the security release?

Thank you!

Daniel
diff -Nru netatalk-3.1.12~ds/debian/changelog netatalk-3.1.12~ds/debian/changelog
--- netatalk-3.1.12~ds/debian/changelog	2023-09-20 05:19:20.000000000 +0000
+++ netatalk-3.1.12~ds/debian/changelog	2024-02-10 23:49:31.000000000 +0000
@@ -1,3 +1,10 @@
+netatalk (3.1.12~ds-8+deb11u2) bullseye-security; urgency=high
+
+  * Fix CVE-2022-22995. Harden create_appledesktop_folder.
+    closes: bug#1060773
+
+ -- Daniel Markstedt <daniel@mindani.net>  Sat, 10 Feb 2024 23:49:31 +0000
+
 netatalk (3.1.12~ds-8+deb11u1) bullseye-security; urgency=high
 
   * Fix CVE-2021-31439, CVE-2022-0194, CVE-2022-23121, CVE-2022-23122,
diff -Nru netatalk-3.1.12~ds/debian/patches/CVE-2022-22995.patch netatalk-3.1.12~ds/debian/patches/CVE-2022-22995.patch
--- netatalk-3.1.12~ds/debian/patches/CVE-2022-22995.patch	1970-01-01 00:00:00.000000000 +0000
+++ netatalk-3.1.12~ds/debian/patches/CVE-2022-22995.patch	2024-02-10 23:40:03.000000000 +0000
@@ -0,0 +1,63 @@
+Description: CVE-2022-22995
+Author: Daniel Markstedt <daniel@mindani.net>
+Origin: https://github.com/Netatalk/netatalk/commit/9eb6d9d0ac17dca210ccbf05476a925a6b379dfb.diff
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+--- a/etc/afpd/desktop.c
++++ b/etc/afpd/desktop.c
+@@ -12,8 +12,10 @@
+ #endif /* HAVE_CONFIG_H */
+ 
+ #include <stdio.h>
++#include <stdlib.h>
+ #include <string.h>
+ #include <ctype.h>
++#include <sys/stat.h>
+ 
+ #include <errno.h>
+ 
+@@ -212,7 +214,6 @@
+ {
+     bstring olddtpath = NULL, dtpath = NULL;
+     struct stat st;
+-    char *cmd_argv[4];
+ 
+     olddtpath = bfromcstr(vol->v_path);
+     bcatcstr(olddtpath, "/" APPLEDESKTOP);
+@@ -220,27 +221,24 @@
+     dtpath = bfromcstr(vol->v_dbpath);
+     bcatcstr(dtpath, "/" APPLEDESKTOP);
+ 
+-    if (lstat(cfrombstr(dtpath), &st) != 0) {
+-
+-        become_root();
++    become_root();
+ 
+-        if (lstat(cfrombstr(olddtpath), &st) == 0) {
+-            cmd_argv[0] = "mv";
+-            cmd_argv[1] = bdata(olddtpath);
+-            cmd_argv[2] = bdata(dtpath);
+-            cmd_argv[3] = NULL;
+-            if (run_cmd("mv", cmd_argv) != 0) {
+-                LOG(log_error, logtype_afpd, "moving .AppleDesktop from \"%s\" to \"%s\" failed",
++    if (lstat(cfrombstr(dtpath), &st) != 0) {
++        if ((lstat(cfrombstr(olddtpath), &st) == 0) && (S_ISDIR(st.st_mode) != 0)) {
++	    if (rename(bdata(olddtpath), bdata(dtpath)) != 0) {
++                LOG(log_error, logtype_afpd, "moving .AppleDesktop from \"%s\" failed; creating new dir \"%s\"",
+                     bdata(olddtpath), bdata(dtpath));
+                 mkdir(cfrombstr(dtpath), 0777);
+             }
+         } else {
++            LOG(log_debug, logtype_afpd, "no valid .AppleDesktop dir found; creating new dir \"%s\"",
++                bdata(dtpath));
+             mkdir(cfrombstr(dtpath), 0777);
+         }
+-
+-        unbecome_root();
+     }
+ 
++    unbecome_root();
++
+     bdestroy(dtpath);
+     bdestroy(olddtpath);
+ }
diff -Nru netatalk-3.1.12~ds/debian/patches/series netatalk-3.1.12~ds/debian/patches/series
--- netatalk-3.1.12~ds/debian/patches/series	2023-09-20 05:19:20.000000000 +0000
+++ netatalk-3.1.12~ds/debian/patches/series	2024-02-10 23:40:03.000000000 +0000
@@ -28,3 +28,4 @@
 CVE-2022-23121_regression.patch
 CVE-2022-23123_part6.patch
 CVE-2023-42464.patch
+CVE-2022-22995.patch
Reply to: