Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian....@packages.debian.org
Usertags: pu
X-Debbugs-Cc: jo...@jones.dk

Upstream netatalk has patched a security vulnerability, CVE-2022-22995.
Ref. advisory: https://netatalk.sourceforge.io/CVE-2022-22995.php

The attached patch can be applied to Debian oldstable to address the 
vulnerability.
I'm proposing an oldstable out-of-release-cycle upload: 3.1.12~ds-8+deb11u2

Sincerely,
Daniel Markstedt
From 3bf8b9032afcdbb5547abf420697a78c9d9b35a5 Mon Sep 17 00:00:00 2001
From: Daniel Markstedt <dan...@mindani.net>
Date: Sun, 14 Jan 2024 14:26:19 +0900
Subject: [PATCH] Netatalk CVE-2022-22995 patch

---
 debian/patches/CVE-2022-22995.patch | 63 +++++++++++++++++++++++++++++
 debian/patches/series               |  1 +
 2 files changed, 64 insertions(+)
 create mode 100644 debian/patches/CVE-2022-22995.patch

diff --git a/debian/patches/CVE-2022-22995.patch b/debian/patches/CVE-2022-22995.patch
new file mode 100644
index 00000000..63101426
--- /dev/null
+++ b/debian/patches/CVE-2022-22995.patch
@@ -0,0 +1,63 @@
+Description: CVE-2022-22995
+Author: Daniel Markstedt <dan...@mindani.net>
+Origin: https://github.com/Netatalk/netatalk/commit/9eb6d9d0ac17dca210ccbf05476a925a6b379dfb.diff
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+--- a/etc/afpd/desktop.c
++++ b/etc/afpd/desktop.c
+@@ -12,8 +12,10 @@
+ #endif /* HAVE_CONFIG_H */
+ 
+ #include <stdio.h>
++#include <stdlib.h>
+ #include <string.h>
+ #include <ctype.h>
++#include <sys/stat.h>
+ 
+ #include <errno.h>
+ 
+@@ -212,7 +214,6 @@
+ {
+     bstring olddtpath = NULL, dtpath = NULL;
+     struct stat st;
+-    char *cmd_argv[4];
+ 
+     olddtpath = bfromcstr(vol->v_path);
+     bcatcstr(olddtpath, "/" APPLEDESKTOP);
+@@ -220,27 +221,24 @@
+     dtpath = bfromcstr(vol->v_dbpath);
+     bcatcstr(dtpath, "/" APPLEDESKTOP);
+ 
+-    if (lstat(cfrombstr(dtpath), &st) != 0) {
+-
+-        become_root();
++    become_root();
+ 
+-        if (lstat(cfrombstr(olddtpath), &st) == 0) {
+-            cmd_argv[0] = "mv";
+-            cmd_argv[1] = bdata(olddtpath);
+-            cmd_argv[2] = bdata(dtpath);
+-            cmd_argv[3] = NULL;
+-            if (run_cmd("mv", cmd_argv) != 0) {
+-                LOG(log_error, logtype_afpd, "moving .AppleDesktop from \"%s\" to \"%s\" failed",
++    if (lstat(cfrombstr(dtpath), &st) != 0) {
++        if ((lstat(cfrombstr(olddtpath), &st) == 0) && (S_ISDIR(st.st_mode) != 0)) {
++	    if (rename(bdata(olddtpath), bdata(dtpath)) != 0) {
++                LOG(log_error, logtype_afpd, "moving .AppleDesktop from \"%s\" failed; creating new dir \"%s\"",
+                     bdata(olddtpath), bdata(dtpath));
+                 mkdir(cfrombstr(dtpath), 0777);
+             }
+         } else {
++            LOG(log_debug, logtype_afpd, "no valid .AppleDesktop dir found; creating new dir \"%s\"",
++                bdata(dtpath));
+             mkdir(cfrombstr(dtpath), 0777);
+         }
+-
+-        unbecome_root();
+     }
+ 
++    unbecome_root();
++
+     bdestroy(dtpath);
+     bdestroy(olddtpath);
+ }
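Review bot: The rename() failure branch in the new code drops errno and then calls mkdir() without checking its result, so when the move fails (EXDEV if vol->v_path and vol->v_dbpath are on different filesystems is plausible here, since the whole point is relocating .AppleDesktop between those two roots, but EPERM/ENOTDIR are equally possible) the log cannot say why and a failed mkdir leaves no trace at all. errno.h and string.h are already included in this file, so the message can carry the reason: `LOG(log_error, logtype_afpd, "moving .AppleDesktop from \"%s\" failed: %s; creating new dir \"%s\"", bdata(olddtpath), strerror(errno), bdata(dtpath));` and the two mkdir calls can become `if (mkdir(cfrombstr(dtpath), 0777) != 0) LOG(log_error, logtype_afpd, "mkdir \"%s\" failed: %s", bdata(dtpath), strerror(errno));`. Separately, the added `if (rename(...)` line is indented with a tab while the surrounding block uses spaces. Note also that become_root() is now entered before the lstat() of dtpath rather than only when it is missing, which widens the privileged window; if that is intended (dtpath may only be accessible as root), a one-line comment saying so would help the next backporter. The enclosing function's signature is outside this hunk.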
diff --git a/debian/patches/series b/debian/patches/series
index 3f69b779..70f4bce8 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -28,3 +28,4 @@ CVE-2022-23123_part5.patch
 CVE-2022-23121_regression.patch
 CVE-2022-23123_part6.patch
 CVE-2023-42464.patch
+CVE-2022-22995.patch
-- 
2.39.2
