Package: release.debian.org
Severity: important
Tags: trixie
User: release.debian.org@packages.debian.org
Usertags: pu
X-Debbugs-Cc: pkg-netatalk-devel@alioth-lists.debian.net

Hi release team,

I am proposing a trixie package update for netatalk. This is for fixing https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1111652

At least two users are blocked from using the trixie netatalk package, and many more are likely affected because authentication through ActiveDirectory or any centralized identity management using PAM is broken.

Attaching a debdiff that can be applied to netatalk/4.2.3~ds-1

diff --git a/debian/changelog b/debian/changelog index e22bd2216..5a343dbe7 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,12 @@ +netatalk (4.2.3~ds-1+deb13u1) trixie; urgency=high + + [ Daniel Markstedt ] + * add patch that fixes critical bug in uam module; + closes: bug#1111652, thanks to Stefan van Lieshout and + Hector Rulot + + -- Daniel Markstedt <daniel@mindani.net> Sun, 05 Oct 2025 21:11:55 +0000 + netatalk (4.2.3~ds-1) unstable; urgency=medium [ upstream ] diff --git a/debian/patches/001_uams_non_reentrant.patch b/debian/patches/001_uams_non_reentrant.patch new file mode 100644 index 000000000..b64c01704 --- /dev/null +++ b/debian/patches/001_uams_non_reentrant.patch 
@@ -0,0 +1,74 @@ +Description: Revert to non-reentrant getpwnam() in the uam module + Since afpd isn't a threading application, + there is no pressing need to use the reentrant-safe way + to fetch the passwd entry in uam_getname(). + The reverted solution had flaws + that led to a critical failure + when attempting to authenticate + in a complex ActiveDirectory environment. +Author: Daniel Markstedt <daniel@mindani.net> +Bug: https://github.com/Netatalk/netatalk/issues/2402 +Last-Update: 2025-09-05 +--- +This patch header follows DEP-3: http://dep.debian.net/deps/dep3/ +--- a/etc/afpd/uam.c ++++ b/etc/afpd/uam.c +@@ -193,7 +193,6 @@ + { + AFPObj *obj = private; + struct passwd *pwent = NULL; +- struct passwd pwent_buf; + static char username[256]; + static char user[256]; + static char pwname[256]; +@@ -201,23 +200,13 @@ + size_t namelen; + size_t gecoslen = 0; + size_t pwnamelen = 0; +- +- long bufsize = sysconf(_SC_GETPW_R_SIZE_MAX); +- if (bufsize == -1) { +- bufsize = 16384; +- } +- char *buffer = malloc(bufsize); +- if (buffer == NULL) { +- free(buffer); +- return NULL; +- } +- + #ifdef HAVE_GETPWNAM_SHADOW +- if (pwent = getpwnam_shadow(name)) { ++ pwent = getpwnam_shadow(name); + #else +- if (getpwnam_r(name, &pwent_buf, buffer, sizeof(buffer), &pwent) == 0 && pwent != NULL) { +- free(buffer); ++ pwent = getpwnam(name); + #endif ++ ++ if (pwent) { + return pwent; + } + +@@ -231,7 +220,7 @@ + + if (bdata(princ) != NULL) { + const char *bdatum = bdata(princ); +- getpwnam_r(bdatum, &pwent_buf, buffer, sizeof(buffer), &pwent); ++ pwent = getpwnam(bdatum); + } + bdestroy(princ); + +@@ -242,13 +231,10 @@ + } else { + LOG(log_error, logtype_uams, "The name '%s' is longer than %d", pwent->pw_name, MAXUSERLEN); + } +- free(buffer); + return pwent; + } + } + +- free(buffer); +- + namelen = convert_string((utf8_encoding(obj))?CH_UTF8_MAC:obj->options.maccharset, + CH_UCS2, name, -1, username, sizeof(username)); + if (namelen == -1) 
diff --git a/debian/patches/series b/debian/patches/series index cb6afea6c..5e10942dd 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -1 +1,2 @@ +001_uams_non_reentrant.patch 202_privacy.patch
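
Review bot: The changelog entry in the debian/changelog hunk says only "fixes critical bug in uam module", which does not tell someone reading the stable update what actually breaks. Name the symptom given in the request (authentication through PAM-backed centralized identity management such as ActiveDirectory fails) and the patch file, 001_uams_non_reentrant.patch, so the entry can be understood without opening the bug.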
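
Review bot: The DEP-3 Description at the top of 001_uams_non_reentrant.patch says the reverted solution "had flaws" without naming them, although the removed lines show them. Both getpwnam_r() calls pass sizeof(buffer), which is the size of a char * pointer, instead of bufsize as the buffer length, and the function calls free(buffer) before "return pwent;" even though pwent then points at the local pwent_buf and its string fields point into the freed buffer. Stating these in the header would let a reviewer confirm that the revert removes the cause and not just the symptom.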
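
Review bot: In the etc/afpd/uam.c hunk at @@ -201,23 +200,13 @@, "pwent = getpwnam(name);" followed by "if (pwent) {" treats a failed lookup the same as an unknown user, because getpwnam() returns NULL in both cases and only errno distinguishes them. Consider setting errno to 0 before the call and emitting a LOG(log_error, logtype_uams, ...) message when the result is NULL and errno is nonzero, so a failing NSS backend shows up in the afpd log; the same applies to "pwent = getpwnam(bdatum);" in the hunk at @@ -231,7 +220,7 @@. A short comment noting that the returned pointer refers to static storage that the next getpw* call overwrites would also help callers of uam_getname().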