[From nobody Mon Jun  1 21:27:09 2026
Received: (at submit) by bugs.debian.org; 31 May 2026 18:24:52 +0000
X-Spam-Checker-Version: SpamAssassin 4.0.1-bugs.debian.org_2005_01_02
 (2024-03-25) on buxtehude.debian.org
X-Spam-Level: 
X-Spam-Status: No, score=-20.0 required=4.0 tests=BAYES_00,
 BODY_INCLUDES_PACKAGE,DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,
 DKIM_VALID_EF,HAS_PACKAGE,PGPSIGNATURE,RCVD_IN_DNSWL_LOW,SPF_HELO_PASS,
 SPF_PASS autolearn=ham autolearn_force=no
 version=4.0.1-bugs.debian.org_2005_01_02
X-Spam-Bayes: score:0.0000 Tokens: new, 17; hammy, 95; neutral, 19; spammy, 1.
 spammytokens:0.941-+--H*r:bugs.debian.org
 hammytokens:0.000-+--H*ct:pgp-sha256, 0.000-+--XDebbugsCc,
 0.000-+--X-Debbugs-Cc, 0.000-+--H*ct:application,
 0.000-+--H*ct:protocol
Return-path: <daniel@mindani.net>
Received: from mail-244117.protonmail.ch ([109.224.244.117]:61433)
 by buxtehude.debian.org with esmtps
 (TLS1.3:ECDHE_X25519__RSA_PSS_RSAE_SHA256__AES_256_GCM:256)
 (Exim 4.96) (envelope-from <daniel@mindani.net>) id 1wTkqC-005GNp-1k
 for submit@bugs.debian.org; Sun, 31 May 2026 18:24:52 +0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mindani.net;
 s=protonmail3; t=1780251888; x=1780511088;
 bh=ikuZ1XHjCRMJVYy8agSo/8ZfEqTz2oMLJLDR299vw+w=;
 h=Date:To:From:Subject:Message-ID:Feedback-ID:From:To:Cc:Date:
 Subject:Reply-To:Feedback-ID:Message-ID:BIMI-Selector;
 b=P6feYoEOFo+/qxEM/sUZ+TQPMNxhF+GFyoP69gi3V5eGGXwoTmqNCO/Tc3GIp1v9m
 MoxlfcU81x0WMCWj7xm36SCVQ9ycuqMdRfXryPc5y6aJDp08+UcDMcplFrxSj6u/Kh
 KlR9wXd4ZIMfYVrxiKGbBKfYHXwlU7deTrxzTUQtrQ0qdm851ux6Xj4LItA8VqKOOJ
 51argzpeuZgH73eiqlUQqwspCEemGdL+foe60fSFLpkjU4SpSLTMUqiXb2wA/QUNV6
 4kBANg42bPHKCf2Y7rDSpodsM/i1DC3hDVGE4Qk0h7kqeDWj+RlGBgQcwyT/iXtKdJ
 WhIRh8brBz9rg==
Date: Sun, 31 May 2026 18:24:42 +0000
To: submit@bugs.debian.org
From: Daniel Markstedt <daniel@mindani.net>
Subject: CVE-2026-49388: Heap out-of-bounds read in Spotlight RPC TOC index
Message-ID: <63fbc745-ee69-4035-8fa6-4be34bb63200@mindani.net>
Feedback-ID: 84350481:user:proton
X-Pm-Message-ID: 6ad3e36aa50f4987add28f24f376f3958b07fa99
MIME-Version: 1.0
Content-Type: multipart/signed; protocol="application/pgp-signature";
 micalg=pgp-sha256;
 boundary="------ae003d40c4245530205e0e3c97984a3e9cabc8eefb96c8b66dc19d13b147a07c";
 charset=utf-8
Delivered-To: submit@bugs.debian.org

This is an OpenPGP/MIME signed message (RFC 4880 and 3156)
--------ae003d40c4245530205e0e3c97984a3e9cabc8eefb96c8b66dc19d13b147a07c
Content-Type: multipart/mixed;
 boundary=4d6e338002e9e8e5e61f5799860f7bd2a5f6b53b19a03055b3f771e00caa
Message-ID: <63fbc745-ee69-4035-8fa6-4be34bb63200@mindani.net>
Date: Sun, 31 May 2026 20:24:41 +0200
MIME-Version: 1.0
User-Agent: Mozilla Thunderbird
Content-Language: en-US
To: submit@bugs.debian.org
From: Daniel Markstedt <daniel@mindani.net>
Subject: CVE-2026-49388: Heap out-of-bounds read in Spotlight RPC TOC index

--4d6e338002e9e8e5e61f5799860f7bd2a5f6b53b19a03055b3f771e00caa
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit

Package: netatalk
Version: 4.4.3~ds-1
Severity: critical
Tags: security
X-Debbugs-Cc: 
team@security.debian.org,pkg-netatalk-devel@lists.alioth.debian.org

will be resolved by upgrading to upstream v4.5.0

--4d6e338002e9e8e5e61f5799860f7bd2a5f6b53b19a03055b3f771e00caa
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="publickey - Daniel Markstedt -
 0x3C47642E.asc"; name="publickey - Daniel Markstedt - 0x3C47642E.asc"
Content-Type: application/pgp-keys; filename="publickey - Daniel Markstedt -
 0x3C47642E.asc"; name="publickey - Daniel Markstedt - 0x3C47642E.asc"

LS0tLS1CRUdJTiBQR1AgUFVCTElDIEtFWSBCTE9DSy0tLS0tCkNvbW1lbnQ6IGh0dHBzOi8vZ29w
ZW5wZ3Aub3JnClZlcnNpb246IEdvcGVuUEdQIDIuOS4wCgp4c0ZOQkdUeVVBZ0JFQURDRUY2ZHBE
a3VVaGlhd21mbXVxN0tMdmhrelozM1ZPSEMwbW9LaU1ON3lpUTZpdHVBCm5mblNLUWZTVkdYTjUv
TTd5ZTQvNDIvc3dKeWRxQlNGOHMrV1k4bHpIZ0VmZk1hK2NnRitkVS9BS2M4ZlVOMDYKNWFTMlJI
Y1h4QXBBUFp3a0c5OFdmRnBFMjVhbFNLNm1EYk82T2dCRk8zME5USmpVQlNjOHhvV25Ganh2ZC9K
TQp5MDVXNVJmYk56eHgzaGxYaWI5NHNnK3JzWEdVaGt5bjdxR1k4Z0paT3YydXYzaTJzYUwwdGl1
Tk5UZXFGZXJ3CjRnN05CSzhtSzArNkNWcG01Snh4L005MGRsQmQvaGRteVRBWUhGcjlTREh0a2ZR
bUQxVktKUjJCTHU5aGZzcnAKWGlUUDdmekQ1N0JFUzZ2VjREbTZkczg0SXJBTWdPeG5SSUhoaTFt
WDY4YmdYaERQY1YzYkh4dUtabjAzelYydwplYnFzaWZuOXU2elRGQnc0SmxlY2lUSHBSYTd1anh3
cy9NbzM3eWI0Smp0M1lKZ3lkTXNrQSs4RkdnT2xxWGlVCmEwdDhrWUdIQVRTTDhJWTNFVTFJTnVx
dlFYbWo0V0VLK3owNVdpang3SEVYV1lXRWtEaUZCRDVGWG9ZY0w0dkMKUlNyczR0SDl4dmV2VERa
MXdLV0RxUW1oeW94NjRXSnVxR2RVSlFIY1BUMDZKWTZqb0U0eUU3U2N0MklmMGhldQptVk5vTDh5
eVNRUFFwL0N5cU9NOHp0UG0wYnZ4c3ZGOGIzTG16YUZiOTNPRG9iN3pTMHZzbkd0eWpvOC9KbS9v
Clhmb3pDNG5IZ3ZqV09NRUd6VHBMOVVGREFKMlJGdU41RTlzYXpIZkYveDE3Y1JxWm1aNi96THVh
YVFBUkFRQUIKelNWRVlXNXBaV3dnVFdGeWEzTjBaV1IwSUR4a1lXNXBaV3hBYldsdVpHRnVhUzV1
WlhRK3dzR09CQk1CQ2dBNApBaHNEQlFzSkNBY0NCaFVLQ1FnTEFnUVdBZ01CQWg0QkFoZUFGaUVF
UEVka0xrZHVHeGVsYTNvUkl6VlpLaC94CnR0b0ZBbWF3SUxRQUNna1FJelZaS2gveHR0bzQ3dy8v
U3pIQnN4NkFaUjJnMlVwWnFheWNFOEYrSHg5b3lidHoKZTROWEt4endUUFV4RHpYQWlwUVJzMGxS
UGl4ekJQVDZ3TTlOU3hDaUhBMnIwWG9qZFVzaU9YNzFyUVRHOERucAp2SnFxbWxKekc3WXdCakpV
YVpCOHgyQ1pyNXhPUzNCNTYweW5ZN3FpZnNEMzlNR21qZnNlNXhUaWhhTmlPNGMxCnVOaFl4eFUx
RFNLSkZYTGFLNlZNdW1jK0xCbDhuQStsdllTaVJ3UGsybC9DeDdtV2NmTWdHTk9BQ3RCa2J6Z1YK
d01kUC9xUHBCRXZzK2lFa3I1SmZWSTZrK0gzb05mZ3VjS3krRTVRYWg4SHM0RlBhODZTcEF0WXZz
cEhheDRvMwpacnZRVHJ5MFJob1duQWVJM3lVSWlTVzdGbWhmcWZ4ZVMveER2Z1pDYWN6SklUVktl
YUF6K3ZtdndEenpUcHgvCkk4RnJxSTJUejB1eFRVeVNFMkZlN1B2UWpRMHlSU0xoYzFFL3c5aTh0
OXlFTnZUckQ0akZreHVHeFNjUmtxNHQKbExyUlZWRFBYQi9CYlhGakh0OG5QaFg5R2RINGdVTWZv
cTZjVDV4ZVo2Nk1YNVJQanpaTzFRSDl1T3d5YUNObQo2V043RlRMam1aajVwcEl4TXdDeUtGdFJ5
SWdFSTdXRUN5OHRvVlJYMUJKVGx3alZFMlN5WFpkYkhZMGNrdks3CnB3YWM1ejE2MWFadHorVFBj
dWRMc1BybFdIbnhWNmxkbDNTbjk4a1dPTjlWdFV3cXhmdlhpaGhEU2JjMGlqS2sKY0g5clBjdXVM
NnFFR1pYb0xnM1N6bGl4RzZhZDNFenJmcG1kb0lwVmQwdUdnUGZaTWlKQStSTnFGVDBQWFZPOApE
ZERCNWlDZnVZbk93VTBFWlBKUUNBRVFBTVN6aXptTWRsMEt5M0tUMkpuK1VQRG5XK3lKYnpwR2sv
UlNqZW0xCnJFc2dJQW9WQzltdktRQ204eVBWcm1LNTVQbGhnNE5BeUxneTNNVng1Z2s1RUdTbkkr
RTZoZmMyZXhpeG1mR08KaUl6RkhPakc0TXZtWXp3OHRyWjZNQ2Q2VmtQZWtHVml5K2o4RkhVTmNK
MkEyOEhETk9ZSXo2cGJhNTZSZE41Wgo1WkJCalBrTmtDOXUwV1UyQnBjZVdVaXpTUEkxVkxkRlhR
a3lOWDRJTm9sVEJvVTFqOG1FaWJpYWdsUzJrbEVJCkpXeWNqbGVmWllDYW03OXBOa1JuM0xudXlr
Q0xJNXVENVFNV0N0UEZ0aUxTSzZzeGlWYk9rMnZSaGszb1Ria0EKNHF2VFZmaCtaUFpKZnMwdDda
UEJxbmtUaU1tZDhuTUxYdXY3MXRpMWhBOFVYc3J1Z1E1MjVHRGgvNk9rMHNuMApxOUJnM1dQNVZh
Yko0R1VTUEg4MFR3bEFEWFNtVnlBS3IvSk5VK05vL01GN3QySUdiSThnNDhwaC9MUlBWUFZpCnNv
aGNsTTFmVnR6L3NJMmFhK0xweXlFZHl5OXhDKzdKRUdYdkxHSTNmSEFkY0g3enhYc1NOMHNBMVpM
anpQNEwKbmNTOGN5Ri91azVMdG85aEU1YkZJUXBHRnFUQTNpZ29aVDBlTXFSWkRBR3A0VXUzWFho
M2pZVHcxOFpobXVTNwpzdTFnRTh5VEowaWlRaVRmUFNhV2lYN0UzKzJKZjVmQXVINWM5UDNXekRQ
ZUwyQlUzeWtOVzRIYldQbmF6Tkd1Ck9PV3dqNmMwakpGc1o3K25aSFhpWUk5amRsRnVmM1NqNEhF
U0pTbTJGdGFCWVJ5bFJuTmtQRTN2MkhhVENtREYKMlRGSkFCRUJBQUhDd1hZRUdBRUtBQ0FDR3d3
V0lRUThSMlF1UjI0YkY2VnJlaEVqTlZrcUgvRzIyZ1VDWnJBaApRQUFLQ1JBak5Wa3FIL0cyMm4w
MkQvOXdMdWNQZytwMTB5RmRVaVhnb0dndlliRXJLNnU3NTVhN0NOd3NjT2llCmExVDhzbGFOSW03
ZThWTm1VVmpNcFhudVFabGpSb3UxOFVkMmxJL0J2N05LblNoZzhxalRhZkdycWRGeWdPQXgKbUpx
TGNLKzc5RW4zUlZzaFJLZTl3elRhQkErbHhtNUtOOHdLbVRaTWl2aGtZQ3VkV1FkNnRoVjd5a29p
ZVUxTgpyZTNHZ3NNVnpubFBZcEJuZWJUcEV5R3ZWZGdWalVvd293QVNGWVI2M2o5RlRDVHVGUlhy
cmFsUTRZM2JTMDBSCi92cU83YWdGaGJVWUk0MW9LTldKL0hrOFE3VW5tYTRtc3ZjNTZKcnpCbXFq
aEZMODBsWVU4anVJRXFhazA1ZzkKNHZNY3JnbjY0dkhnVjZUc1duMFl4QVZacVR1aExDQ3o2UTNO
OUFQVkFYZE5rWDBwNVZQUEI5NmkraGtEVkVWRwo2ckhIa0wvTHdtTWRxbFlKeDZhRm1VWVFVU21p
a0tGbzNWaWtaMXViNUtuaVRLNDJnNDI5ckZHMEJLaWhuZXRBCk9zU211UVJBU21sRENtUE85bzhr
Z1FReWlCcFc4RkRiSjNhWXRramE3VHJpMS9zMGl0bHdMTkhRSUxlRmdoMDQKTWRJMnE1eDJueEhT
dEdmRENraDIvWkF3U0xHZGlKK3VaMGdYMU1jRVYrc3QvTjU0alo4UU9UeW15RExyVWNJawpxT1B0
VkRacmJsVTJkSmN5VkhERktaNE8yQlJxMkhyNTN6ZEI4VEdjY3Mwc3pZYUpFS2hTcHZHUGMwVU1I
NDBiCnFIU2NDWlk1UDdsVHp2a0piRk0yWWNLQU9hczRNOG9MS054VHluU2psc083S08zbGV5Ti8y
SUQ0eGFpa3FsS2oKUGc9PQo9RHlndwotLS0tLUVORCBQR1AgUFVCTElDIEtFWSBCTE9DSy0tLS0t
--4d6e338002e9e8e5e61f5799860f7bd2a5f6b53b19a03055b3f771e00caa--

--------ae003d40c4245530205e0e3c97984a3e9cabc8eefb96c8b66dc19d13b147a07c
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: OpenPGP digital signature
Content-Disposition: attachment; filename="signature.asc"

-----BEGIN PGP SIGNATURE-----
Version: ProtonMail

wsGpBAEBCABdBYJqHHzqCRAjNVkqH/G22jUUAAAAAAAcABBzYWx0QG5vdGF0
aW9ucy5vcGVucGdwanMub3Jn+Va7190T38cf2oTqJEg6DxYhBDxHZC5HbhsX
pWt6ESM1WSof8bbaAACJIQ//YJQb2xP6CyInfnxoLQNXNsVlFifDU8l7HXNq
9FxfQuHGpskHcHM/InIh9F4XI4/9SVj6dMAifOZm+Trhcn3DzKmSRvIdLf2L
oGRixjSGa9etDVCw+ONhNXElS58eOcycTj/KwwZ/fM9CAtPrIXB48dnVCTMh
0yDm1ZtLsbBjheli2Pgc6ebPUcUShi0/y7sCs2O6h4xDkjvQPQlDQjUg3AtK
VxQUUEkH2F0IzL5ZQAJ6MxUMA7QKg3SW51HpqxrnaXNcQ/mRzOtmiuju6yRU
Uo93e19d2w/9wLFzL9Cg5REkwqhaaMk/O+u4Y+uaElYsuwfJ4//oAjrwczLQ
UNYbJa321aCe6UGWBmJK0re/hkqSmL1vv55oYt1L5F3qU8NzeVTq1s5IajND
6mP2pGz82RywbVbYjcHVeJYH++kBXO+8dEKx9ACMbj5fc0frzmaMVM2pycy7
ZjLqc5fAsUhmy4BOIugGe7+kVlm7pwMKaGolJ5P2hDq9RvVms7QeFOsJxkm0
uKQnDzFzDqLq5FfUq95YKN+LbjEnaZo6YW2yLmO4TphKp1hW6Ku6sJi63ODM
BjZX6+mj4t0JGPbAnEBlfeGyn/38rHePJmevJcyhYLbsPdXMJmArdUK/Rq6C
RA+krw1ICAFxmVIPAsYKvNBmdYJ/BQo8KNcBAeAftFYDTQE=
=E/c1
-----END PGP SIGNATURE-----


--------ae003d40c4245530205e0e3c97984a3e9cabc8eefb96c8b66dc19d13b147a07c--
]