[From nobody Mon Jun  1 21:27:18 2026
Received: (at submit) by bugs.debian.org; 31 May 2026 18:53:23 +0000
X-Spam-Checker-Version: SpamAssassin 4.0.1-bugs.debian.org_2005_01_02
 (2024-03-25) on buxtehude.debian.org
X-Spam-Level: 
X-Spam-Status: No, score=-20.0 required=4.0 tests=BAYES_00,
 BODY_INCLUDES_PACKAGE,DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,
 DKIM_VALID_EF,HAS_PACKAGE,PGPSIGNATURE,RCVD_IN_DNSWL_LOW,
 RCVD_IN_MSPIKE_H4,RCVD_IN_MSPIKE_WL,SPF_HELO_PASS,SPF_PASS
 autolearn=ham autolearn_force=no
 version=4.0.1-bugs.debian.org_2005_01_02
X-Spam-Bayes: score:0.0000 Tokens: new, 15; hammy, 90; neutral, 19; spammy, 1.
 spammytokens:0.941-+--H*r:bugs.debian.org
 hammytokens:0.000-+--H*ct:pgp-sha256, 0.000-+--XDebbugsCc,
 0.000-+--X-Debbugs-Cc, 0.000-+--H*ct:application,
 0.000-+--H*ct:protocol
Return-path: <daniel@mindani.net>
Received: from mail-4320.protonmail.ch ([185.70.43.20]:29089)
 by buxtehude.debian.org with esmtps
 (TLS1.3:ECDHE_X25519__RSA_PSS_RSAE_SHA256__AES_256_GCM:256)
 (Exim 4.96) (envelope-from <daniel@mindani.net>) id 1wTlHn-005JoC-2D
 for submit@bugs.debian.org; Sun, 31 May 2026 18:53:23 +0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mindani.net;
 s=protonmail3; t=1780253601; x=1780512801;
 bh=IJaYkD3WduvyDJMhTD4rPYBUL+czl5mzFSgWEEnNfTs=;
 h=Date:To:From:Subject:Message-ID:Feedback-ID:From:To:Cc:Date:
 Subject:Reply-To:Feedback-ID:Message-ID:BIMI-Selector;
 b=YluaxpQJ0fXnFEqe9QLB5GQceHS3Cs3USL2KXWhNbaWREu18eO1r2PPFyYYq0c8GQ
 efNFpxG62mQlgm8hI+5DWW9COlx0GYtuSss8bymL8/q2Ro1Xd5Yb6hB2dSg/Frhz4f
 4NtayYuKsZNIcWZ1XFjS+e009srmXZMwZ9h5mE+8eY6mYkavlyd3w/scQsKbP3phTg
 PqD1LnwAvHIVU5hoF7WlrEkTfql//1KM0j6CQHwD6/Y9UMZJYEg0YCqsNkgXR3fFZ0
 WpQuoFNa2cGpjA+xhJyEkTGXyAZO/+MUs38ICpgQ7/dI7hFA7+kbFp8vcl8gMxGwDt
 tR67EjoTiGliQ==
Date: Sun, 31 May 2026 18:53:18 +0000
To: submit@bugs.debian.org
From: Daniel Markstedt <daniel@mindani.net>
Subject: CVE-2026-44070: Unbounded realloc in charset conversion
Message-ID: <df5b716e-9a6d-4530-8e6f-655383310490@mindani.net>
Feedback-ID: 84350481:user:proton
X-Pm-Message-ID: 03d3e60bc3dec1282a7a27a1008035052487232d
MIME-Version: 1.0
Content-Type: multipart/signed; protocol="application/pgp-signature";
 micalg=pgp-sha256;
 boundary="------74a3419be6542ef609a14b52043125e261991a35bd35e7524fa33fdaf8e1dad2";
 charset=utf-8
Delivered-To: submit@bugs.debian.org
X-CrossAssassin-Score: 4

This is an OpenPGP/MIME signed message (RFC 4880 and 3156)
--------74a3419be6542ef609a14b52043125e261991a35bd35e7524fa33fdaf8e1dad2
Content-Type: multipart/mixed;
 boundary=41bcba89148a154a7a581be8b399244b2764781c2512619888f402426d78
Message-ID: <df5b716e-9a6d-4530-8e6f-655383310490@mindani.net>
Date: Sun, 31 May 2026 20:53:14 +0200
MIME-Version: 1.0
User-Agent: Mozilla Thunderbird
Content-Language: en-US
To: submit@bugs.debian.org
From: Daniel Markstedt <daniel@mindani.net>
Subject: CVE-2026-44070: Unbounded realloc in charset conversion

--41bcba89148a154a7a581be8b399244b2764781c2512619888f402426d78
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit

Package: netatalk
Version: 4.4.3~ds-1
Severity: critical
Tags: security
X-Debbugs-Cc: 
team@security.debian.org,pkg-netatalk-devel@lists.alioth.debian.org

will be resolved by upgrading to upstream v4.5.0

--41bcba89148a154a7a581be8b399244b2764781c2512619888f402426d78
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="publickey - Daniel Markstedt -
 0x3C47642E.asc"; name="publickey - Daniel Markstedt - 0x3C47642E.asc"
Content-Type: application/pgp-keys; filename="publickey - Daniel Markstedt -
 0x3C47642E.asc"; name="publickey - Daniel Markstedt - 0x3C47642E.asc"

LS0tLS1CRUdJTiBQR1AgUFVCTElDIEtFWSBCTE9DSy0tLS0tCkNvbW1lbnQ6IGh0dHBzOi8vZ29w
ZW5wZ3Aub3JnClZlcnNpb246IEdvcGVuUEdQIDIuOS4wCgp4c0ZOQkdUeVVBZ0JFQURDRUY2ZHBE
a3VVaGlhd21mbXVxN0tMdmhrelozM1ZPSEMwbW9LaU1ON3lpUTZpdHVBCm5mblNLUWZTVkdYTjUv
TTd5ZTQvNDIvc3dKeWRxQlNGOHMrV1k4bHpIZ0VmZk1hK2NnRitkVS9BS2M4ZlVOMDYKNWFTMlJI
Y1h4QXBBUFp3a0c5OFdmRnBFMjVhbFNLNm1EYk82T2dCRk8zME5USmpVQlNjOHhvV25Ganh2ZC9K
TQp5MDVXNVJmYk56eHgzaGxYaWI5NHNnK3JzWEdVaGt5bjdxR1k4Z0paT3YydXYzaTJzYUwwdGl1
Tk5UZXFGZXJ3CjRnN05CSzhtSzArNkNWcG01Snh4L005MGRsQmQvaGRteVRBWUhGcjlTREh0a2ZR
bUQxVktKUjJCTHU5aGZzcnAKWGlUUDdmekQ1N0JFUzZ2VjREbTZkczg0SXJBTWdPeG5SSUhoaTFt
WDY4YmdYaERQY1YzYkh4dUtabjAzelYydwplYnFzaWZuOXU2elRGQnc0SmxlY2lUSHBSYTd1anh3
cy9NbzM3eWI0Smp0M1lKZ3lkTXNrQSs4RkdnT2xxWGlVCmEwdDhrWUdIQVRTTDhJWTNFVTFJTnVx
dlFYbWo0V0VLK3owNVdpang3SEVYV1lXRWtEaUZCRDVGWG9ZY0w0dkMKUlNyczR0SDl4dmV2VERa
MXdLV0RxUW1oeW94NjRXSnVxR2RVSlFIY1BUMDZKWTZqb0U0eUU3U2N0MklmMGhldQptVk5vTDh5
eVNRUFFwL0N5cU9NOHp0UG0wYnZ4c3ZGOGIzTG16YUZiOTNPRG9iN3pTMHZzbkd0eWpvOC9KbS9v
Clhmb3pDNG5IZ3ZqV09NRUd6VHBMOVVGREFKMlJGdU41RTlzYXpIZkYveDE3Y1JxWm1aNi96THVh
YVFBUkFRQUIKelNWRVlXNXBaV3dnVFdGeWEzTjBaV1IwSUR4a1lXNXBaV3hBYldsdVpHRnVhUzV1
WlhRK3dzR09CQk1CQ2dBNApBaHNEQlFzSkNBY0NCaFVLQ1FnTEFnUVdBZ01CQWg0QkFoZUFGaUVF
UEVka0xrZHVHeGVsYTNvUkl6VlpLaC94CnR0b0ZBbWF3SUxRQUNna1FJelZaS2gveHR0bzQ3dy8v
U3pIQnN4NkFaUjJnMlVwWnFheWNFOEYrSHg5b3lidHoKZTROWEt4endUUFV4RHpYQWlwUVJzMGxS
UGl4ekJQVDZ3TTlOU3hDaUhBMnIwWG9qZFVzaU9YNzFyUVRHOERucAp2SnFxbWxKekc3WXdCakpV
YVpCOHgyQ1pyNXhPUzNCNTYweW5ZN3FpZnNEMzlNR21qZnNlNXhUaWhhTmlPNGMxCnVOaFl4eFUx
RFNLSkZYTGFLNlZNdW1jK0xCbDhuQStsdllTaVJ3UGsybC9DeDdtV2NmTWdHTk9BQ3RCa2J6Z1YK
d01kUC9xUHBCRXZzK2lFa3I1SmZWSTZrK0gzb05mZ3VjS3krRTVRYWg4SHM0RlBhODZTcEF0WXZz
cEhheDRvMwpacnZRVHJ5MFJob1duQWVJM3lVSWlTVzdGbWhmcWZ4ZVMveER2Z1pDYWN6SklUVktl
YUF6K3ZtdndEenpUcHgvCkk4RnJxSTJUejB1eFRVeVNFMkZlN1B2UWpRMHlSU0xoYzFFL3c5aTh0
OXlFTnZUckQ0akZreHVHeFNjUmtxNHQKbExyUlZWRFBYQi9CYlhGakh0OG5QaFg5R2RINGdVTWZv
cTZjVDV4ZVo2Nk1YNVJQanpaTzFRSDl1T3d5YUNObQo2V043RlRMam1aajVwcEl4TXdDeUtGdFJ5
SWdFSTdXRUN5OHRvVlJYMUJKVGx3alZFMlN5WFpkYkhZMGNrdks3CnB3YWM1ejE2MWFadHorVFBj
dWRMc1BybFdIbnhWNmxkbDNTbjk4a1dPTjlWdFV3cXhmdlhpaGhEU2JjMGlqS2sKY0g5clBjdXVM
NnFFR1pYb0xnM1N6bGl4RzZhZDNFenJmcG1kb0lwVmQwdUdnUGZaTWlKQStSTnFGVDBQWFZPOApE
ZERCNWlDZnVZbk93VTBFWlBKUUNBRVFBTVN6aXptTWRsMEt5M0tUMkpuK1VQRG5XK3lKYnpwR2sv
UlNqZW0xCnJFc2dJQW9WQzltdktRQ204eVBWcm1LNTVQbGhnNE5BeUxneTNNVng1Z2s1RUdTbkkr
RTZoZmMyZXhpeG1mR08KaUl6RkhPakc0TXZtWXp3OHRyWjZNQ2Q2VmtQZWtHVml5K2o4RkhVTmNK
MkEyOEhETk9ZSXo2cGJhNTZSZE41Wgo1WkJCalBrTmtDOXUwV1UyQnBjZVdVaXpTUEkxVkxkRlhR
a3lOWDRJTm9sVEJvVTFqOG1FaWJpYWdsUzJrbEVJCkpXeWNqbGVmWllDYW03OXBOa1JuM0xudXlr
Q0xJNXVENVFNV0N0UEZ0aUxTSzZzeGlWYk9rMnZSaGszb1Ria0EKNHF2VFZmaCtaUFpKZnMwdDda
UEJxbmtUaU1tZDhuTUxYdXY3MXRpMWhBOFVYc3J1Z1E1MjVHRGgvNk9rMHNuMApxOUJnM1dQNVZh
Yko0R1VTUEg4MFR3bEFEWFNtVnlBS3IvSk5VK05vL01GN3QySUdiSThnNDhwaC9MUlBWUFZpCnNv
aGNsTTFmVnR6L3NJMmFhK0xweXlFZHl5OXhDKzdKRUdYdkxHSTNmSEFkY0g3enhYc1NOMHNBMVpM
anpQNEwKbmNTOGN5Ri91azVMdG85aEU1YkZJUXBHRnFUQTNpZ29aVDBlTXFSWkRBR3A0VXUzWFho
M2pZVHcxOFpobXVTNwpzdTFnRTh5VEowaWlRaVRmUFNhV2lYN0UzKzJKZjVmQXVINWM5UDNXekRQ
ZUwyQlUzeWtOVzRIYldQbmF6Tkd1Ck9PV3dqNmMwakpGc1o3K25aSFhpWUk5amRsRnVmM1NqNEhF
U0pTbTJGdGFCWVJ5bFJuTmtQRTN2MkhhVENtREYKMlRGSkFCRUJBQUhDd1hZRUdBRUtBQ0FDR3d3
V0lRUThSMlF1UjI0YkY2VnJlaEVqTlZrcUgvRzIyZ1VDWnJBaApRQUFLQ1JBak5Wa3FIL0cyMm4w
MkQvOXdMdWNQZytwMTB5RmRVaVhnb0dndlliRXJLNnU3NTVhN0NOd3NjT2llCmExVDhzbGFOSW03
ZThWTm1VVmpNcFhudVFabGpSb3UxOFVkMmxJL0J2N05LblNoZzhxalRhZkdycWRGeWdPQXgKbUpx
TGNLKzc5RW4zUlZzaFJLZTl3elRhQkErbHhtNUtOOHdLbVRaTWl2aGtZQ3VkV1FkNnRoVjd5a29p
ZVUxTgpyZTNHZ3NNVnpubFBZcEJuZWJUcEV5R3ZWZGdWalVvd293QVNGWVI2M2o5RlRDVHVGUlhy
cmFsUTRZM2JTMDBSCi92cU83YWdGaGJVWUk0MW9LTldKL0hrOFE3VW5tYTRtc3ZjNTZKcnpCbXFq
aEZMODBsWVU4anVJRXFhazA1ZzkKNHZNY3JnbjY0dkhnVjZUc1duMFl4QVZacVR1aExDQ3o2UTNO
OUFQVkFYZE5rWDBwNVZQUEI5NmkraGtEVkVWRwo2ckhIa0wvTHdtTWRxbFlKeDZhRm1VWVFVU21p
a0tGbzNWaWtaMXViNUtuaVRLNDJnNDI5ckZHMEJLaWhuZXRBCk9zU211UVJBU21sRENtUE85bzhr
Z1FReWlCcFc4RkRiSjNhWXRramE3VHJpMS9zMGl0bHdMTkhRSUxlRmdoMDQKTWRJMnE1eDJueEhT
dEdmRENraDIvWkF3U0xHZGlKK3VaMGdYMU1jRVYrc3QvTjU0alo4UU9UeW15RExyVWNJawpxT1B0
VkRacmJsVTJkSmN5VkhERktaNE8yQlJxMkhyNTN6ZEI4VEdjY3Mwc3pZYUpFS2hTcHZHUGMwVU1I
NDBiCnFIU2NDWlk1UDdsVHp2a0piRk0yWWNLQU9hczRNOG9MS054VHluU2psc083S08zbGV5Ti8y
SUQ0eGFpa3FsS2oKUGc9PQo9RHlndwotLS0tLUVORCBQR1AgUFVCTElDIEtFWSBCTE9DSy0tLS0t
--41bcba89148a154a7a581be8b399244b2764781c2512619888f402426d78--

--------74a3419be6542ef609a14b52043125e261991a35bd35e7524fa33fdaf8e1dad2
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: OpenPGP digital signature
Content-Disposition: attachment; filename="signature.asc"

-----BEGIN PGP SIGNATURE-----
Version: ProtonMail

wsGpBAEBCABdBYJqHIOdCRAjNVkqH/G22jUUAAAAAAAcABBzYWx0QG5vdGF0
aW9ucy5vcGVucGdwanMub3Jn047TzAp90ekcyqT9bsGcGBYhBDxHZC5HbhsX
pWt6ESM1WSof8bbaAADGXg/9GBDL7AeG1rmorluHRGAGqo2MxxYaFZbfCu+D
z83DWpRkLi8NkkgPIce42lmTxj84VGtVE3LYJ9T6bJPnSZgx612a2rb8bwj5
4SFdWqgjwYEin2OVkvr0WNuQYZYCPEwof2el4ShGQyYDRYsFh9rS9+JQYpPX
HCWFmCfX2uKskp0nVwt+YNXIXDtantwUZNtQfwscfeYAXw0kXCzvcYCAPaCA
LCyvXUwUFaKiWvwpdFi9vdupg6FYcwD4jhuUxm2ykWygytDjzMmy98w3XqGX
Bv4s2MvzdNH+9v0ujiid2gemSLBKQ3/s2Ni660C/No9EFpZDBK9xcBDsku1f
KB3q1yS9J89UgSbbebb422mrZ2fXSRMlE9mHJvNoagj9+uSD7zTDOhEo4Lyw
rF9YHs0Rtuagjc/JWMsUI8/e+duds+XoWXZRXFjwSO4Jpp+eehdPaRkgP5s1
vr7SQaDvI91m47xwnyU9HSe9pa02VKoaaAFsi5hv+aOHrZleI2qy6w0wYWNV
083Xs53W2x3sScU3M6Xl7e2HrUEU2uDLeEEuiwIXDfTT+horIfdm0ZMk6a0V
cttYL1oReO+txUVZuDay+zU0YgksOQhMqXA3xp9KGRPYai3FQYSM9mYwbCUA
2qqYh+Tcy70Bn7O2MxV8+m8g+hJoU9VdbSPT9ZFy2hiwJ7g=
=VJxI
-----END PGP SIGNATURE-----


--------74a3419be6542ef609a14b52043125e261991a35bd35e7524fa33fdaf8e1dad2--
]