[Pkg-netatalk-devel] Bug#1117453: netatalk: trixie-pu: package netatalk/4.2.3~ds-1+deb13u1

Daniel Markstedt daniel at mindani.net
Sun Oct 5 21:20:59 BST 2025


Package: release.debian.org
Severity: important
Tags: trixie
User: release.debian.org at packages.debian.org
Usertags: pu
X-Debbugs-Cc: pkg-netatalk-devel at alioth-lists.debian.net

Hi release team, I am proposing a trixie package update for netatalk.
This is for fixing https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1111652
At least two users are blocked from using the trixie netatalk package,
and many more are likely affected because authentication through
ActiveDirectory or any centralized identity management using PAM
is broken.

Attaching a debdiff that can be applied to netatalk/4.2.3~ds-1
-------------- next part --------------
diff --git a/debian/changelog b/debian/changelog
index e22bd2216..5a343dbe7 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,12 @@
+netatalk (4.2.3~ds-1+deb13u1) trixie; urgency=high
+
+  [ Daniel Markstedt ]
+  * add patch that fixes critical bug in uam module;
+    closes: bug#1111652, thanks to Stefan van Lieshout and
+    Hector Rulot
+
+ -- Daniel Markstedt <daniel at mindani.net>  Sun, 05 Oct 2025 21:11:55 +0000
+
 netatalk (4.2.3~ds-1) unstable; urgency=medium
 
   [ upstream ]
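Review bot: The new changelog entry ("add patch that fixes critical bug in uam module") names neither the patch nor the user-visible symptom, which is what the release team reads first for a stable update. Suggest naming 001_uams_non_reentrant.patch and stating that it reverts uam_getname() to getpwnam() to restore PAM and ActiveDirectory authentication, so the urgency=high is justified by the entry itself.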
diff --git a/debian/patches/001_uams_non_reentrant.patch b/debian/patches/001_uams_non_reentrant.patch
new file mode 100644
index 000000000..b64c01704
--- /dev/null
+++ b/debian/patches/001_uams_non_reentrant.patch
@@ -0,0 +1,74 @@
+Description: Revert to non-reentrant getpwnam() in the uam module
+ Since afpd isn't a threading application,
+ there is no pressing need to use the reentrant-safe way
+ to fetch the passwd entry in uam_getname().
+ The reverted solution 
had flaws
+ that led to a critical failure
+ when attempting to authenticate
+ in a complex ActiveDirectory environment.
+Author: Daniel Markstedt <daniel at mindani.net>
+Bug: https://github.com/Netatalk/netatalk/issues/2402
+Last-Update: 2025-09-05
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+--- a/etc/afpd/uam.c
++++ b/etc/afpd/uam.c
+@@ -193,7 +193,6 @@
+ {
+     AFPObj *obj = private;
+     struct passwd *pwent = NULL;
+-    struct passwd pwent_buf;
+     static char username[256];
+     static char user[256];
+     static char pwname[256];
+@@ -201,23 +200,13 @@
+     size_t namelen;
+     size_t gecoslen = 0;
+     size_t pwnamelen = 0;
+-
+-    long bufsize = sysconf(_SC_GETPW_R_SIZE_MAX);
+-    if (bufsize == -1) {
+-        bufsize = 16384;
+-    }
+-    char *buffer = malloc(bufsize);
+-    if (buffer == NULL) {
+-        free(buffer);
+-        return NULL;
+-    }
+-
+ #ifdef HAVE_GETPWNAM_SHADOW
+-    if (pwent =
 getpwnam_shadow(name)) {
++    pwent = getpwnam_shadow(name);
+ #else
+-    if (getpwnam_r(name, &pwent_buf, buffer, sizeof(buffer), &pwent) == 0 && pwent != NULL) {
+-        free(buffer);
++    pwent = getpwnam(name);
+ #endif
++
++    if (pwent) {
+         return pwent;
+     }
+ 
+@@ -231,7 +220,7 @@
+ 
+         if (bdata(princ) != NULL) {
+             const char *bdatum = bdata(princ);
+-            getpwnam_r(bdatum, &pwent_buf, buffer, sizeof(buffer), &pwent);
++            pwent = getpwnam(bdatum);
+         }
+         bdestroy(princ);
+ 
+@@ -242,13 +231,10 @@
+             } else {
+                 LOG(log_error, logtype_uams, "The name '%s' is longer than %d", pwent->pw_name, MAXUSERLEN);
+             }
+-            free(buffer);
+             return pwent;
+         }
+     }
+ 
+-    free(buffer);
+-
+     namelen = convert_string((utf8_encoding(obj))?CH_UTF8_MAC:obj->options.maccharset,
+                             CH_UCS2, name, 
-1, username, sizeof(username));
+     if (namelen == -1)
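Review bot: The DEP-3 description says only that "The reverted solution had flaws" without naming them, although the removed lines show two: `getpwnam_r(name, &pwent_buf, buffer, sizeof(buffer), &pwent)` passes the size of a `char *` instead of `bufsize`, and the success path calls `free(buffer)` and then returns `pwent`, which points at the local `pwent_buf` whose string fields live in the freed buffer. Stating these in the description would show reviewers why a plain revert is the minimal fix. Two smaller points on the added lines: getpwnam() returns a pointer to static storage that a later passwd lookup may overwrite, so the "afpd isn't a threading application" rationale should also say that callers of uam_getname() use or copy the result before any further lookup; and a NULL from `pwent = getpwnam(name);` covers both an unknown user and a lookup error, so setting `errno = 0` before the call and logging a non-zero errno would make directory-backed failures easier to diagnose.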
diff --git a/debian/patches/series b/debian/patches/series
index cb6afea6c..5e10942dd 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1 +1,2 @@
+001_uams_non_reentrant.patch
 202_privacy.patch
