Version in base suite: 4.2.3~ds-1 Base version: netatalk_4.2.3~ds-1 Target version: netatalk_4.2.3~ds-1+deb13u1 Base file: /srv/ftp-master.debian.org/ftp/pool/main/n/netatalk/netatalk_4.2.3~ds-1.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/n/netatalk/netatalk_4.2.3~ds-1+deb13u1.dsc changelog | 9 ++++ patches/001_uams_non_reentrant.patch | 74 +++++++++++++++++++++++++++++++++++ patches/series | 1 3 files changed, 84 insertions(+) dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmp3y41asts/netatalk_4.2.3~ds-1.dsc: no acceptable signature found dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmp3y41asts/netatalk_4.2.3~ds-1+deb13u1.dsc: no acceptable signature found
diff -Nru netatalk-4.2.3~ds/debian/changelog netatalk-4.2.3~ds/debian/changelog
--- netatalk-4.2.3~ds/debian/changelog 2025-05-13 14:40:25.000000000 +0000
+++ netatalk-4.2.3~ds/debian/changelog 2025-10-05 21:11:55.000000000 +0000
@@ -1,3 +1,12 @@
+netatalk (4.2.3~ds-1+deb13u1) trixie; urgency=high
+
+ [ Daniel Markstedt ]
+ * add patch that fixes critical bug in uam module;
+ closes: bug#1111652, thanks to Stefan van Lieshout and
+ Hector Rulot
+
+ -- Daniel Markstedt Sun, 05 Oct 2025 21:11:55 +0000
+
 netatalk (4.2.3~ds-1) unstable; urgency=medium

 [ upstream ]
diff -Nru netatalk-4.2.3~ds/debian/patches/001_uams_non_reentrant.patch netatalk-4.2.3~ds/debian/patches/001_uams_non_reentrant.patch
--- netatalk-4.2.3~ds/debian/patches/001_uams_non_reentrant.patch 1970-01-01 00:00:00.000000000 +0000
+++ netatalk-4.2.3~ds/debian/patches/001_uams_non_reentrant.patch 2025-10-05 21:11:55.000000000 +0000
@@ -0,0 +1,74 @@
+Description: Revert to non-reentrant getpwnam() in the uam module
+ Since afpd isn't a threading application,
+ there is no pressing need to use the reentrant-safe way
+ to fetch the passwd entry in uam_getname().
+ The reverted solution had flaws
+ that led to a critical failure
+ when attempting to authenticate
+ in a complex ActiveDirectory environment.
+Author: Daniel Markstedt
+Bug: https://github.com/Netatalk/netatalk/issues/2402
+Last-Update: 2025-09-05
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+--- a/etc/afpd/uam.c
++++ b/etc/afpd/uam.c
+@@ -193,7 +193,6 @@
+ {
+ AFPObj *obj = private;
+ struct passwd *pwent = NULL;
+- struct passwd pwent_buf;
+ static char username[256];
+ static char user[256];
+ static char pwname[256];
+@@ -201,23 +200,13 @@
+ size_t namelen;
+ size_t gecoslen = 0;
+ size_t pwnamelen = 0;
+-
+- long bufsize = sysconf(_SC_GETPW_R_SIZE_MAX);
+- if (bufsize == -1) {
+- bufsize = 16384;
+- }
+- char *buffer = malloc(bufsize);
+- if (buffer == NULL) {
+- free(buffer);
+- return NULL;
+- }
+-
+ #ifdef HAVE_GETPWNAM_SHADOW
+- if (pwent = getpwnam_shadow(name)) {
++ pwent = getpwnam_shadow(name);
+ #else
+- if (getpwnam_r(name, &pwent_buf, buffer, sizeof(buffer), &pwent) == 0 && pwent != NULL) {
+- free(buffer);
++ pwent = getpwnam(name);
+ #endif
++
++ if (pwent) {
+ return pwent;
+ }
+
+@@ -231,7 +220,7 @@
+
+ if (bdata(princ) != NULL) {
+ const char *bdatum = bdata(princ);
+- getpwnam_r(bdatum, &pwent_buf, buffer, sizeof(buffer), &pwent);
++ pwent = getpwnam(bdatum);
+ }
+ bdestroy(princ);
+
+@@ -242,13 +231,10 @@
+ } else {
+ LOG(log_error, logtype_uams, "The name '%s' is longer than %d", pwent->pw_name, MAXUSERLEN);
+ }
+- free(buffer);
+ return pwent;
+ }
+ }
+
+- free(buffer);
+-
+ namelen = convert_string((utf8_encoding(obj))?CH_UTF8_MAC:obj->options.maccharset,
+ CH_UCS2, name, -1, username, sizeof(username));
+ if (namelen == -1)
diff -Nru netatalk-4.2.3~ds/debian/patches/series
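Review bot: After `pwent = getpwnam(name);` the only check is `if (pwent)`, so a lookup that fails because the account backend cannot be reached is indistinguishable from an unknown user and silently continues into the code below; the same holds for `pwent = getpwnam(bdatum);` in the `@@ -231,7 +220,7 @@` hunk. getpwnam() signals errors through errno, so set `errno = 0;` before each call and log through the existing `LOG(log_error, logtype_uams, ...)` when it returns NULL with errno non-zero, which gives operators a trace when logins fail for directory reasons rather than bad credentials. The result now points into libc's static storage, so a comment like `/* static storage: overwritten by the next getpw*() call */` above `return pwent;` would document the lifetime for callers. The function (uam_getname() per the patch description) begins and ends outside these hunks, so whether callers keep the pointer across another lookup is not visible here.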
netatalk-4.2.3~ds/debian/patches/series
--- netatalk-4.2.3~ds/debian/patches/series 2025-04-16 04:29:03.000000000 +0000
+++ netatalk-4.2.3~ds/debian/patches/series 2025-10-05 21:11:55.000000000 +0000
@@ -1 +1,2 @@
+001_uams_non_reentrant.patch
 202_privacy.patch