From 04bea739efba923aad6d7fdea78ece1788eb8470 Mon Sep 17 00:00:00 2001 From: Daniel Markstedt Date: Fri, 8 May 2026 10:29:49 +0200 Subject: [PATCH] CVE-2026-44068: libatalk/vfs: reject slash in EA names Reported-by: @00redbeer Signed-off-by: Daniel Markstedt --- libatalk/vfs/ea_ad.c | 17 +++++------------ 1 file changed, 5 insertions(+), 12 deletions(-) diff --git a/libatalk/vfs/ea_ad.c b/libatalk/vfs/ea_ad.c index c83e05186..8e39f4127 100644 --- a/libatalk/vfs/ea_ad.c +++ b/libatalk/vfs/ea_ad.c @@ -537,6 +537,11 @@ char *ea_path(const struct ea *ea, const char *eaname, strlcat(pathbuf, "::EA", MAXPATHLEN + 1); if (eaname) { + if (strchr(eaname, '/') != NULL) { + LOG(log_warning, logtype_afpd, "ea_path: EA name contains '/': \"%s\"", eaname); + return NULL; + } + strlcat(pathbuf, "::", MAXPATHLEN + 1); if (macname) @@ -1649,7 +1654,6 @@ int ea_chmod_dir(const struct vol *vol, const char *name, mode_t mode, int ret = AFP_OK; unsigned int count = 0; const char *eaname; - const char *eaname_safe = NULL; struct ea ea; LOG(log_debug, logtype_afpd, "ea_chmod_dir('%s')", name); /* .AppleDouble already might be inaccesible, so we must run as id 0 */ @@ -1687,17 +1691,6 @@ int ea_chmod_dir(const struct vol *vol, const char *name, mode_t mode, while (count < ea.ea_count) { eaname = (*ea.ea_entries)[count].ea_name; - /* - * Be careful with EA names from the EA header! - * E.g. NFS users might have access to them, can inject paths using ../ or /..... - * FIXME: - * Until the EA code escapes / in EA name requests from the client, these therefor wont work. - */ - if ((eaname_safe = strrchr(eaname, '/'))) { - LOG(log_warning, logtype_afpd, "ea_chmod_dir('%s'): contains a slash", eaname); - eaname = eaname_safe; - } - if ((eaname = ea_path(&ea, eaname, 1)) == NULL) { ret = AFPERR_MISC; goto exit;