There is an arbitrary code execution in the papd daemon from netatalk: (mainly) malicious PostScript files can inject shell commands if papd is configured to make variable substitution during filtering of incoming PostScript content.

Fix:

The following patch combines 3 upstream hunks that should fix the vulnerability. I have tested only the patch's compilability and inspected the patch logic -- looks sane.

Note that the third hunk was reverted in the CVS repository for netatalk for an unknown reason. But the patch should be present, otherwise command injection will still be possible.

The following VuXML entry should be evaluated and added.

<vuln vid="3604780c-0c0f-11de-b26a-001fc66e7203">
  <topic>netatalk -- arbitrary command execution in papd daemon</topic>
  <affects>
    <package>
      <name>netatalk</name>
      <range><lt>2.0.3_5,1</lt></range>
    </package>
  </affects>
  <description>
    <body xmlns="http://www.w3.org/1999/xhtml">
      <p>Secunia reports:</p>
      <blockquote cite="http://secunia.com/advisories/33227">
        <p>A vulnerability has been reported in Netatalk, which
          potentially can be exploited by malicious users to compromise
          a vulnerable system.</p>
        <p>The vulnerability is caused due to the papd daemon improperly
          sanitising several received parameters before passing them in
          a call to "popen()". This can be exploited to execute arbitrary
          commands via a specially crafted printing request.</p>
        <p>Successful exploitation requires that a printer is configured
          to pass arbitrary values as parameters to a piped command.</p>
      </blockquote>
    </body>
  </description>
  <references>
    <cvename>CVE-2008-5718</cvename>
    <bid>32925</bid>
    <url>http://www.openwall.com/lists/oss-security/2009/01/13/3</url>
  </references>
  <dates>
    <discovery>2009-01-15</discovery>
    <entry>TODAY</entry>
  </dates>
</vuln>
--- vuln.xml ends here ---

While I am here, I want to add a simple patch that removes spool directories for the CUPS interface that are created if CUPS is installed on the system when one builds the netatalk port and thus CUPS support is activated by the configure script.

How-To-Repeat:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5718
http://www.openwall.com/lists/oss-security/2009/01/13/3
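
The advisory quoted above turns on values from a print job reaching popen() unsanitised after variable substitution. The following C code is an added illustration of allow-list substitution, not the netatalk patch or the port's code; the placeholders %U and %J, the `myfilter` command and all function names are assumptions made for the example.

```c
#include <stdio.h>
#include <string.h>
/* Bytes with no meaning to /bin/sh in any quoting context (allow-list). */
static const char SAFE[] = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789._";

/* Copy src to dst, replacing every byte outside SAFE with '_'. '-' is kept
 * except in first position (no option smuggling). Returns 0, or -1 if dst is too small. */
static int sanitize_value(const char *src, char *dst, size_t dstlen)
{
    size_t i;
    if (dstlen == 0) return -1;
    for (i = 0; src[i] != '\0'; i++) {
        if (i + 1 >= dstlen) return -1;
        dst[i] = (strchr(SAFE, src[i]) || (src[i] == '-' && i > 0)) ? src[i] : '_';
    }
    dst[i] = '\0';
    return 0;
}

/* Expand %U (user) and %J (job title), both hypothetical placeholders, in a
 * command template. Returns 0, or -1 on truncation or an unknown placeholder. */
static int expand_command(const char *tmpl, const char *user, const char *job,
                          char *out, size_t outlen)
{
    char val[64];
    size_t n = 0, len;
    if (outlen == 0) return -1;
    for (; *tmpl != '\0'; tmpl++) {
        if (*tmpl != '%') {               /* literal byte from the admin's template */
            val[0] = *tmpl; val[1] = '\0';
        } else {                          /* placeholder: the value is untrusted */
            tmpl++;
            const char *raw = (*tmpl == 'U') ? user : (*tmpl == 'J') ? job : NULL;
            if (raw == NULL || sanitize_value(raw, val, sizeof(val)) != 0) return -1;
        }
        len = strlen(val);
        if (n + len >= outlen) return -1; /* refuse rather than run a cut-off command */
        memcpy(out + n, val, len);
        n += len;
    }
    out[n] = '\0';
    return 0;
}
int main(void)
{
    char cmd[128];  /* the job title below is constructed sample input */
    if (expand_command("myfilter --user %U --title %J", "alice", "q3 report; $(id)", cmd, sizeof(cmd)) == 0)
        puts(cmd);  /* only a string built this way would be handed to popen() */
    return 0;
}
```

An allow-list is used here rather than shell quoting because the placeholder may sit inside or outside quotes in the administrator's template, and the listed bytes are inert in both cases.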
Responsible Changed
From-To: freebsd-ports-bugs->miwi

I'll take it.
miwi        2009-03-18 15:05:04 UTC

  FreeBSD ports repository

  Modified files:
    security/vuxml       vuln.xml
  Log:
  - Document netatalk -- arbitrary command execution in papd daemon

  PR:             based on 132427
  Submitted by:   Eygene Ryabinkin <rea-fbsd@codelabs.ru>

  Revision  Changes    Path
  1.1890    +34 -1     ports/security/vuxml/vuln.xml
_______________________________________________
cvs-all@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/cvs-all
To unsubscribe, send any mail to "cvs-all-unsubscribe@freebsd.org"
miwi        2009-03-18 16:39:04 UTC

  FreeBSD ports repository

  Modified files:
    net/netatalk         Makefile
  Added files:
    net/netatalk/files   patch-CVE-2008-5718
  Log:
  - Fix CVE-2008-5718

  PR:             132427
  Submitted by:   Eygene Ryabinkin <rea-fbsd@codelabs.ru>
  Approved by:    marcus (maintainer)
  Security:       http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5718
                  http://www.openwall.com/lists/oss-security/2009/01/13/3

  Revision  Changes    Path
  1.78      +1 -1      ports/net/netatalk/Makefile
  1.1       +143 -0    ports/net/netatalk/files/patch-CVE-2008-5718 (new)
State Changed
From-To: open->closed

Committed. Thanks!