
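--- a/net/netatalk/Makefile
+++ b/net/netatalk/Makefile
@@ -7,7 +7,7 @@
 
 PORTNAME=	netatalk
 PORTVERSION=	2.0.3
-PORTREVISION=	4
+PORTREVISION=	5
 PORTEPOCH=	1
 CATEGORIES=	net print
 MASTER_SITES=	${MASTER_SITE_SOURCEFORGE}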
(-)b/net/netatalk/files/patch-CVE-2008-5718 (-1 / +164 lines)
Added Link Here
0
- 
1
This is the patch for CVE-2008-5718,
2
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5718
3
4
It consists of three upstream patches:
5
  http://netatalk.cvs.sourceforge.net/viewvc/netatalk/netatalk/etc/papd/lp.c?r1=1.15&r2=1.16&view=patch
6
  http://netatalk.cvs.sourceforge.net/viewvc/netatalk/netatalk/etc/papd/lp.c?r1=1.16&r2=1.17&view=patch
7
  http://netatalk.cvs.sourceforge.net/viewvc/netatalk/netatalk/etc/papd/lp.c?r1=1.21&r2=1.22&view=patch
8
9
First patch is needed only because there was an error in the code
10
that prevents real fixes for CVE to work.  The last patch was reverted
11
in the upstream repository: I don't know why, but this is plain wrong
12
to not include all these special characters into quotation.  The strange
13
thing is that upstream release 2.0.4-beta2 contains no last fix.
14
15
If 2.0.4 won't contain the last patch, it should be added, because,
16
for example, '(', ')' and '`', open the straight route to arbitrary
17
code execution.
18
19
-- 
20
Eygene Ryabinkin, rea-fbsd at codelabs dot ru
21
22
--- etc/papd/lp.c	2005/04/28 20:49:49	1.15
23
+++ etc/papd/lp.c	2008/08/14 20:02:47	1.16
24
@@ -258,9 +258,9 @@
25
             destlen -= len;
26
         }
27
 
28
-        /* stuff up to next $ */
29
+        /* stuff up to next % */
30
         src = p + 2;
31
-        p = strchr(src, '$');
32
+        p = strchr(src, '%');
33
         len = p ? MIN((size_t)(p - src), destlen) : destlen;
34
         if (len > 0) {
35
             strncpy(dest, src, len);
36
37
--- etc/papd/lp.c	2008/08/14 20:02:47	1.16
38
+++ etc/papd/lp.c	2008/08/14 20:18:50	1.17
39
@@ -212,10 +212,37 @@
40
 
41
 #define is_var(a, b) (strncmp((a), (b), 2) == 0)
42
 
43
+static size_t quote(char *dest, char *src, const size_t bsize, size_t len)
44
+{
45
+size_t used = 0;
46
+
47
+    while (len && used < bsize ) {
48
+        switch (*src) {
49
+          case '$':
50
+          case '\\':
51
+          case '"':
52
+          case '`':
53
+            if (used + 2 > bsize )
54
+              return used;
55
+            *dest = '\\';
56
+            dest++;
57
+            used++;
58
+            break;
59
+        }
60
+        *dest = *src;
61
+        src++;
62
+        dest++;
63
+        len--;
64
+        used++;
65
+    }
66
+    return used;
67
+}
68
+
69
+
70
 static char* pipexlate(char *src)
71
 {
72
     char *p, *q, *dest; 
73
-    static char destbuf[MAXPATHLEN];
74
+    static char destbuf[MAXPATHLEN +1];
75
     size_t destlen = MAXPATHLEN;
76
     int len = 0;
77
    
78
@@ -224,13 +251,15 @@
79
     if (!src)
80
 	return NULL;
81
 
82
-    strncpy(dest, src, MAXPATHLEN);
83
-    if ((p = strchr(src, '%')) == NULL) /* nothing to do */
84
+    memset(dest, 0, MAXPATHLEN +1);
85
+    if ((p = strchr(src, '%')) == NULL) { /* nothing to do */
86
+        strncpy(dest, src, MAXPATHLEN);
87
         return destbuf;
88
-
89
-    /* first part of the path. just forward to the next variable. */
90
+    }
91
+    /* first part of the path. copy and forward to the next variable. */
92
     len = MIN((size_t)(p - src), destlen);
93
     if (len > 0) {
94
+        strncpy(dest, src, len);
95
         destlen -= len;
96
         dest += len;
97
     }
98
@@ -246,17 +275,20 @@
99
             q =  lp.lp_created_for;
100
         } else if (is_var(p, "%%")) {
101
             q = "%";
102
-        } else
103
-            q = p;
104
+        } 
105
 
106
         /* copy the stuff over. if we don't understand something that we
107
          * should, just skip it over. */
108
         if (q) {
109
-            len = MIN(p == q ? 2 : strlen(q), destlen);
110
+            len = MIN(strlen(q), destlen);
111
+            len = quote(dest, q, destlen, len);
112
+        }
113
+        else {
114
+            len = MIN(2, destlen);
115
             strncpy(dest, q, len);
116
-            dest += len;
117
-            destlen -= len;
118
         }
119
+        dest += len;
120
+        destlen -= len;
121
 
122
         /* stuff up to next % */
123
         src = p + 2;
124
--- etc/papd/lp.c	2009/01/21 02:43:46	1.21
125
+++ etc/papd/lp.c	2009/01/28 18:03:15	1.22
126
@@ -217,7 +217,26 @@
127
           case '$':
128
           case '\\':
129
           case '"':
130
+          case ';':
131
+          case '&':
132
+          case '(':
133
+          case ')':
134
+          case ' ':
135
+          case '*':
136
+          case '#':
137
+          case '|':
138
+          case '>':
139
+          case '<':
140
+          case '[':
141
+          case ']':
142
+          case '{':
143
+          case '}':
144
+          case '^':
145
+          case '?':
146
+          case '~':
147
           case '`':
148
+          case '\x0A':
149
+          case '\xFF':
150
             if (used + 2 > bsize )
151
               return used;
152
             *dest = '\\';
153
@@ -247,9 +266,9 @@
154
     if (!src)
155
 	return NULL;
156
 
157
-    memset(dest, 0, MAXPATHLEN +1);
158
+    memset(dest, 0, sizeof(destbuf));
159
     if ((p = strchr(src, '%')) == NULL) { /* nothing to do */
160
-        strncpy(dest, src, MAXPATHLEN);
161
+        strncpy(dest, src, sizeof(dest) - 1);
162
         return destbuf;
163
     }
164
     /* first part of the path. copy and forward to the next variable. */
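Review bot: `strncpy(dest, src, sizeof(dest) - 1);` in the 1.21→1.22 hunk bounds the copy by the size of the pointer `dest` (declared `char *p, *q, *dest;` in the 1.17 hunk), not by the size of `destbuf`, so every printer path that contains no `%` variable is silently truncated to 3 or 7 bytes; the line should read `strncpy(dest, src, sizeof(destbuf) - 1);`, matching the `memset(dest, 0, sizeof(destbuf));` just above it. In the 1.16→1.17 hunk the `else q = p;` fallback is removed, yet the new else branch still does `strncpy(dest, q, len);`, so an unrecognised `%X` copies from a `q` that is either NULL or stale from an earlier iteration, depending on how the loop header above the hunk initialises it; copying the two bytes of `p` (`strncpy(dest, p, len);`) is what the "just skip it over" comment describes. Both hunks cut through pipexlate, whose loop header and tail are outside this file. The header text says the 1.22 change was reverted upstream for unknown reasons; the `sizeof(dest)` truncation it introduces is a plausible cause and worth confirming before re-applying that hunk locally.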
