FreeBSD Bugzilla – Attachment 94299 Details for
Bug 132427
[vuxml] [patch] net/netatlk: document and fix CVE-2008-5718
[patch]
fix-CVE-2008-5718.diff
fix-CVE-2008-5718.diff (text/plain), 5.76 KB, created by
Eygene Ryabinkin
on 2009-03-08 19:20:05 UTC
Description:
fix-CVE-2008-5718.diff
Creator:
Eygene Ryabinkin
Created:
2009-03-08 19:20:05 UTC
Size:
5.76 KB
>From 5dcdbea59d402b74ad898ba90ac87dea5bd4d5bb Mon Sep 17 00:00:00 2001
>From: Eygene Ryabinkin <rea-fbsd@codelabs.ru>
>Date: Sun, 8 Mar 2009 21:30:00 +0300
>
>Signed-off-by: Eygene Ryabinkin <rea-fbsd@codelabs.ru>
>---
> net/netatalk/Makefile | 2 +-
> net/netatalk/files/patch-CVE-2008-5718 | 164 ++++++++++++++++++++++++++++++++
> 2 files changed, 165 insertions(+), 1 deletions(-)
> create mode 100644 net/netatalk/files/patch-CVE-2008-5718
>
>diff --git a/net/netatalk/Makefile b/net/netatalk/Makefile
>index bd6e365..3608c5b 100644
>--- a/net/netatalk/Makefile
>+++ b/net/netatalk/Makefile
>@@ -7,7 +7,7 @@
>
> PORTNAME= netatalk
> PORTVERSION= 2.0.3
>-PORTREVISION= 4
>+PORTREVISION= 5
> PORTEPOCH= 1
> CATEGORIES= net print
> MASTER_SITES= ${MASTER_SITE_SOURCEFORGE}
>diff --git a/net/netatalk/files/patch-CVE-2008-5718 b/net/netatalk/files/patch-CVE-2008-5718
>new file mode 100644
>index 0000000..9f9eb23
>--- /dev/null
>+++ b/net/netatalk/files/patch-CVE-2008-5718
>@@ -0,0 +1,164 @@
>+This is the patch for CVE-2008-5718,
>+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5718
>+
>+It consists of three upstream patches:
>+ http://netatalk.cvs.sourceforge.net/viewvc/netatalk/netatalk/etc/papd/lp.c?r1=1.15&r2=1.16&view=patch
>+ http://netatalk.cvs.sourceforge.net/viewvc/netatalk/netatalk/etc/papd/lp.c?r1=1.16&r2=1.17&view=patch
>+ http://netatalk.cvs.sourceforge.net/viewvc/netatalk/netatalk/etc/papd/lp.c?r1=1.21&r2=1.22&view=patch
>+
>+First patch is needed only because there was an error in the code
>+that prevents real fixes for CVE to work. The last patch was reverted
>+in the upstream repository: I don't know why, but this is plain wrong
>+to not include all these special characters into quotation. The strange
>+thing is that upstream release 2.0.4-beta2 contains no last fix.
>+
>+If 2.0.4 won't contain the last patch, it should be added, because,
>+for example, '(', ')' and '`', open the straight route to arbitrary
>+code execution.
>+
>+--
>+Eygene Ryabinkin, rea-fbsd at codelabs dot ru
>+
>+--- etc/papd/lp.c 2005/04/28 20:49:49 1.15
>++++ etc/papd/lp.c 2008/08/14 20:02:47 1.16
>+@@ -258,9 +258,9 @@
>+ destlen -= len;
>+ }
>+
>+- /* stuff up to next $ */
>++ /* stuff up to next % */
>+ src = p + 2;
>+- p = strchr(src, '$');
>++ p = strchr(src, '%');
>+ len = p ? MIN((size_t)(p - src), destlen) : destlen;
>+ if (len > 0) {
>+ strncpy(dest, src, len);
>+
>+--- etc/papd/lp.c 2008/08/14 20:02:47 1.16
>++++ etc/papd/lp.c 2008/08/14 20:18:50 1.17
>+@@ -212,10 +212,37 @@
>+
>+ #define is_var(a, b) (strncmp((a), (b), 2) == 0)
>+
>++static size_t quote(char *dest, char *src, const size_t bsize, size_t len)
>++{
>++size_t used = 0;
>++
>++ while (len && used < bsize ) {
>++ switch (*src) {
>++ case '$':
>++ case '\\':
>++ case '"':
>++ case '`':
>++ if (used + 2 > bsize )
>++ return used;
>++ *dest = '\\';
>++ dest++;
>++ used++;
>++ break;
>++ }
>++ *dest = *src;
>++ src++;
>++ dest++;
>++ len--;
>++ used++;
>++ }
>++ return used;
>++}
>++
>++
>+ static char* pipexlate(char *src)
>+ {
>+ char *p, *q, *dest;
>+- static char destbuf[MAXPATHLEN];
>++ static char destbuf[MAXPATHLEN +1];
>+ size_t destlen = MAXPATHLEN;
>+ int len = 0;
>+
>+@@ -224,13 +251,15 @@
>+ if (!src)
>+ return NULL;
>+
>+- strncpy(dest, src, MAXPATHLEN);
>+- if ((p = strchr(src, '%')) == NULL) /* nothing to do */
>++ memset(dest, 0, MAXPATHLEN +1);
>++ if ((p = strchr(src, '%')) == NULL) { /* nothing to do */
>++ strncpy(dest, src, MAXPATHLEN);
>+ return destbuf;
>+-
>+- /* first part of the path. just forward to the next variable. */
>++ }
>++ /* first part of the path. copy and forward to the next variable. */
>+ len = MIN((size_t)(p - src), destlen);
>+ if (len > 0) {
>++ strncpy(dest, src, len);
>+ destlen -= len;
>+ dest += len;
>+ }
>+@@ -246,17 +275,20 @@
>+ q = lp.lp_created_for;
>+ } else if (is_var(p, "%%")) {
>+ q = "%";
>+- } else
>+- q = p;
>++ }
>+
>+ /* copy the stuff over. if we don't understand something that we
>+ * should, just skip it over. */
>+ if (q) {
>+- len = MIN(p == q ? 2 : strlen(q), destlen);
>++ len = MIN(strlen(q), destlen);
>++ len = quote(dest, q, destlen, len);
>++ }
>++ else {
>++ len = MIN(2, destlen);
>+ strncpy(dest, q, len);
>+- dest += len;
>+- destlen -= len;
>+ }
>++ dest += len;
>++ destlen -= len;
>+
>+ /* stuff up to next % */
>+ src = p + 2;
>+--- etc/papd/lp.c 2009/01/21 02:43:46 1.21
>++++ etc/papd/lp.c 2009/01/28 18:03:15 1.22
>+@@ -217,7 +217,26 @@
>+ case '$':
>+ case '\\':
>+ case '"':
>++ case ';':
>++ case '&':
>++ case '(':
>++ case ')':
>++ case ' ':
>++ case '*':
>++ case '#':
>++ case '|':
>++ case '>':
>++ case '<':
>++ case '[':
>++ case ']':
>++ case '{':
>++ case '}':
>++ case '^':
>++ case '?':
>++ case '~':
>+ case '`':
>++ case '\x0A':
>++ case '\xFF':
>+ if (used + 2 > bsize )
>+ return used;
>+ *dest = '\\';
>+@@ -247,9 +266,9 @@
>+ if (!src)
>+ return NULL;
>+
>+- memset(dest, 0, MAXPATHLEN +1);
>++ memset(dest, 0, sizeof(destbuf));
>+ if ((p = strchr(src, '%')) == NULL) { /* nothing to do */
>+- strncpy(dest, src, MAXPATHLEN);
>++ strncpy(dest, src, sizeof(dest) - 1);
>+ return destbuf;
>+ }
>+ /* first part of the path. copy and forward to the next variable. */
>--
>1.6.1.3
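Review bot: In the last lp.c hunk (1.21 to 1.22) the new line `strncpy(dest, src, sizeof(dest) - 1);` measures the `char *dest` pointer rather than the buffer, so a command string without `%` is truncated to a few bytes; it should be `strncpy(dest, src, sizeof(destbuf) - 1);`. In the 1.16 to 1.17 hunk the `else` of `if (q)` is reached only when `q` is NULL (presumably the unrecognised-variable case) and still calls `strncpy(dest, q, len);` with `len` up to 2, which reads through a null pointer; `strncpy(dest, p, len);` would keep the earlier pass-through behaviour. quote() is a deny-list, and the single quote and tab are not in it, so escaping every byte outside a small set of known-safe characters would be easier to audit. pipexlate() begins and ends outside these hunks, so how `q` is initialised and how the returned string is used cannot be confirmed from here.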