From 5dcdbea59d402b74ad898ba90ac87dea5bd4d5bb Mon Sep 17 00:00:00 2001
From: Eygene Ryabinkin
Date: Sun, 8 Mar 2009 21:30:00 +0300
Signed-off-by: Eygene Ryabinkin
---
 net/netatalk/Makefile | 2 +-
 net/netatalk/files/patch-CVE-2008-5718 | 164 ++++++++++++++++++++++++++++++++
 2 files changed, 165 insertions(+), 1 deletions(-)
 create mode 100644 net/netatalk/files/patch-CVE-2008-5718
diff --git a/net/netatalk/Makefile b/net/netatalk/Makefile
index bd6e365..3608c5b 100644
--- a/net/netatalk/Makefile
+++ b/net/netatalk/Makefile
@@ -7,7 +7,7 @@
 PORTNAME= netatalk
 PORTVERSION= 2.0.3
-PORTREVISION= 4
+PORTREVISION= 5
 PORTEPOCH= 1
 CATEGORIES= net print
 MASTER_SITES= ${MASTER_SITE_SOURCEFORGE}
diff --git a/net/netatalk/files/patch-CVE-2008-5718 b/net/netatalk/files/patch-CVE-2008-5718
new file mode 100644
index 0000000..9f9eb23
--- /dev/null
+++ b/net/netatalk/files/patch-CVE-2008-5718
@@ -0,0 +1,164 @@
+This is the patch for CVE-2008-5718,
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5718
+
+It consists of three upstream patches:
+ http://netatalk.cvs.sourceforge.net/viewvc/netatalk/netatalk/etc/papd/lp.c?r1=1.15&r2=1.16&view=patch
+ http://netatalk.cvs.sourceforge.net/viewvc/netatalk/netatalk/etc/papd/lp.c?r1=1.16&r2=1.17&view=patch
+ http://netatalk.cvs.sourceforge.net/viewvc/netatalk/netatalk/etc/papd/lp.c?r1=1.21&r2=1.22&view=patch
+
+First patch is needed only because there was an error in the code
+that prevents real fixes for CVE to work. The last patch was reverted
+in the upstream repository: I don't know why, but this is plain wrong
+to not include all these special characters into quotation. The strange
+thing is that upstream release 2.0.4-beta2 contains no last fix.
+
+If 2.0.4 won't contain the last patch, it should be added, because,
+for example, '(', ')' and '`', open the straight route to arbitrary
+code execution.
+
+--
+Eygene Ryabinkin, rea-fbsd at codelabs dot ru
+
+--- etc/papd/lp.c 2005/04/28 20:49:49 1.15
++++ etc/papd/lp.c 2008/08/14 20:02:47 1.16
+@@ -258,9 +258,9 @@
+ destlen -= len;
+ }
+
+- /* stuff up to next $ */
++ /* stuff up to next % */
+ src = p + 2;
+- p = strchr(src, '$');
++ p = strchr(src, '%');
+ len = p ?
MIN((size_t)(p - src), destlen) : destlen;
+ if (len > 0) {
+ strncpy(dest, src, len);
+
+--- etc/papd/lp.c 2008/08/14 20:02:47 1.16
++++ etc/papd/lp.c 2008/08/14 20:18:50 1.17
+@@ -212,10 +212,37 @@
+
+ #define is_var(a, b) (strncmp((a), (b), 2) == 0)
+
++static size_t quote(char *dest, char *src, const size_t bsize, size_t len)
++{
++size_t used = 0;
++
++ while (len && used < bsize ) {
++ switch (*src) {
++ case '$':
++ case '\\':
++ case '"':
++ case '`':
++ if (used + 2 > bsize )
++ return used;
++ *dest = '\\';
++ dest++;
++ used++;
++ break;
++ }
++ *dest = *src;
++ src++;
++ dest++;
++ len--;
++ used++;
++ }
++ return used;
++}
++
++
+ static char* pipexlate(char *src)
+ {
+ char *p, *q, *dest;
+- static char destbuf[MAXPATHLEN];
++ static char destbuf[MAXPATHLEN +1];
+ size_t destlen = MAXPATHLEN;
+ int len = 0;
+
+@@ -224,13 +251,15 @@
+ if (!src)
+ return NULL;
+
+- strncpy(dest, src, MAXPATHLEN);
+- if ((p = strchr(src, '%')) == NULL) /* nothing to do */
++ memset(dest, 0, MAXPATHLEN +1);
++ if ((p = strchr(src, '%')) == NULL) { /* nothing to do */
++ strncpy(dest, src, MAXPATHLEN);
+ return destbuf;
+-
+- /* first part of the path. just forward to the next variable. */
++ }
++ /* first part of the path. copy and forward to the next variable. */
+ len = MIN((size_t)(p - src), destlen);
+ if (len > 0) {
++ strncpy(dest, src, len);
+ destlen -= len;
+ dest += len;
+ }
+@@ -246,17 +275,20 @@
+ q = lp.lp_created_for;
+ } else if (is_var(p, "%%")) {
+ q = "%";
+- } else
+- q = p;
++ }
+
+ /* copy the stuff over. if we don't understand something that we
+ * should, just skip it over. */
+ if (q) {
+- len = MIN(p == q ?
2 : strlen(q), destlen);
++ len = MIN(strlen(q), destlen);
++ len = quote(dest, q, destlen, len);
++ }
++ else {
++ len = MIN(2, destlen);
+ strncpy(dest, q, len);
+- dest += len;
+- destlen -= len;
+ }
++ dest += len;
++ destlen -= len;
+
+ /* stuff up to next % */
+ src = p + 2;
+--- etc/papd/lp.c 2009/01/21 02:43:46 1.21
++++ etc/papd/lp.c 2009/01/28 18:03:15 1.22
+@@ -217,7 +217,26 @@
+ case '$':
+ case '\\':
+ case '"':
++ case ';':
++ case '&':
++ case '(':
++ case ')':
++ case ' ':
++ case '*':
++ case '#':
++ case '|':
++ case '>':
++ case '<':
++ case '[':
++ case ']':
++ case '{':
++ case '}':
++ case '^':
++ case '?':
++ case '~':
+ case '`':
++ case '\x0A':
++ case '\xFF':
+ if (used + 2 > bsize )
+ return used;
+ *dest = '\\';
+@@ -247,9 +266,9 @@
+ if (!src)
+ return NULL;
+
+- memset(dest, 0, MAXPATHLEN +1);
++ memset(dest, 0, sizeof(destbuf));
+ if ((p = strchr(src, '%')) == NULL) { /* nothing to do */
+- strncpy(dest, src, MAXPATHLEN);
++ strncpy(dest, src, sizeof(dest) - 1);
+ return destbuf;
+ }
+ /* first part of the path. copy and forward to the next variable. */
--
1.6.1.3
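Review bot: `strncpy(dest, src, sizeof(dest) - 1);` in the 1.22 hunk takes the size of a pointer, not of the buffer — `dest` is declared `char *p, *q, *dest;` in the 1.17 hunk — so a printcap path containing no `%` variable is truncated to 3 or 7 bytes, breaking every job that takes that path; the `memset` on the line above already uses `sizeof(destbuf)`, and this line should match it: `strncpy(dest, src, sizeof(destbuf) - 1);`. That truncation is a plausible reason upstream reverted 1.22, which the patch header says it could not explain, so it is worth fixing here rather than carrying the reverted hunk verbatim. The 1.22 escape list also still omits `'` and tab, so if pipexlate's result reaches the shell unquoted (its caller is not visible in this hunk) those remain quote-breaking and word-splitting vectors, whereas in a double-quoted context the four characters from 1.17 (`$`, `\`, `"`, `` ` ``) are already the complete set; confirm the quoting context before relying on the longer blocklist. Note too that `quote()` stops silently at `used + 2 > bsize`, so an expansion near MAXPATHLEN is truncated with no error returned to the caller. pipexlate begins and ends outside the hunk.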