Bug 132427 - [vuxml] [patch] net/netatlk: document and fix CVE-2008-5718
[vuxml] [patch] net/netatlk: document and fix CVE-2008-5718
Status: Closed FIXED
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Latest
Any Any
: Normal Affects Only Me
Assigned To: Martin Wilke
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2009-03-08 19:20 UTC by rea-fbsd
Modified: 2009-03-18 16:40 UTC (History)
0 users

See Also:


Attachments
fix-CVE-2008-5718.diff (5.76 KB, patch)
2009-03-08 19:20 UTC, rea-fbsd
no flags Details | Diff
2.0.3-add-missing-spool-dirrmtry.diff (891 bytes, patch)
2009-03-08 19:20 UTC, rea-fbsd
no flags Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description rea-fbsd 2009-03-08 19:20:05 UTC
There is an arbitrary code execution in papd daemon from netatalk:
(mainly) malicious PostScript files can inject shell commands if papd is
configured to make variable substitution during filtering incoming
PostScript content.

Fix: The following patch combines 3 upstream hunks that should fix
the vulnerability.  I had tested only patch's compilability and
inspected patch logics -- looks sane.  Pay attention that the
third hunk was reverted in the CVS repository for netatalk for
an unknown reason.  But the patch should be present, otherwise
command injection will still be possible.

The following VuXML entry should be evaluated and added.
  <vuln vid="3604780c-0c0f-11de-b26a-001fc66e7203">
    <topic>netatalk -- arbitrary command execution in papd daemon</topic>
    <affects>
      <package>
        <name>netatalk</name>
        <range><lt>2.0.3_5,1</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
        <p>Secunia reports:</p>
        <blockquote
          cite="http://secunia.com/advisories/33227">
          <p>A vulnerability has been reported in Netatalk, which
          potentially can be exploited by malicious users to compromise
          a vulnerable system.</p>
          <p>The vulnerability is caused due to the papd daemon
          improperly sanitising several received parameters before
          passing them in a call to "popen()". This can be exploited to
          execute arbitrary commands via a specially crafted printing
          request.</p>
          <p>Successful exploitation requires that a printer is
          configured to pass arbitrary values as parameters to a piped
          command.</p>
        </blockquote>
      </body>
    </description>
    <references>
      <cvename>CVE-2008-5718</cvename>
      <bid>32925</bid>
      <url>http://www.openwall.com/lists/oss-security/2009/01/13/3</url>
    </references>
    <dates>
      <discovery>2009-01-15</discovery>
      <entry>TODAY</entry>
    </dates>
  </vuln>
--- vuln.xml ends here ---

While I am here, I want to add a simple patch that removes spool
directories for CUPS interface that are created if CUPS is installed in
the system when one builds the netatalk port and thus CUPS support is
activated by the configure script.
How-To-Repeat: 
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5718
http://www.openwall.com/lists/oss-security/2009/01/13/3
Comment 1 Martin Wilke freebsd_committer 2009-03-08 20:49:17 UTC
Responsible Changed
From-To: freebsd-ports-bugs->miwi

I'll take it.
Comment 2 dfilter freebsd_committer 2009-03-18 15:05:13 UTC
miwi        2009-03-18 15:05:04 UTC

  FreeBSD ports repository

  Modified files:
    security/vuxml       vuln.xml 
  Log:
  - Document netatalk -- arbitrary command execution in papd daemon
  
  PR:             based on 132427
  Submitted by:   Eygene Ryabinkin <rea-fbsd@codelabs.ru>
  
  Revision  Changes    Path
  1.1890    +34 -1     ports/security/vuxml/vuln.xml
_______________________________________________
cvs-all@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/cvs-all
To unsubscribe, send any mail to "cvs-all-unsubscribe@freebsd.org"
Comment 3 dfilter freebsd_committer 2009-03-18 16:39:15 UTC
miwi        2009-03-18 16:39:04 UTC

  FreeBSD ports repository

  Modified files:
    net/netatalk         Makefile 
  Added files:
    net/netatalk/files   patch-CVE-2008-5718 
  Log:
  - Fix CVE-2008-5718
  
  PR:             132427
  Submitted by:   Eygene Ryabinkin <rea-fbsd@codelabs.ru>
  Approved by:    marcus (maintainer)
  Security:       http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5718
                  http://www.openwall.com/lists/oss-security/2009/01/13/3
  
  Revision  Changes    Path
  1.78      +1 -1      ports/net/netatalk/Makefile
  1.1       +143 -0    ports/net/netatalk/files/patch-CVE-2008-5718 (new)
_______________________________________________
cvs-all@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/cvs-all
To unsubscribe, send any mail to "cvs-all-unsubscribe@freebsd.org"
Comment 4 Martin Wilke freebsd_committer 2009-03-18 16:39:16 UTC
State Changed
From-To: open->closed

Committed. Thanks!