From fd6a1699073b82d12750f6a7f1a6661243ec1796 Mon Sep 17 00:00:00 2001
From: franklahm
Date: Mon, 20 Jul 2009 09:03:54 +0000
Subject: [PATCH] Remove variable expansion for BSD printers. Fixes CVE-2008-5718.
---
 NEWS | 5 +++++
 VERSION | 2 +-
 etc/papd/lp.c | 6 +++---
 man/man5/papd.conf.5.tmpl | 25 ++++++------------------
 4 files changed, 15 insertions(+), 23 deletions(-)
diff --git a/NEWS b/NEWS
index f3565dc..a43fbf7 100644
--- a/NEWS
+++ b/NEWS
@@ -1,3 +1,8 @@
+Changes in 2.0.5
+================
+
+* FIX: papd: Remove variable expansion for BSD printers. Fixes CVE-2008-5718.
+
 Changes in 2.0.4
 ================
diff --git a/VERSION b/VERSION
index 2165f8f..4e99edd 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-2.0.4
+2.0.5dev
diff --git a/etc/papd/lp.c b/etc/papd/lp.c
index 4b36dd6..e3a149b 100644
--- a/etc/papd/lp.c
+++ b/etc/papd/lp.c
@@ -1,5 +1,5 @@
 /*
- * $Id: lp.c,v 1.14.8.4.2.8 2009/02/04 22:33:11 didg Exp $
+ * $Id: lp.c,v 1.14.8.4.2.9 2009/07/20 09:03:54 franklahm Exp $
  *
  * Copyright (c) 1990,1994 Regents of The University of Michigan.
  * All Rights Reserved. See COPYRIGHT.
@@ -586,9 +586,9 @@ int lp_open( out, sat )
     }
     lp_setup_comments(CH_UNIX);
-    pipe_cmd = pipexlate(printer->p_printer);
+    pipe_cmd = printer->p_printer;
     if (!pipe_cmd) {
-        LOG(log_error, logtype_papd, "lp_open: can't generate pipe cmd" );
+        LOG(log_error, logtype_papd, "lp_open: no pipe cmd" );
         spoolerror( out, NULL );
         return( -1 );
     }
diff --git a/man/man5/papd.conf.5.tmpl b/man/man5/papd.conf.5.tmpl
index d707eaa..b282537 100644
--- a/man/man5/papd.conf.5.tmpl
+++ b/man/man5/papd.conf.5.tmpl
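Review bot: `pipe_cmd = printer->p_printer;` makes the pipe command an alias of the configured printer string, whereas the removed pipexlate() call presumably handed back a separate buffer; if the remainder of lp_open (the function continues past the hunk) frees, truncates or tokenises pipe_cmd, that write now lands on the configuration entry itself, so that path should be checked. The deliberate verbatim use deserves a comment at the assignment, e.g. `/* p_printer is passed to the pipe unexpanded: %U/%J/%F substitution was removed (CVE-2008-5718) */`, since the man-page hunks delete the only description of the old behaviour. The surviving `if (!pipe_cmd)` guard still makes sense for an unset pr= entry, and the new message `"lp_open: no pipe cmd"` is accurate for that case. Separately, the replacement man-page line `\fBpr=|/usr/bin/lpr)\&.` lost the closing `\fR` that the original had, so the bold font now runs into the following text.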
@@ -43,7 +43,7 @@ printername may be just a name (\fBPrinter 1\fR), or it may be a full name in nb
 Systems using a BSD printing system should make use of a pipe to the printing command in question within the
 \fBpr\fR
 option (eg\&.
-\fBpr=|/usr/bin/lpr \-J%J \-u%U\fR)\&. Note: When printing using a pipe, papd recognizes several wildcards: %F will be replaced by the name present in the "%%For:" comment in the PostScript stream, same with %J for the "%%Title:" comment\&. %U will be substituted with the login name (the latter applies only when authenticated printing is in effect)\&.
+\fBpr=|/usr/bin/lpr)\&.
 .PP
 When CUPS support is compiled in, then
 \fBcupsautoadd \fR
@@ -148,39 +148,26 @@ HP Printer:\e
 .\}
 .PP
-An alternative to the technique outlined above is to direct papd\'s output via a pipe into another program\&. Using this mechanism almost all printing systems can be driven\&. Netatalk supplies three "wildcards" that get substituted with values of the already printed job:
-\fB%F\fR,
-\fB%U\fR
-and
-\fB%J\fR\&. Using these wildcards, one can pass those parameters directly to programs or implement small wrapper scripts to call the printing system in question\&.
+An alternative to the technique outlined above is to direct papd\'s output via a pipe into another program\&. Using this mechanism almost all printing systems can be driven\&.
 .PP
 \fBExample.\ \&papd.conf examples using pipes\fR
 .PP
 The first spooler is known as HP 8100\&. It pipes the print job to
 \fB/usr/bin/lpr\fR
-for printing using the value of the
-\fI%%Title: \fR
-comment as job name\&. PSSP authenticated printing is enabled, as is CAP\-style authenticated printing\&. Both methods support guest and cleartext authentication as specified by the \'\fBam\fR\' option\&. The PPD used is
-/etc/atalk/ppds/hp8100\&.ppd\&. The second spooler is called "Dump PostScript" and uses a pipe to
-\fBcat\fR
-to send the raw PostScript code into the user\'s home directory into a file called like the printjob\&.
+for printing.
+PSSP authenticated printing is enabled, as is CAP\-style authenticated printing\&. Both methods support guest and cleartext authentication as specified by the \'\fBam\fR\' option\&. The PPD used is
+/etc/atalk/ppds/hp8100\&.ppd\&.
 .sp
 .if n \{\
 .RS 4
 .\}
 .nf
 HP 8100:\e
-    :pr=|/usr/bin/lpr \-Plp \-J"%J":\e
+    :pr=|/usr/bin/lpr \-Plp:\e
     :sp:\e
     :ca=/tmp/print:\e
     :am=uams_guest\&.so,uams_pam\&.so:\e
     :pd=/etc/atalk/ppds/hp8100\&.ppd:
-
-Dump PostScript:LaserWriter@Server:\e
-    :pr=|cat >/home/%U/%J\-prn\&.out:\e
-    :pd=/usr/share/lib/ppd/mooralana\&.ppd:\e
-    :sp:au:op=lp:\e
-    :am=uams_clrtxt\&.so:
 .fi
 .if n \{\
 .RE
-- 
1.6.3.3