Summary: | <net-fs/netatalk-2.0.5-r1: Command Injection (CVE-2008-5718)
---|---
Product: | Gentoo Security
Reporter: | Bruno Buss <bruno.buss>
Component: | Vulnerabilities
Assignee: | Gentoo Security <security>
Status: | RESOLVED FIXED
Severity: | minor
CC: | esigra, flameeyes, net-fs
Priority: | High
Version: | unspecified
Hardware: | All
OS: | Linux
URL: | http://secunia.com/Advisories/33227/
Whiteboard: | C3 [noglsa]
Package list: |
Runtime testing required: | ---
Bug Depends on: | 300218
Bug Blocks: |
Attachments: |

Description
Bruno Buss
2008-12-22 21:16:20 UTC
Bruno, feel free to cc maintainers on security bugs you forward from trusted sources (secunia, CVE).

CVE-2008-5718 (http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-5718): "The papd daemon in Netatalk before 2.0.4-beta2 allows remote attackers to execute arbitrary commands via shell metacharacters in a print request. NOTE: some of these details are obtained from third party information."

Uh I haven't maintained this in such a long time; I guess I should get back on it?

(In reply to comment #3)
> Uh I haven't maintained this in such a long time; I guess I should get back on
> it?

Well, it's up to you Diego :P But if you don't want, then the package is orphaned and I think we should mask it, as it's vulnerable. Maybe send to the treecleaners if no one uses it anymore...

Nico Golde informed us that the patch is incomplete; a more complete patch can be found on http://people.debian.org/~nion/213_CVE-2008-5718.patch and in the CVS. Upstream plans for another beta incorporating this patch.

Created attachment 200691
netatalk-2.0.4-CVE-2008-5718.patch
Upstream has removed all variable expansion in printer names as a fix for this vulnerability. This patch is from the netatalk-2 branch and applies to the 2.0.4 release cleanly.
It needs some cleaning for the 2.0.3 release though, please bump and apply.

netatalk-2.0.5 is in the tree

Arches, please test and mark stable:
=net-fs/netatalk-2.0.5-r1
Target keywords : "amd64 arm ppc ppc64 sh sparc x86"

x86 stable

amd64/arm stable

ppc64 done

Marked ppc stable.

sh/sparc stable

all arches are done ... ready for glsa

GLSA Vote: no.

GLSA Vote: no.

Closing noglsa with two No votes.