Bug 252210 (CVE-2008-5718) - <net-fs/netatalk-2.0.5-r1: Command Injection (CVE-2008-5718)
Summary: <net-fs/netatalk-2.0.5-r1: Command Injection (CVE-2008-5718)
Status: RESOLVED FIXED
Alias: CVE-2008-5718
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High minor
Assignee: Gentoo Security
URL: http://secunia.com/Advisories/33227/
Whiteboard: C3 [noglsa]
Depends on: 300218
Reported: 2008-12-22 21:16 UTC by Bruno Buss
Modified: 2011-01-02 19:22 UTC


Attachments
netatalk-2.0.4-CVE-2008-5718.patch (netatalk-2.0.4-CVE-2008-5718.patch,4.33 KB, patch)
2009-08-09 15:48 UTC, Robert Buchholz (RETIRED)

Description Bruno Buss 2008-12-22 21:16:20 UTC
Description:
"A vulnerability has been reported in Netatalk, which potentially can be exploited by malicious users to compromise a vulnerable system.

The vulnerability is caused due to the papd daemon improperly sanitising several received parameters before passing them in a call to "popen()". This can be exploited to execute arbitrary commands via a specially crafted printing request.

Successful exploitation requires that a printer is configured to pass arbitrary values as parameters to a piped command.

The vulnerability is reported in versions prior to 2.0.4-beta2."
Comment 1 Robert Buchholz (RETIRED) gentoo-dev 2008-12-23 12:32:41 UTC
Bruno, feel free to cc maintainers on security bugs you forward from trusted sources (secunia, CVE).
Comment 2 Bruno Buss 2008-12-27 14:05:01 UTC
CVE-2008-5718 (http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-5718):
"The papd daemon in Netatalk before 2.0.4-beta2 allows remote attackers to execute arbitrary commands via shell metacharacters in a print request. NOTE: some of these details are obtained from third party information."
Comment 3 Diego Elio Pettenò (RETIRED) gentoo-dev 2008-12-28 22:24:32 UTC
Uh I haven't maintained this in such a long time; I guess I should get back on it?
Comment 4 Bruno Buss 2008-12-28 22:31:32 UTC
(In reply to comment #3)
> Uh I haven't maintained this in such a long time; I guess I should get back on
> it?

Well, it's up to you Diego :P
But if you don't want to, then the package is orphaned and I think we should mask it, as it's vulnerable. Maybe send it to the treecleaners if no one uses it anymore...
Comment 5 Robert Buchholz (RETIRED) gentoo-dev 2009-01-28 22:32:38 UTC
Nico Golde informed us that the patch is incomplete; a more complete patch can be found at http://people.debian.org/~nion/213_CVE-2008-5718.patch and in the CVS. Upstream plans another beta incorporating this patch.
Comment 6 Robert Buchholz (RETIRED) gentoo-dev 2009-08-09 15:48:25 UTC
Created attachment 200691
netatalk-2.0.4-CVE-2008-5718.patch

Upstream has removed all variable expansion in printer names as a fix for this vulnerability. This patch is from the netatalk-2 branch and applies to the 2.0.4 release cleanly.
It needs some cleaning for the 2.0.3 release though, please bump and apply.
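Added example, not taken from the netatalk source or the attached patch: a minimal C sketch of the bug class described in this report, where a request-supplied value is expanded into a command string destined for `popen()`, next to an allowlist check that refuses the job instead. The `%U` placeholder, the `lpr -U %U` template, the function names and the sample value are all constructed for illustration; per comment 6, upstream chose the stricter fix of removing variable expansion altogether.

```c
#include <stdio.h>
#include <string.h>

/* Unsafe pattern: replace the first "%U" (hypothetical placeholder) in tmpl
 * with val, unchanged. Returns 0 on success, -1 if out is too small. */
static int build_cmd_unsafe(const char *tmpl, const char *val, char *out, size_t outsz)
{
    const char *p = strstr(tmpl, "%U");
    int n;

    if (p == NULL)
        n = snprintf(out, outsz, "%s", tmpl);
    else
        n = snprintf(out, outsz, "%.*s%s%s", (int)(p - tmpl), tmpl, val, p + 2);
    return (n >= 0 && (size_t)n < outsz) ? 0 : -1;
}

/* Allowlist check: non-empty, only [A-Za-z0-9._-], no leading '-'
 * (a leading '-' would be parsed as an option by the piped program). */
static int param_is_safe(const char *val)
{
    static const char ok[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
                             "abcdefghijklmnopqrstuvwxyz0123456789._-";
    if (val[0] == '\0' || val[0] == '-')
        return 0;
    return val[strspn(val, ok)] == '\0';
}

/* Checked pattern: refuse the job unless the value passes the allowlist. */
static int build_cmd_checked(const char *tmpl, const char *val, char *out, size_t outsz)
{
    return param_is_safe(val) ? build_cmd_unsafe(tmpl, val, out, outsz) : -1;
}

int main(void)
{
    char cmd[128];
    const char *tmpl = "lpr -U %U";            /* constructed pipe command */
    const char *val = "guest; echo injected";  /* constructed request value */

    if (build_cmd_unsafe(tmpl, val, cmd, sizeof cmd) == 0)
        printf("unsafe:  popen() would run: %s\n", cmd);
    if (build_cmd_checked(tmpl, val, cmd, sizeof cmd) != 0)
        printf("checked: value rejected, popen() is never called\n");
    return 0;
}
```

Where the piped program can be started without a shell, passing the value as a separate `argv` element to `execv()` avoids shell parsing entirely.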
Comment 7 SpanKY gentoo-dev 2010-01-10 23:10:11 UTC
netatalk-2.0.5 is in the tree
Comment 8 Alex Legler (RETIRED) archtester gentoo-dev Security 2010-03-05 13:21:23 UTC
Arches, please test and mark stable:
=net-fs/netatalk-2.0.5-r1
Target keywords : "amd64 arm ppc ppc64 sh sparc x86"
Comment 9 Christian Faulhammer (RETIRED) gentoo-dev 2010-03-05 13:56:34 UTC
x86 stable
Comment 10 Markus Meier gentoo-dev 2010-03-06 13:52:04 UTC
amd64/arm stable
Comment 11 Brent Baude (RETIRED) gentoo-dev 2010-03-08 16:57:51 UTC
ppc64 done
Comment 12 Joe Jezak (RETIRED) gentoo-dev 2010-03-09 21:47:42 UTC
Marked ppc stable.
Comment 13 Raúl Porcel (RETIRED) gentoo-dev 2010-04-01 17:18:50 UTC
sh/sparc stable
Comment 14 SpanKY gentoo-dev 2010-05-08 17:26:24 UTC
all arches are done ... ready for glsa
Comment 15 Tim Sammut (RETIRED) gentoo-dev 2010-11-19 19:00:25 UTC
GLSA Vote: no.
Comment 16 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2011-01-02 19:05:45 UTC
GLSA Vote: no.
Comment 17 Tim Sammut (RETIRED) gentoo-dev 2011-01-02 19:22:56 UTC
Closing noglsa with two No votes.