ports/132427: [vuxml] [patch] net/netatalk: document and fix CVE-2008-5718

Eygene Ryabinkin rea-fbsd at codelabs.ru
Sun Mar 8 19:20:06 UTC 2009


>Number:         132427
>Category:       ports
>Synopsis:       [vuxml] [patch] net/netatalk: document and fix CVE-2008-5718
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sun Mar 08 19:20:05 UTC 2009
>Closed-Date:
>Last-Modified:
>Originator:     Eygene Ryabinkin
>Release:        FreeBSD 7.1-STABLE amd64
>Organization:
Code Labs
>Environment:

System: FreeBSD 7.1-STABLE amd64

>Description:

There is an arbitrary code execution vulnerability in the papd daemon from
netatalk: (mainly) malicious PostScript files can inject shell commands if
papd is configured to perform variable substitution while filtering incoming
PostScript content.

>How-To-Repeat:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5718
http://www.openwall.com/lists/oss-security/2009/01/13/3

>Fix:

The following patch combines 3 upstream hunks that should fix
the vulnerability.  I have only tested that the patch compiles and
inspected the patch's logic -- it looks sane.  Note that the
third hunk was reverted in the netatalk CVS repository for
an unknown reason.  But that hunk should be present; otherwise
command injection will still be possible.

--- fix-CVE-2008-5718.diff begins here ---
From 5dcdbea59d402b74ad898ba90ac87dea5bd4d5bb Mon Sep 17 00:00:00 2001
From: Eygene Ryabinkin <rea-fbsd at codelabs.ru>
Date: Sun, 8 Mar 2009 21:30:00 +0300

Signed-off-by: Eygene Ryabinkin <rea-fbsd at codelabs.ru>
---
 net/netatalk/Makefile                  |    2 +-
 net/netatalk/files/patch-CVE-2008-5718 |  164 ++++++++++++++++++++++++++++++++
 2 files changed, 165 insertions(+), 1 deletions(-)
 create mode 100644 net/netatalk/files/patch-CVE-2008-5718

diff --git a/net/netatalk/Makefile b/net/netatalk/Makefile
index bd6e365..3608c5b 100644
--- a/net/netatalk/Makefile
+++ b/net/netatalk/Makefile
@@ -7,7 +7,7 @@
 
 PORTNAME=	netatalk
 PORTVERSION=	2.0.3
-PORTREVISION=	4
+PORTREVISION=	5
 PORTEPOCH=	1
 CATEGORIES=	net print
 MASTER_SITES=	${MASTER_SITE_SOURCEFORGE}
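Review bot: the PORTREVISION bump 4 -> 5 is what the proposed VuXML range keys on (`<lt>2.0.3_5,1</lt>`, with PORTEPOCH 1 giving the `,1` suffix), so this hunk and the VuXML entry must be committed together; a revision bump without the entry, or the reverse, leaves installed 2.0.3_4 packages either unflagged or mis-flagged by portaudit.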
diff --git a/net/netatalk/files/patch-CVE-2008-5718 b/net/netatalk/files/patch-CVE-2008-5718
new file mode 100644
index 0000000..9f9eb23
--- /dev/null
+++ b/net/netatalk/files/patch-CVE-2008-5718
@@ -0,0 +1,164 @@
+This is the patch for CVE-2008-5718,
+  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5718
+
+It consists of three upstream patches:
+  http://netatalk.cvs.sourceforge.net/viewvc/netatalk/netatalk/etc/papd/lp.c?r1=1.15&r2=1.16&view=patch
+  http://netatalk.cvs.sourceforge.net/viewvc/netatalk/netatalk/etc/papd/lp.c?r1=1.16&r2=1.17&view=patch
+  http://netatalk.cvs.sourceforge.net/viewvc/netatalk/netatalk/etc/papd/lp.c?r1=1.21&r2=1.22&view=patch
+
+First patch is needed only because there was an error in the code
+that prevents real fixes for CVE to work.  The last patch was reverted
+in the upstream repository: I don't know why, but this is plain wrong
+to not include all these special characters into quotation.  The strange
+thing is that upstream release 2.0.4-beta2 contains no last fix.
+
+If 2.0.4 won't contain the last patch, it should be added, because,
+for example, '(', ')' and '`', open the straight route to arbitrary
+code execution.
+
+-- 
+Eygene Ryabinkin, rea-fbsd at codelabs dot ru
+
+--- etc/papd/lp.c	2005/04/28 20:49:49	1.15
++++ etc/papd/lp.c	2008/08/14 20:02:47	1.16
+@@ -258,9 +258,9 @@
+             destlen -= len;
+         }
+ 
+-        /* stuff up to next $ */
++        /* stuff up to next % */
+         src = p + 2;
+-        p = strchr(src, '$');
++        p = strchr(src, '%');
+         len = p ? MIN((size_t)(p - src), destlen) : destlen;
+         if (len > 0) {
+             strncpy(dest, src, len);
+
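Review bot: the strchr(src, '$') -> strchr(src, '%') change in this hunk is load-bearing for the quote() hunks that follow, not a cosmetic fix: the variable prefix is '%' (compare is_var(p, "%%") below), so with '$' the loop never located a second variable and everything after the first substitution was copied raw, which would have bypassed quote() for every %-variable but the first. The port's patch header says only that there was "an error in the code"; it should say this so the next person does not drop the hunk as unrelated.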
+--- etc/papd/lp.c	2008/08/14 20:02:47	1.16
++++ etc/papd/lp.c	2008/08/14 20:18:50	1.17
+@@ -212,10 +212,37 @@
+ 
+ #define is_var(a, b) (strncmp((a), (b), 2) == 0)
+ 
++static size_t quote(char *dest, char *src, const size_t bsize, size_t len)
++{
++size_t used = 0;
++
++    while (len && used < bsize ) {
++        switch (*src) {
++          case '$':
++          case '\\':
++          case '"':
++          case '`':
++            if (used + 2 > bsize )
++              return used;
++            *dest = '\\';
++            dest++;
++            used++;
++            break;
++        }
++        *dest = *src;
++        src++;
++        dest++;
++        len--;
++        used++;
++    }
++    return used;
++}
++
++
+ static char* pipexlate(char *src)
+ {
+     char *p, *q, *dest; 
+-    static char destbuf[MAXPATHLEN];
++    static char destbuf[MAXPATHLEN +1];
+     size_t destlen = MAXPATHLEN;
+     int len = 0;
+    
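Review bot: the escape set in this quote() (`$`, `\`, `"`, `` ` ``) is exactly the set of characters that stay special inside a double-quoted sh word, so it only neutralises the job fields if papd.conf wraps the variable in double quotes (e.g. `"%U"`); with a bare `%U` in the pipe command, `;`, `|`, `&`, space and the rest pass through untouched and still split the popen() command line. The header comment for the port patch should say which of the two contexts this hunk protects. Two smaller points: `int len = 0;` in pipexlate() receives size_t from both MIN() and quote(), so `len` should be size_t; and quote() never writes a terminator, relying on the caller's memset() and the extra byte in destbuf, which deserves a comment above the function since nothing in its signature says so.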
+@@ -224,13 +251,15 @@
+     if (!src)
+ 	return NULL;
+ 
+-    strncpy(dest, src, MAXPATHLEN);
+-    if ((p = strchr(src, '%')) == NULL) /* nothing to do */
++    memset(dest, 0, MAXPATHLEN +1);
++    if ((p = strchr(src, '%')) == NULL) { /* nothing to do */
++        strncpy(dest, src, MAXPATHLEN);
+         return destbuf;
+-
+-    /* first part of the path. just forward to the next variable. */
++    }
++    /* first part of the path. copy and forward to the next variable. */
+     len = MIN((size_t)(p - src), destlen);
+     if (len > 0) {
++        strncpy(dest, src, len);
+         destlen -= len;
+         dest += len;
+     }
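Review bot: the "nothing to do" branch is only safe because of the memset() immediately above it: strncpy(dest, src, MAXPATHLEN) into the MAXPATHLEN+1 buffer is terminated by the zeroed last byte and by nothing else, so anyone touching the memset() later will silently lose termination. Leaving the text before the first '%' unquoted is correct: it comes from the pipe command in papd.conf, and only the substituted job fields are under the remote client's control.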
+@@ -246,17 +275,20 @@
+             q =  lp.lp_created_for;
+         } else if (is_var(p, "%%")) {
+             q = "%";
+-        } else
+-            q = p;
++        } 
+ 
+         /* copy the stuff over. if we don't understand something that we
+          * should, just skip it over. */
+         if (q) {
+-            len = MIN(p == q ? 2 : strlen(q), destlen);
++            len = MIN(strlen(q), destlen);
++            len = quote(dest, q, destlen, len);
++        }
++        else {
++            len = MIN(2, destlen);
+             strncpy(dest, q, len);
+-            dest += len;
+-            destlen -= len;
+         }
++        dest += len;
++        destlen -= len;
+ 
+         /* stuff up to next % */
+         src = p + 2;
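Review bot: the new else branch dereferences a null pointer. It is reached exactly when `q` is not set (the `else q = p;` fallback was removed), yet it still does `strncpy(dest, q, len);`, so an unrecognised `%x` in the pipe command crashes papd instead of being skipped as the comment above promises. Either copy the two bytes from `p` (`strncpy(dest, p, len);`) or skip them entirely, and confirm that `q` is reset to NULL at the top of every loop iteration (the loop head is outside this hunk), otherwise an unknown variable reuses the value of the previous one.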
+--- etc/papd/lp.c	2009/01/21 02:43:46	1.21
++++ etc/papd/lp.c	2009/01/28 18:03:15	1.22
+@@ -217,7 +217,26 @@
+           case '$':
+           case '\\':
+           case '"':
++          case ';':
++          case '&':
++          case '(':
++          case ')':
++          case ' ':
++          case '*':
++          case '#':
++          case '|':
++          case '>':
++          case '<':
++          case '[':
++          case ']':
++          case '{':
++          case '}':
++          case '^':
++          case '?':
++          case '~':
+           case '`':
++          case '\x0A':
++          case '\xFF':
+             if (used + 2 > bsize )
+               return used;
+             *dest = '\\';
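Review bot: this list targets a bare `%U` in the pipe command, and it changes the substituted text when the variable is already double-quoted in papd.conf: inside double quotes sh strips a backslash only before `$`, `` ` ``, `"`, `\` and newline, so with `"%J"` a job name such as `a;b` now reaches the printer command as the literal `a\;b`. That is a behaviour change for correctly written configurations and is worth stating in the patch header next to the note about the upstream revert. Escaping `\x0A` with a backslash produces backslash-newline, which sh removes as a line continuation, so the newline is dropped rather than preserved (harmless, but not what the case label suggests). `'` is absent from the list; an unbalanced single quote in a bare word yields a syntax error rather than a second command, but it belongs in the set for completeness. Please also comment why `'\xFF'` is escaped.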
+@@ -247,9 +266,9 @@
+     if (!src)
+ 	return NULL;
+ 
+-    memset(dest, 0, MAXPATHLEN +1);
++    memset(dest, 0, sizeof(destbuf));
+     if ((p = strchr(src, '%')) == NULL) { /* nothing to do */
+-        strncpy(dest, src, MAXPATHLEN);
++        strncpy(dest, src, sizeof(dest) - 1);
+         return destbuf;
+     }
+     /* first part of the path. copy and forward to the next variable. */
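Review bot: `strncpy(dest, src, sizeof(dest) - 1)` uses the size of a pointer, not of the buffer. `dest` is `char *` (see `char *p, *q, *dest;` earlier in this file), so this copies 7 bytes on amd64 and 3 on i386 and silently truncates every pipe command that contains no %-variable. It should be `sizeof(destbuf) - 1`, matching the `memset(dest, 0, sizeof(destbuf))` line directly above it.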
-- 
1.6.1.3
--- fix-CVE-2008-5718.diff ends here ---

The following VuXML entry should be evaluated and added.
--- vuln.xml begins here ---
  <vuln vid="3604780c-0c0f-11de-b26a-001fc66e7203">
    <topic>netatalk -- arbitrary command execution in papd daemon</topic>
    <affects>
      <package>
        <name>netatalk</name>
        <range><lt>2.0.3_5,1</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
        <p>Secunia reports:</p>
        <blockquote
          cite="http://secunia.com/advisories/33227">
          <p>A vulnerability has been reported in Netatalk, which
          potentially can be exploited by malicious users to compromise
          a vulnerable system.</p>
          <p>The vulnerability is caused due to the papd daemon
          improperly sanitising several received parameters before
          passing them in a call to "popen()". This can be exploited to
          execute arbitrary commands via a specially crafted printing
          request.</p>
          <p>Successful exploitation requires that a printer is
          configured to pass arbitrary values as parameters to a piped
          command.</p>
        </blockquote>
      </body>
    </description>
    <references>
      <cvename>CVE-2008-5718</cvename>
      <bid>32925</bid>
      <url>http://www.openwall.com/lists/oss-security/2009/01/13/3</url>
    </references>
    <dates>
      <discovery>2009-01-15</discovery>
      <entry>TODAY</entry>
    </dates>
  </vuln>
--- vuln.xml ends here ---

While I am here, I want to add a simple patch that removes the spool
directories for the CUPS interface. They are created if CUPS is installed
on the system when one builds the netatalk port, since CUPS support is then
activated by the configure script.
--- 2.0.3-add-missing-spool-dirrmtry.diff begins here ---
From 2dcc6d468c2178e27aff364e579dfe18169c7bd4 Mon Sep 17 00:00:00 2001
From: Eygene Ryabinkin <rea-fbsd at codelabs.ru>
Date: Sun, 8 Mar 2009 21:42:35 +0300
Subject: [PATCH] net/netatalk: add missing 'dirrmtry's to pkg-plist

CUPS support, which is sometimes enabled (when CUPS is installed
on the system), creates the ${localstatedir}/spool/netatalk hierarchy
for spool files.  An attempt at removal should be made.

Signed-off-by: Eygene Ryabinkin <rea-fbsd at codelabs.ru>
---
 net/netatalk/pkg-plist |    3 +++
 1 files changed, 3 insertions(+), 0 deletions(-)

diff --git a/net/netatalk/pkg-plist b/net/netatalk/pkg-plist
index 53f3aeb..15562fc 100644
--- a/net/netatalk/pkg-plist
+++ b/net/netatalk/pkg-plist
@@ -149,3 +149,6 @@ share/aclocal/netatalk.m4
 @dirrm include/netatalk
 @dirrm include/atalk
 @dirrm etc/uams
+ at dirrmtry var/spool/netatalk
+ at dirrmtry var/spool
+ at dirrmtry var
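Review bot: the `@` at the start of the three added lines has been rewritten to ` at ` by the list archive, so the hunk as displayed will not apply; the lines must read `@dirrmtry var/spool/netatalk`, `@dirrmtry var/spool` and `@dirrmtry var`. `@dirrmtry` rather than `@dirrm` is the right directive here, since the directories exist only when configure picked up CUPS and may still hold spool files at deinstall time, and `@dirrmtry var` is safe because it only removes an empty directory.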
-- 
1.6.1.3
--- 2.0.3-add-missing-spool-dirrmtry.diff ends here ---
>Release-Note:
>Audit-Trail:
>Unformatted:
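What this PR turns on is which string /bin/sh -c actually receives from papd's popen() once a print-job field has been substituted into the pipe command. The C program below is an added example, not part of this PR and not netatalk code: it models the %-substitution with the two quote() escape sets from the patch above (the 1.17 set and the larger 1.22 set that upstream reverted) and prints the resulting command line for a bare `%U` and for a double-quoted `"%U"`. The pipe commands `lpr -P %U` and `lpr -P "%U"`, the job user names, and the helper names quote_with, expand_user and popen_argument are constructed for this demonstration and appear nowhere in netatalk.

```c
/* Added example (not from the PR and not netatalk code): a stand-alone model
 * of papd's %-substitution with the two quote() escape sets from the patch,
 * to show what string reaches popen() for an attacker-controlled print-job
 * field.  The pipe commands, user names and helper names below are
 * constructed for this demonstration. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Bytes escaped by lp.c revision 1.17: exactly the set that is special
 * inside a double-quoted sh word. */
static const char SPECIALS_117[] = "$\\\"`";
/* Bytes escaped by revision 1.22 (the hunk upstream later reverted):
 * adds the metacharacters that matter for an unquoted sh word. */
static const char SPECIALS_122[] = "$\\\";&() *#|><[]{}^?~`\n\xFF";

/* Copy src into dest (capacity bsize), putting a backslash before every byte
 * found in specials.  Like the patch's quote() it stops early rather than
 * overflow; unlike it, it always NUL-terminates.  Returns bytes written. */
static size_t quote_with(char *dest, size_t bsize, const char *src,
                         const char *specials)
{
    size_t used = 0;
    for (; *src; src++) {
        size_t need = strchr(specials, *src) ? 2 : 1;
        if (used + need >= bsize)   /* keep one byte for the terminator */
            break;
        if (need == 2)
            dest[used++] = '\\';
        dest[used++] = *src;
    }
    dest[used] = '\0';
    return used;
}

/* Expand %U in a papd.conf-style pipe command with the job's user name.
 * specials == NULL reproduces the pre-patch behaviour (no quoting).  Only %U
 * is modelled; the real pipexlate() also handles %C, %J, %F and %%.
 * Returns the length written, or -1 if out is too small. */
static int expand_user(char *out, size_t outsz, const char *cmd,
                       const char *user, const char *specials)
{
    size_t used = 0;
    const char *p = cmd;
    while (*p) {
        if (p[0] == '%' && p[1] == 'U') {
            size_t n;
            if (specials) {
                n = quote_with(out + used, outsz - used, user, specials);
            } else {
                n = strlen(user);
                if (used + n >= outsz)
                    return -1;
                memcpy(out + used, user, n);
            }
            used += n;
            p += 2;
        } else {
            if (used + 1 >= outsz)
                return -1;
            out[used++] = *p++;
        }
    }
    out[used] = '\0';
    return (int)used;
}

/* Constructed inputs.  CMD_UNQUOTED leaves %U as a bare word; CMD_DQUOTED
 * wraps it in double quotes, as a careful papd.conf would. */
static const char CMD_UNQUOTED[] = "lpr -P %U";
static const char CMD_DQUOTED[]  = "lpr -P \"%U\"";
/* Job user name carrying a command separator (constructed). */
static const char EVIL_USER[] = "bob; touch /tmp/owned";
/* Job user name that tries to close the double quotes instead (constructed). */
static const char EVIL_USER_DQ[] = "bob\"; touch /tmp/owned; echo \"";

static char g_buf[256];

/* The command line popen() would hand to /bin/sh -c for cmd/user/specials. */
static const char *popen_argument(const char *cmd, const char *user,
                                  const char *specials)
{
    if (expand_user(g_buf, sizeof g_buf, cmd, user, specials) < 0)
        g_buf[0] = '\0';
    return g_buf;
}

int main(void)
{
    /* Unpatched: the separator is live, sh runs touch. */
    printf("no quoting, bare %%U : %s\n",
           popen_argument(CMD_UNQUOTED, EVIL_USER, NULL));
    /* 1.17 set on a bare %U: ';' and ' ' are not escaped, still injectable. */
    printf("1.17 set,   bare %%U : %s\n",
           popen_argument(CMD_UNQUOTED, EVIL_USER, SPECIALS_117));
    /* 1.22 set on a bare %U: separator and spaces escaped, one argument. */
    printf("1.22 set,   bare %%U : %s\n",
           popen_argument(CMD_UNQUOTED, EVIL_USER, SPECIALS_122));
    /* 1.17 set inside "%U": the attacker cannot close the quotes. */
    printf("1.17 set,   \"%%U\"    : %s\n",
           popen_argument(CMD_DQUOTED, EVIL_USER_DQ, SPECIALS_117));
    /* 1.22 set inside "%U": sh keeps a backslash before ' ' in double
     * quotes, so a harmless name now reaches lpr altered. */
    printf("1.22 set,   \"%%U\"    : %s\n",
           popen_argument(CMD_DQUOTED, "bob smith", SPECIALS_122));
    return 0;
}
```

Build with `cc -std=c99 -Wall` and run it; the five lines of output show that the 1.17 set is sufficient only when papd.conf already double-quotes the variable, that the 1.22 set is needed for a bare `%U`, and that the 1.22 set alters the value passed on when the variable was already double-quoted.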