Date: Sun, 8 Mar 2009 22:11:49 +0300 (MSK)
From: Eygene Ryabinkin <rea-fbsd@codelabs.ru>
To: FreeBSD-gnats-submit@freebsd.org
Subject: ports/132427: [vuxml] [patch] net/netatlk: document and fix CVE-2008-5718
Message-ID: <20090308191149.95156B806B@phoenix.codelabs.ru>
Resent-Message-ID: <200903081920.n28JK54I091451@freefall.freebsd.org>
>Number: 132427 >Category: ports >Synopsis: [vuxml] [patch] net/netatlk: document and fix CVE-2008-5718 >Confidential: no >Severity: critical >Priority: high >Responsible: freebsd-ports-bugs >State: open >Quarter: >Keywords: >Date-Required: >Class: sw-bug >Submitter-Id: current-users >Arrival-Date: Sun Mar 08 19:20:05 UTC 2009 >Closed-Date: >Last-Modified: >Originator: Eygene Ryabinkin >Release: FreeBSD 7.1-STABLE amd64 >Organization: Code Labs >Environment: System: FreeBSD 7.1-STABLE amd64 >Description: There is an arbitrary code execution in papd daemon from netatalk: (mainly) malicious PostScript files can inject shell commands if papd is configured to make variable substitution during filtering incoming PostScript content. >How-To-Repeat: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5718 http://www.openwall.com/lists/oss-security/2009/01/13/3 >Fix: The following patch combines 3 upstream hunks that should fix the vulnerability. I had tested only patch's compilability and inspected patch logics -- looks sane. Pay attention that the third hunk was reverted in the CVS repository for netatalk for an unknown reason. But the patch should be present, otherwise command injection will still be possible. --- fix-CVE-2008-5718.diff begins here --- >From 5dcdbea59d402b74ad898ba90ac87dea5bd4d5bb Mon Sep 17 00:00:00 2001 From: Eygene Ryabinkin <rea-fbsd@codelabs.ru> Date: Sun, 8 Mar 2009 21:30:00 +0300 Signed-off-by: Eygene Ryabinkin <rea-fbsd@codelabs.ru> --- net/netatalk/Makefile | 2 +- net/netatalk/files/patch-CVE-2008-5718 | 164 ++++++++++++++++++++++++++++++++ 2 files changed, 165 insertions(+), 1 deletions(-) create mode 100644 net/netatalk/files/patch-CVE-2008-5718 diff --git a/net/netatalk/Makefile b/net/netatalk/Makefile index bd6e365..3608c5b 100644 --- a/net/netatalk/Makefile +++ b/net/netatalk/Makefile 
@@ -7,7 +7,7 @@ PORTNAME= netatalk PORTVERSION= 2.0.3 -PORTREVISION= 4 +PORTREVISION= 5 PORTEPOCH= 1 CATEGORIES= net print MASTER_SITES= ${MASTER_SITE_SOURCEFORGE} diff --git a/net/netatalk/files/patch-CVE-2008-5718 b/net/netatalk/files/patch-CVE-2008-5718 new file mode 100644 index 0000000..9f9eb23 --- /dev/null +++ b/net/netatalk/files/patch-CVE-2008-5718 
@@ -0,0 +1,164 @@ +This is the patch for CVE-2008-5718, + http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5718 + +It consists of three upstream patches: + http://netatalk.cvs.sourceforge.net/viewvc/netatalk/netatalk/etc/papd/lp.c?r1=1.15&r2=1.16&view=patch + http://netatalk.cvs.sourceforge.net/viewvc/netatalk/netatalk/etc/papd/lp.c?r1=1.16&r2=1.17&view=patch + http://netatalk.cvs.sourceforge.net/viewvc/netatalk/netatalk/etc/papd/lp.c?r1=1.21&r2=1.22&view=patch + +First patch is needed only because there was an error in the code +that prevents real fixes for CVE to work. The last patch was reverted +in the upstream repository: I don't know why, but this is plain wrong +to not include all these special characters into quotation. The strange +thing is that upstream release 2.0.4-beta2 contains no last fix. + +If 2.0.4 won't contain the last patch, it should be added, because, +for example, '(', ')' and '`', open the straight route to arbitrary +code execution. + +-- +Eygene Ryabinkin, rea-fbsd at codelabs dot ru + +--- etc/papd/lp.c 2005/04/28 20:49:49 1.15 ++++ etc/papd/lp.c 2008/08/14 20:02:47 1.16 +@@ -258,9 +258,9 @@ + destlen -= len; + } + +- /* stuff up to next $ */ ++ /* stuff up to next % */ + src = p + 2; +- p = strchr(src, '$'); ++ p = strchr(src, '%'); + len = p ? 
MIN((size_t)(p - src), destlen) : destlen; + if (len > 0) { + strncpy(dest, src, len); + +--- etc/papd/lp.c 2008/08/14 20:02:47 1.16 ++++ etc/papd/lp.c 2008/08/14 20:18:50 1.17 +@@ -212,10 +212,37 @@ + + #define is_var(a, b) (strncmp((a), (b), 2) == 0) + ++static size_t quote(char *dest, char *src, const size_t bsize, size_t len) ++{ ++size_t used = 0; ++ ++ while (len && used < bsize ) { ++ switch (*src) { ++ case '$': ++ case '\\': ++ case '"': ++ case '`': ++ if (used + 2 > bsize ) ++ return used; ++ *dest = '\\'; ++ dest++; ++ used++; ++ break; ++ } ++ *dest = *src; ++ src++; ++ dest++; ++ len--; ++ used++; ++ } ++ return used; ++} ++ ++ + static char* pipexlate(char *src) + { + char *p, *q, *dest; +- static char destbuf[MAXPATHLEN]; ++ static char destbuf[MAXPATHLEN +1]; + size_t destlen = MAXPATHLEN; + int len = 0; + +@@ -224,13 +251,15 @@ + if (!src) + return NULL; + +- strncpy(dest, src, MAXPATHLEN); +- if ((p = strchr(src, '%')) == NULL) /* nothing to do */ ++ memset(dest, 0, MAXPATHLEN +1); ++ if ((p = strchr(src, '%')) == NULL) { /* nothing to do */ ++ strncpy(dest, src, MAXPATHLEN); + return destbuf; +- +- /* first part of the path. just forward to the next variable. */ ++ } ++ /* first part of the path. copy and forward to the next variable. */ + len = MIN((size_t)(p - src), destlen); + if (len > 0) { ++ strncpy(dest, src, len); + destlen -= len; + dest += len; + } +@@ -246,17 +275,20 @@ + q = lp.lp_created_for; + } else if (is_var(p, "%%")) { + q = "%"; +- } else +- q = p; ++ } + + /* copy the stuff over. if we don't understand something that we + * should, just skip it over. */ + if (q) { +- len = MIN(p == q ? 
2 : strlen(q), destlen); ++ len = MIN(strlen(q), destlen); ++ len = quote(dest, q, destlen, len); ++ } ++ else { ++ len = MIN(2, destlen); + strncpy(dest, q, len); +- dest += len; +- destlen -= len; + } ++ dest += len; ++ destlen -= len; + + /* stuff up to next % */ + src = p + 2; +--- etc/papd/lp.c 2009/01/21 02:43:46 1.21 ++++ etc/papd/lp.c 2009/01/28 18:03:15 1.22 +@@ -217,7 +217,26 @@ + case '$': + case '\\': + case '"': ++ case ';': ++ case '&': ++ case '(': ++ case ')': ++ case ' ': ++ case '*': ++ case '#': ++ case '|': ++ case '>': ++ case '<': ++ case '[': ++ case ']': ++ case '{': ++ case '}': ++ case '^': ++ case '?': ++ case '~': + case '`': ++ case '\x0A': ++ case '\xFF': + if (used + 2 > bsize ) + return used; + *dest = '\\'; +@@ -247,9 +266,9 @@ + if (!src) + return NULL; + +- memset(dest, 0, MAXPATHLEN +1); ++ memset(dest, 0, sizeof(destbuf)); + if ((p = strchr(src, '%')) == NULL) { /* nothing to do */ +- strncpy(dest, src, MAXPATHLEN); ++ strncpy(dest, src, sizeof(dest) - 1); + return destbuf; + } + /* first part of the path. copy and forward to the next variable. */ -- 1.6.1.3 --- fix-CVE-2008-5718.diff ends here --- The following VuXML entry should be evaluated and added. --- vuln.xml begins here --- <vuln vid="3604780c-0c0f-11de-b26a-001fc66e7203"> <topic>netatalk -- arbitrary command execution in papd daemon</topic> <affects> <package> <name>netatalk</name> <range><lt>2.0.3_5,1</lt></range> </package> </affects> <description> <body xmlns="http://www.w3.org/1999/xhtml"> <p>Secunia reports:</p> <blockquote cite="http://secunia.com/advisories/33227"> <p>A vulnerability has been reported in Netatalk, which potentially can be exploited by malicious users to compromise a vulnerable system.</p> <p>The vulnerability is caused due to the papd daemon improperly sanitising several received parameters before passing them in a call to "popen()". 
This can be exploited to execute arbitrary commands via a specially crafted printing request.</p> <p>Successful exploitation requires that a printer is configured to pass arbitrary values as parameters to a piped command.</p> </blockquote> </body> </description> <references> <cvename>CVE-2008-5718</cvename> <bid>32925</bid> <url>http://www.openwall.com/lists/oss-security/2009/01/13/3</url> </references> <dates> <discovery>2009-01-15</discovery> <entry>TODAY</entry> </dates> </vuln> --- vuln.xml ends here --- While I am here, I want to add a simple patch that removes spool directories for CUPS interface that are created if CUPS is installed in the system when one builds the netatalk port and thus CUPS support is activated by the configure script. --- 2.0.3-add-missing-spool-dirrmtry.diff begins here --- >From 2dcc6d468c2178e27aff364e579dfe18169c7bd4 Mon Sep 17 00:00:00 2001 From: Eygene Ryabinkin <rea-fbsd@codelabs.ru> Date: Sun, 8 Mar 2009 21:42:35 +0300 Subject: [PATCH] net/netatalk: add missing 'dirrmtry's to pkg-plist CUPS support that is sometimes enabled (when CUPS is installed to the system), creates ${localstatedir}/spool/netatalk hierarchy for spool files. An attempt for removal should be made. Signed-off-by: Eygene Ryabinkin <rea-fbsd@codelabs.ru> --- net/netatalk/pkg-plist | 3 +++ 1 files changed, 3 insertions(+), 0 deletions(-) diff --git a/net/netatalk/pkg-plist b/net/netatalk/pkg-plist index 53f3aeb..15562fc 100644 --- a/net/netatalk/pkg-plist +++ b/net/netatalk/pkg-plist @@ -149,3 +149,6 @@ share/aclocal/netatalk.m4 @dirrm include/netatalk @dirrm include/atalk @dirrm etc/uams +@dirrmtry var/spool/netatalk +@dirrmtry var/spool +@dirrmtry var -- 1.6.1.3 --- 2.0.3-add-missing-spool-dirrmtry.diff ends here --- >Release-Note: >Audit-Trail: >Unformatted:
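Review bot: the PORTREVISION bump from 4 to 5 in the net/netatalk/Makefile hunk is what makes the VuXML range `<lt>2.0.3_5,1</lt>` correct, so the two must be kept in sync if the revision is bumped again before commit; the `,1` suffix comes from the existing `PORTEPOCH= 1`, which the hunk leaves untouched.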
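Review bot: in the `@@ -246,17 +275,20 @@` hunk of the 1.16->1.17 part of files/patch-CVE-2008-5718, the new `else` branch keeps `strncpy(dest, q, len);` but is only reached when `q` is NULL, because the removed `} else q = p;` was what used to point `q` at the unrecognised `%X` token; an unknown variable now makes strncpy read from a NULL pointer and papd dies on that job instead of copying the two characters through as the comment ("just skip it over") intends. Suggest `strncpy(dest, p, len);` there, paired with the new `len = MIN(2, destlen);`.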
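Review bot: the extended `case` list in the `@@ -217,7 +217,26 @@` hunk of the 1.21->1.22 part is still a denylist of shell metacharacters, and the submitter's own preamble shows how easily entries get missed ('(', ')' and '`' were absent from the first version); `case '\x0A'` also does not do what it looks like, since backslash-newline is a line continuation that the shell removes rather than a literal newline. Because the values end up in a `popen()` command line (per the quoted Secunia text), a scheme that needs no list, wrapping each substituted value in single quotes and escaping only the quote itself, or better building an argv and not going through the shell at all, is the form to raise with upstream together with the question of why this hunk was reverted.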
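Review bot: `strncpy(dest, src, sizeof(dest) - 1);` in the `@@ -247,9 +266,9 @@` hunk of the 1.21->1.22 part takes the size of a pointer, since pipexlate() declares `char *p, *q, *dest;` and `dest` merely points into `static char destbuf[MAXPATHLEN +1]`; a pipe command with no `%` variables is therefore cut to sizeof(char *) - 1 bytes (7 on the amd64 system named in the PR) and the no-variable path stops working. The neighbouring `memset(dest, 0, sizeof(destbuf));` shows the intended form; suggest `strncpy(dest, src, sizeof(destbuf) - 1);`, and it is worth checking whether this is why upstream backed the hunk out.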
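Review bot: the three added `@dirrmtry` lines in the pkg-plist hunk are the right directive for this case, since `var/spool` and `var` are shared with other ports and `@dirrmtry`, unlike the `@dirrm` entries above it, does not fail when the directory is still populated; the only thing to confirm at commit time is that they stay at the end of the plist so they run after every file entry.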
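The description above says the command injection happens when papd substitutes %U/%J/%F values from a print job into a piped command. As an added example (not netatalk's code and not the patch's quote() function), here is a substitution routine that wraps each substituted value in POSIX shell single quotes, so no denylist of metacharacters is needed and the result is never silently truncated; the template letters follow lp.c's pipexlate(), while the function names, buffer sizes and sample values are constructed for the example.

```c
#include <string.h>
/* Added example, not netatalk's code. Copy src into dest as one POSIX
 * single-quoted word: inside '...' only the quote is special, and it
 * becomes '\'' . Returns bytes written (no NUL) or -1 if it does not fit. */
static int shell_quote(char *dest, size_t bsize, const char *src)
{
    size_t used = 0;
    if (bsize < 2) return -1;
    dest[used++] = '\'';
    for (; *src; src++) {
        size_t need = (*src == '\'') ? 4 : 1;
        if (used + need > bsize) return -1;
        if (need == 4) memcpy(dest + used, "'\\''", 4);
        else dest[used] = *src;
        used += need;
    }
    if (used + 1 > bsize) return -1;
    dest[used++] = '\'';
    return (int)used;
}

/* Expand %U (user), %J/%C (job) and %F (created-for) in a papd-style pipe
 * template, single-quoting each value; "%%" and unknown %X are copied
 * literally. Returns 0, or -1 if the result does not fit (no truncation). */
int pipexlate_quoted(char *out, size_t outsize, const char *tmpl,
                     const char *user, const char *job, const char *created_for)
{
    size_t used = 0;
    if (outsize == 0) return -1;
    for (const char *p = tmpl; *p; p++) {
        const char *val = NULL;
        if (*p == '%') {
            if (p[1] == 'U') val = user;
            else if (p[1] == 'J' || p[1] == 'C') val = job;
            else if (p[1] == 'F') val = created_for;
        }
        if (val) {                      /* job-supplied data: quote it */
            int n = shell_quote(out + used, outsize - used - 1, val);
            if (n < 0) return -1;
            used += n;
            p++;                        /* skip the variable letter */
        } else {                        /* template text, copied as-is */
            if (used + 1 >= outsize) return -1;
            out[used++] = *p;
            if (*p == '%' && p[1] == '%') p++;   /* "%%" -> "%" */
        }
    }
    out[used] = '\0';
    return 0;
}
```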