oss-sec mailing list archives
update on CVE-2008-5718
From: Nico Golde <oss-security+ml () ngolde de>
Date: Wed, 14 Jan 2009 00:32:07 +0100
Hi,

I just did a security update for CVE-2008-5718 and since the description is not really verbose I thought I'd share what I found in case anyone else is working on that.

This issue only affects netatalk installations that make use of a pipe command to handle the print file and also use one of the available variables in the piped command. The netatalk documentation documents %F, %U and %J while there is also %C which is undocumented but visible in the code (and does the same as %J). These variables are expanded, %F with the content of %%From:, %J with %%Title: from the PostScript stream and %U with the user printing the file.

After the variable expansion (which is done in pipexlate(lp.c)) the specified, expanded command is passed to popen() without properly escaping it before. So exploiting this is pretty straightforward if you know the papd configuration (which is at least world-readable on Debian), just by for example preparing a ps file including something like %%Title: $(yourcommand) and printing it.

Steve, can you update the CVE id description according to this information?

Cheers
Nico

P.S. The patch I used can be found on:
http://people.debian.org/~nion/nmu-diff/netatalk-2.0.3-11_2.0.3-11+lenny1.patch

-- 
Nico Golde - http://www.ngolde.de - nion () jabber ccc de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
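The defect described in the message is that %J/%C (from the client's %%Title: line) and %F (from %%From:) are pasted into a command string that is then handed to popen(), so the shell interprets whatever the client put there. The added example below is not netatalk's code and does not reproduce pipexlate(); it shows the hardened shape a fix takes: split the administrator's pipe template into words first, expand the variables inside each word, and hand the resulting argv to an execvp()-style call so no shell ever parses the expanded values. It also includes a small metacharacter check that a daemon can use to log suspicious titles. The struct and function names, the template string and the sample job values are constructed for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_ARGS 32

/* Values substituted into the pipe command. Only %U comes from the daemon;
 * %F and %J/%C are copied from the client's PostScript header and are
 * therefore attacker controlled. Field names are assumptions. */
struct print_job {
    const char *from;   /* %F: the %%From: line */
    const char *title;  /* %J and %C: the %%Title: line */
    const char *user;   /* %U: the user printing the file */
};

/* Map a variable letter to its value, or NULL if it is not a variable. */
static const char *lookup_var(char c, const struct print_job *job)
{
    switch (c) {
    case 'F':           return job->from;
    case 'J': case 'C': return job->title;
    case 'U':           return job->user;
    default:            return NULL;
    }
}

/* Expand the %-variables inside one argument. The value is copied byte for
 * byte into the argument and is never re-parsed, so $(...), backticks, ';'
 * and friends stay plain characters. Returns a malloc'd string or NULL. */
static char *expand_arg(const char *tok, const struct print_job *job)
{
    size_t need = 1;
    const char *p;
    for (p = tok; *p; p++) {            /* first pass: measure */
        const char *v = (*p == '%') ? lookup_var(p[1], job) : NULL;
        if (v) { need += strlen(v); p++; } else need++;
    }
    char *out = malloc(need), *o = out;
    if (!out) return NULL;
    for (p = tok; *p; p++) {            /* second pass: copy */
        const char *v = (*p == '%') ? lookup_var(p[1], job) : NULL;
        if (v) { size_t n = strlen(v); memcpy(o, v, n); o += n; p++; }
        else *o++ = *p;
    }
    *o = '\0';
    return out;
}

/* Split the administrator's pipe template on whitespace (the template is
 * trusted config, the variable values are not) and expand each word on its
 * own. The result is a NULL-terminated argv for fork()+execvp(), which
 * replaces popen(). Returns argc, or -1 on error. */
static int build_argv(const char *template, const struct print_job *job,
                      char **argv, int max_args)
{
    char *copy = malloc(strlen(template) + 1);
    int argc = 0;
    if (!copy) return -1;
    strcpy(copy, template);
    for (char *tok = strtok(copy, " \t"); tok; tok = strtok(NULL, " \t")) {
        if (argc >= max_args - 1 || !(argv[argc] = expand_arg(tok, job))) {
            while (argc-- > 0) free(argv[argc]);
            free(copy);
            return -1;
        }
        argc++;
    }
    argv[argc] = NULL;
    free(copy);
    return argc;
}

static void free_argv(char **argv)
{
    for (int i = 0; argv[i]; i++) free(argv[i]);
}

/* Detection aid: 1 if the string contains shell metacharacters. With the
 * argv approach this is not needed for safety, but it lets the daemon log
 * an injection attempt against the old popen() path. */
static int has_shell_meta(const char *s)
{
    return strpbrk(s, "$`|;&<>()\n\\\"'") != NULL;
}

int main(void)
{
    /* Constructed sample job: the %%Title: line carries a command substitution. */
    struct print_job job = { "alice@example.test", "$(id)", "alice" };
    char *argv[MAX_ARGS];
    int argc = build_argv("lpr -P office -J %J -U %U", &job, argv, MAX_ARGS);
    if (argc < 0) return 1;
    if (has_shell_meta(job.title))
        fprintf(stderr, "warning: shell metacharacters in %%Title: from user %s\n",
                job.user);
    for (int i = 0; i < argc; i++)
        printf("argv[%d] = %s\n", i, argv[i]);
    /* A daemon would now fork() and execvp(argv[0], argv); argv[4] is the
     * literal string "$(id)" and is never interpreted by a shell. */
    free_argv(argv);
    return 0;
}
```

Running it prints the seven argv entries with `$(id)` intact as argv[4] and emits the warning line on stderr. The point is that the value of %%Title: only ever becomes one argv element; the place where the original passed a flat string to popen() is exactly where a shell would have expanded it.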