Date: Wed, 14 Jan 2009 00:32:07 +0100 From: Nico Golde <oss-security+ml@...lde.de> To: oss-security@...ts.openwall.com Cc: coley@...re.org Subject: update on CVE-2008-5718 Hi, I just did a security update for CVE-2008-5718 and since the description is not really verbose I thought I'd share what I found in case anyone else is working on that. This issue only affects netatalk installations that make use of a pipe command to handle the print file and also use one of the available variables in the piped command. The netatalk documentation documents %F, %U and %J while there is also %C which is undocumented but visible in the code (and does the same as %J). These variables are expanded, %F with the content of %%From:, %J with %%Title: from the PostScript stream and %U with the user printing the file. After the variable expansion (which is done in pipexlate(lp.c) the specified,expanded command is passed to popen() without properly escaping it before. So exploiting this is pretty straight forward if you know the papd configuration (which is at least world-readable on Debian) just by for example preparing a ps file including something like %%Title: $(yourcommand) and print it. Steve, can you update the CVE id description according to this information? Cheers Nico P.S. The patch I used can be found on: http://people.debian.org/~nion/nmu-diff/netatalk-2.0.3-11_2.0.3-11+lenny1.patch -- Nico Golde - http://www.ngolde.de - nion@...ber.ccc.de - GPG: 0x73647CFF For security reasons, all text in this mail is double-rot13 encrypted. Content of type "application/pgp-signature" skipped
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ