Date: Wed, 28 Jan 2009 14:54:33 +0100
From: Thomas Biege <thomas@...e.de>
To: oss-security@...ts.openwall.com
Subject: Re: update on CVE-2008-5718


New patch attached; the old one did not include the space character in the list of escaped characters.
Hope the blacklist is complete now...

On Wed, Jan 14, 2009 at 09:21:57AM +0100, Thomas Biege wrote:
> Hello Nico,
> 
> On Wed, Jan 14, 2009 at 12:32:07AM +0100, Nico Golde wrote:
> > Hi,
> > I just did a security update for CVE-2008-5718 and since the 
> > description is not really verbose I thought I'd share what I 
> > found in case anyone else is working on that.
> ...
> > Cheers
> > Nico
> > P.S. The patch I used can be found on:
> > http://people.debian.org/~nion/nmu-diff/netatalk-2.0.3-11_2.0.3-11+lenny1.patch
> 
> I am not very happy with the patch because it only filters a handful of
> characters; a better solution would be to replace popen() with
> fork()/exec() and an explicit argument vector, so that no shell ever
> parses the job-supplied data.
> (I mentioned this on the netatalk-devel ML but got no answer so far.)
> 
> 
> 
> -- 
> Bye,
>      Thomas
> -- 
>  Thomas Biege <thomas@...e.de>, SUSE LINUX, Security Support & Auditing
>  SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nuernberg)
> -- 
>            Hamming's Motto:
>            The purpose of computing is insight, not numbers.
>                                 -- Richard W. Hamming

-- 
Bye,
     Thomas
-- 
 Thomas Biege <thomas@...e.de>, SUSE LINUX, Security Support & Auditing
 SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nuernberg)
-- 
           Hamming's Motto:
           The purpose of computing is insight, not numbers.
                                -- Richard W. Hamming

diff -Nurad netatalk-2.0.3.orig/etc/papd/lp.c netatalk-2.0.3/etc/papd/lp.c
--- netatalk-2.0.3.orig/etc/papd/lp.c	2009-01-13 12:40:35.000000000 +0100
+++ netatalk-2.0.3/etc/papd/lp.c	2009-01-13 12:41:08.000000000 +0100
@@ -212,10 +212,41 @@
 
 #define is_var(a, b) (strncmp((a), (b), 2) == 0)
 
+static size_t quote(char *dest, char *src, const size_t bsize, size_t len) {
+	size_t used = 0;
+
+	while (len && used < bsize ) {
+		switch (*src) {
+			case '$': case ' ': case '\n' : case '\r':
+			case '\\':
+			case '"':
+			case ';':
+			case '&':
+			case '(':
+			case ')':
+			case '*':
+			case '#':
+			case '`':
+				if (used + 2 > bsize )
+					return used;
+				*dest = '\\';
+				dest++;
+				used++;
+				break;
+		}
+		*dest = *src;
+		src++;
+		dest++;
+		len--;
+		used++;
+	}
+	return used;
+}
+
 static char* pipexlate(char *src)
 {
     char *p, *q, *dest; 
-    static char destbuf[MAXPATHLEN];
+    static char destbuf[MAXPATHLEN + 1];
     size_t destlen = MAXPATHLEN;
     int len = 0;
    
@@ -224,13 +255,16 @@
     if (!src)
 	return NULL;
 
-    strncpy(dest, src, MAXPATHLEN);
-    if ((p = strchr(src, '%')) == NULL) /* nothing to do */
+    memset(dest, 0, sizeof(destbuf));
+    if ((p = strchr(src, '%')) == NULL) { /* nothing to do */
+        strncpy(dest, src, sizeof(dest) - 1);
         return destbuf;
+    }
 
     /* first part of the path. just forward to the next variable. */
     len = MIN((size_t)(p - src), destlen);
     if (len > 0) {
+        strncpy(dest, src, len);
         destlen -= len;
         dest += len;
     }
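Review bot: `strncpy(dest, src, sizeof(dest) - 1);` on the no-variable path sizes the copy by the pointer, not the buffer — `dest` is declared `char *dest` in the hunk above — so only three or seven bytes of the path are copied and every command without a `%` variable is silently truncated. Use the array instead: `strncpy(dest, src, sizeof(destbuf) - 1);`, which together with the preceding memset leaves the result NUL-terminated, or `snprintf(destbuf, sizeof(destbuf), "%s", src);`. This assumes `dest` points at `destbuf` here; the assignment is not in the hunk, and pipexlate's body continues past it.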
@@ -246,17 +280,20 @@
             q =  lp.lp_created_for;
         } else if (is_var(p, "%%")) {
             q = "%";
-        } else
-            q = p;
+        }
 
         /* copy the stuff over. if we don't understand something that we
          * should, just skip it over. */
         if (q) {
-            len = MIN(p == q ? 2 : strlen(q), destlen);
+            len = MIN(strlen(q), destlen);
+            len = quote(dest, q, destlen, len);
+        }
+        else {
+            len = MIN(2, destlen);
             strncpy(dest, q, len);
-            dest += len;
-            destlen -= len;
         }
+        dest += len;
+        destlen -= len;
 
         /* stuff up to next $ */
         src = p + 2;
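Review bot: The new else branch copies from `q` right after `if (q)` has established that `q` is NULL, so `strncpy(dest, q, len)` dereferences a null pointer for any `%x` sequence that is not recognised; the literal copy the removed `q = p` used to provide should read `strncpy(dest, p, len);`. Even with that fix the behaviour differs from the old code when `q` is NULL because a recognised `lp.lp_*` field is unset (the original `if (q)` guard suggests this can happen): the old loop skipped such a variable, whereas this one would emit the raw `%x` and advance `dest` by two. If skipping is intended, track "variable recognised" in a separate flag and only fall back to copying `p` when no is_var() matched. The enclosing loop and pipexlate itself begin before this hunk.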
