rpms/netatalk/F-9 netatalk-2.0.3-papd_cmds.patch, NONE, 1.1 netatalk-2.0.3-fpsyncdir.patch, 1.1, 1.2 netatalk.spec, 1.45, 1.46

Jiri Skala jskala at fedoraproject.org
Mon Feb 16 21:03:16 UTC 2009


Author: jskala

Update of /cvs/extras/rpms/netatalk/F-9
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv10576

Modified Files:
	netatalk-2.0.3-fpsyncdir.patch netatalk.spec 
Added Files:
	netatalk-2.0.3-papd_cmds.patch 
Log Message:
* Mon Feb 16 2009 Jiri Skala <jskala at redhat.com> - 4:2.0.3-21
- fix #480641 - CVE-2008-5718 netatalk: papd command injection vulnerability


netatalk-2.0.3-papd_cmds.patch:

--- NEW FILE netatalk-2.0.3-papd_cmds.patch ---
diff -Nurad netatalk-2.0.3.orig/etc/papd/lp.c netatalk-2.0.3/etc/papd/lp.c
--- netatalk-2.0.3.orig/etc/papd/lp.c	2009-01-28 17:04:36.000000000 +0100
+++ netatalk-2.0.3/etc/papd/lp.c	2009-01-28 17:05:01.000000000 +0100
@@ -212,10 +212,54 @@
 
 #define is_var(a, b) (strncmp((a), (b), 2) == 0)
 
+static size_t quote(char *dest, char *src, const size_t bsize, size_t len) {
+	size_t used = 0;
+
+	while (len && used < bsize ) {
+		switch (*src) {
+			case '$':
+			case '\\':
+			case '"':
+			case ';':
+			case '&':
+			case '(':
+			case ')':
+			case ' ':
+			case '*':
+			case '#':
+			case '|':
+			case '>':
+			case '<':
+			case '[':
+			case ']':
+			case '{':
+			case '}':
+			case '^':
+			case '?':
+			case '~':
+			case '`':
+			case '\x0A':
+			case '\xFF':
+				if (used + 2 > bsize )
+					return used;
+				*dest = '\\';
+				dest++;
+				used++;
+				break;
+		}
+		*dest = *src;
+		src++;
+		dest++;
+		len--;
+		used++;
+	}
+	return used;
+}
+
 static char* pipexlate(char *src)
 {
     char *p, *q, *dest; 
-    static char destbuf[MAXPATHLEN];
+    static char destbuf[MAXPATHLEN + 1];
     size_t destlen = MAXPATHLEN;
     int len = 0;
    
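Review bot: The case list in `quote()` is a denylist, and as written it escapes the double quote and the space but leaves the single quote, tab and carriage return untouched. If the string built by `pipexlate` is later handed to a shell (the log message suggests so, but the call site is outside this hunk), those bytes still affect how the command line is parsed. Adding `case '\'':`, `case '\t':` and `case '\r':` closes the visible gap, though an allowlist of known-safe characters would be sturdier than enumerating metacharacters. `quote()` also never writes a terminating NUL, so it deserves a comment such as `/* backslash-escapes shell metacharacters; returns bytes written to dest, does not NUL-terminate */`.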
@@ -224,13 +268,16 @@
     if (!src)
 	return NULL;
 
-    strncpy(dest, src, MAXPATHLEN);
-    if ((p = strchr(src, '%')) == NULL) /* nothing to do */
+    memset(dest, 0, sizeof(destbuf));
+    if ((p = strchr(src, '%')) == NULL) { /* nothing to do */
+        strncpy(dest, src, sizeof(dest) - 1);
         return destbuf;
+    }
 
     /* first part of the path. just forward to the next variable. */
     len = MIN((size_t)(p - src), destlen);
     if (len > 0) {
+        strncpy(dest, src, len);
         destlen -= len;
         dest += len;
     }
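Review bot: `strncpy(dest, src, sizeof(dest) - 1);` in the no-`%` branch measures the pointer rather than the buffer, because `dest` is declared `char *` in the previous hunk. At most 3 or 7 bytes are copied, so any longer command string is silently truncated. Size the copy from the array instead: `strncpy(dest, src, sizeof(destbuf) - 1);`. The preceding `memset` then guarantees termination, since `destbuf` is `MAXPATHLEN + 1` bytes. The body of `pipexlate` starts and continues outside this hunk.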
@@ -246,17 +293,20 @@
             q =  lp.lp_created_for;
         } else if (is_var(p, "%%")) {
             q = "%";
-        } else
-            q = p;
+        }
 
         /* copy the stuff over. if we don't understand something that we
          * should, just skip it over. */
         if (q) {
-            len = MIN(p == q ? 2 : strlen(q), destlen);
+            len = MIN(strlen(q), destlen);
+            len = quote(dest, q, destlen, len);
+        }
+        else {
+            len = MIN(2, destlen);
             strncpy(dest, q, len);
-            dest += len;
-            destlen -= len;
         }
+        dest += len;
+        destlen -= len;
 
         /* stuff up to next $ */
         src = p + 2;
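Review bot: The new `else` branch is reached only when `q` is null, yet it calls `strncpy(dest, q, len);`, so an unrecognised variable makes papd read through a null pointer. The removed code copied the two bytes from `p` in that case (`q = p`), so the call should be `strncpy(dest, p, len);`. Whether `q` is reset at the top of each loop iteration is not visible in this hunk and is worth confirming, since a stale value would be quoted in place of the current variable. The enclosing loop starts and ends outside the hunk.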

netatalk-2.0.3-fpsyncdir.patch:

Index: netatalk-2.0.3-fpsyncdir.patch
===================================================================
RCS file: /cvs/extras/rpms/netatalk/F-9/netatalk-2.0.3-fpsyncdir.patch,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -r1.1 -r1.2
--- netatalk-2.0.3-fpsyncdir.patch	15 Jan 2009 10:08:38 -0000	1.1
+++ netatalk-2.0.3-fpsyncdir.patch	16 Feb 2009 21:03:15 -0000	1.2
@@ -51,7 +51,7 @@
  extern int	afp_enumerate __P((AFPObj *, char *, unsigned int, char *, unsigned int *));
 --- netatalk/etc/afpd/directory.c	2008-05-14 15:30:52.000000000 +0200
 +++ netatalk.syncdir/etc/afpd/directory.c	2008-05-14 15:36:36.000000000 +0200
-@@ -2271,6 +2271,53 @@
+@@ -1962,6 +1962,53 @@
      return err;
  }
  
@@ -103,5 +103,5 @@
 +}
 +
  int afp_createdir(obj, ibuf, ibuflen, rbuf, rbuflen )
- AFPObj  *obj;
+ AFPObj      *obj;
  char	*ibuf, *rbuf;


Index: netatalk.spec
===================================================================
RCS file: /cvs/extras/rpms/netatalk/F-9/netatalk.spec,v
retrieving revision 1.45
retrieving revision 1.46
diff -u -r1.45 -r1.46
--- netatalk.spec	15 Jan 2009 10:08:38 -0000	1.45
+++ netatalk.spec	16 Feb 2009 21:03:15 -0000	1.46
@@ -1,7 +1,7 @@
 Summary: AppleTalk networking programs
 Name:    netatalk
 Version: 2.0.3
-Release: 20%{?dist}
+Release: 21%{?dist}
 Epoch:   4
 License: GPL
 Group:   System Environment/Daemons
@@ -23,6 +23,7 @@
 Patch9:  netatalk-2.0.3-multiarch.patch
 Patch10: netatalk-2.0.3-fpsyncdir.patch
 Patch11: netatalk-2.0.3-no-verb-chkpoint.patch
+Patch12: netatalk-2.0.3-papd_cmds.patch
 Url:	 http://netatalk.sourceforge.net/
 Requires: pam
 Requires(post): /sbin/chkconfig /sbin/ldconfig
@@ -62,6 +63,7 @@
 %patch9  -p1 -b .multiarch
 %patch10 -p1 -b .fpsyncdir
 %patch11 -p1 -b .no-verb-chkpoint
+%patch12 -p1 -b .papd_cmds
 
 ln -s ./NEWS ChangeLog
 
@@ -204,6 +206,9 @@
 %{_mandir}/man*/netatalk-config.1*
 
 %changelog
+* Mon Feb 16 2009 Jiri Skala <jskala at redhat.com> - 4:2.0.3-21
+- fix #480641 - CVE-2008-5718 netatalk: papd command injection vulnerability
+
 * Thu Jan 15 2009 Jiri Skala <jskala at redhat.com> - 4:2.0.3-20
 - fix #453072 -  netatalk should use dbd cnid by default
 - fix #453073 -  netatalk: add FPSyncDir patch for Time Machine



