netatalk.io

Netatalk Security Advisory

Subject
papd daemon vulnerable to remote command execution
CVE ID
CVE-2008-5718
Date of Publishing
2009/11/10 advisory published retroactively; date is approximate
Affected Netatalk Versions
2.0.0 - 2.0.4
Summary
Remote attacker able to execute arbitrary commands in a print request

Description

The papd daemon in Netatalk before version 2.0.5, when using certain variables in a pipe command for the print file, allows remote attackers to execute arbitrary commands via shell metacharacters in a print request, as demonstrated using a crafted Title.

The vulnerability is caused by the papd daemon improperly sanitising several received parameters before passing them in a call to "popen()". This can be exploited to execute arbitrary commands via a specially crafted printing request.

Successful exploitation requires that a printer is configured to pass arbitrary values as parameters to a piped command.

Patch Availability

Apply the patches with git hash 7fdf387 and f850662 to hotfix your local Netatalk deployment.

Additionally, Netatalk 2.0.5 has been released which contains the security patches. Netatalk administrators are advised to upgrade to this version or apply the patch as soon as possible.

Note that the previous release, Netatalk 2.0.4, contained a partial fix for this vulnerability.

CVSS Calculation

CVSS:2.0/AV:N/AC:M/Au:N/C:C/I:C/A:C (9.3)

Workaround

None.

Credits

Vulnerability found and reported by:
Thomas Biege from the SUSE Security Team
Patch developed by:
Didier Gautheron and Frank Lahm of the Netatalk team

Go back to Support