Netatalk Security Advisory
Subject | papd daemon vulnerable to remote command execution |
---|---|
CVE ID# | CVE-2008-5718 |
Date | 2009/11/10 advisory published retroactively; date is approximate |
Versions | 2.0.0 - 2.0.4 |
Summary | Remote attacker able to execute arbitrary commands in a print request |
Description
The papd daemon in Netatalk contains a vulnerability where specific variables within a pipe command for handling print files can enable remote attackers to run arbitrary commands.
This can be achieved by embedding shell metacharacters in a print request, such as by manipulating the Title field in a maliciously crafted request.
The vulnerability is caused by the papd daemon improperly sanitising several received parameters before passing them in a call to “popen()”. This can be exploited to execute arbitrary commands via a specially crafted printing request.
Successful exploitation requires that a printer is configured to pass arbitrary values as parameters to a piped command.
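The following is an added example, not code from Netatalk or from the patches referenced in this advisory. It shows one way to neutralise shell metacharacters in a client-supplied value before it is substituted into a command line passed to popen(). The `%T` placeholder, the function names and the allowlist are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Allowlist: only bytes with no special meaning to /bin/sh survive. */
static int is_safe(unsigned char c)
{
    return (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
           (c >= '0' && c <= '9') || c == '.' || c == '_' || c == '-';
}

/* Copy a client-supplied value into out, replacing unsafe bytes with '_'.
 * A leading '-' is also replaced so the value cannot be read as an option.
 * Returns the number of bytes replaced, or -1 if out is too small. */
int sanitize_param(const char *in, char *out, size_t outlen)
{
    size_t n = strlen(in);
    int replaced = 0;

    if (n + 1 > outlen)
        return -1;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)in[i];
        if (!is_safe(c) || (i == 0 && c == '-')) {
            out[i] = '_';
            replaced++;
        } else {
            out[i] = (char)c;
        }
    }
    out[n] = '\0';
    return replaced;
}

/* Expand the first hypothetical %T placeholder in tmpl with the sanitised
 * title. Returns 0 on success, -1 if anything would be truncated. */
int build_pipe_command(const char *tmpl, const char *title,
                       char *cmd, size_t cmdlen)
{
    char safe[128];
    const char *p = strstr(tmpl, "%T");
    int len;

    if (sanitize_param(title, safe, sizeof(safe)) < 0)
        return -1;
    if (p == NULL)
        len = snprintf(cmd, cmdlen, "%s", tmpl);
    else
        len = snprintf(cmd, cmdlen, "%.*s%s%s",
                       (int)(p - tmpl), tmpl, safe, p + 2);
    return (len < 0 || (size_t)len >= cmdlen) ? -1 : 0;
}
```

A non-zero return from `sanitize_param` is also a useful logging signal, since legitimate job titles rarely contain shell metacharacters.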
Patch Availability
Apply the patches with git hashes 7fdf387 and f850662 to hotfix your local Netatalk deployment.
Additionally, Netatalk 2.0.5, which contains the security patches, has been released. Netatalk administrators are advised to upgrade to this version or apply the patches as soon as possible.
Note that the previous release, Netatalk 2.0.4, contained a partial fix for this vulnerability.
CVSS Calculation
CVSS:2.0/AV:N/AC:M/Au:N/C:C/I:C/A:C (9.3)
Workaround
None.
Credits
Vulnerability found and reported by:
Thomas Biege from the SUSE Security Team
Patch developed by:
Didier Gautheron and Frank Lahm of the Netatalk team