Netatalk Security Advisory
- Subject: papd daemon vulnerable to remote command execution
- CVE ID: CVE-2008-5718
- Date of Publishing: 2009/11/10 (advisory published retroactively; date is approximate)
- Affected Netatalk Versions: 2.0.0 - 2.0.4
- Summary: Remote attacker able to execute arbitrary commands in a print request
Description
The papd daemon in Netatalk before version 2.0.5, when using certain variables in a pipe command for the print file, allows remote attackers to execute arbitrary commands via shell metacharacters in a print request, as demonstrated using a crafted Title.
The vulnerability is caused by the papd daemon improperly sanitising several received parameters before passing them in a call to "popen()". This can be exploited to execute arbitrary commands via a specially crafted printing request.
Successful exploitation requires that a printer is configured to pass arbitrary values as parameters to a piped command.
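The following C sketch is an added example of the bug class described above; it is not Netatalk's code or its patch. It assumes a hypothetical `%T` placeholder for the job title in the administrator's pipe command, and reduces the client-supplied value to an allowlist of characters before the string would reach `popen()`.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Copy an untrusted job field into dst, keeping only an allowlist of
 * characters. Anything a shell could interpret (quotes, ;, |, &, $, `,
 * whitespace, newlines, ...) becomes '_'. Returns the number of bytes
 * written, or -1 if dst has no room left for them plus a terminator. */
static int append_sanitised(char *dst, size_t room, const char *src)
{
    size_t n = 0;
    for (; *src != '\0'; src++, n++) {
        unsigned char c = (unsigned char)*src;
        if (n + 1 >= room)
            return -1;
        dst[n] = (isalnum(c) || c == '.' || c == '_' || c == '-') ? (char)c : '_';
    }
    return (int)n;
}

/* Expand the hypothetical placeholder %T in an administrator-written pipe
 * command template with the client-supplied job title. Returns 0 on
 * success and -1 if the result does not fit in out. The command is never
 * truncated silently: a cut-off command line is also a changed one. */
int expand_pipe_cmd(const char *tmpl, const char *title, char *out, size_t outlen)
{
    size_t o = 0;
    if (outlen == 0)
        return -1;
    while (*tmpl != '\0') {
        if (tmpl[0] == '%' && tmpl[1] == 'T') {
            int n = append_sanitised(out + o, outlen - o, title);
            if (n < 0)
                return -1;
            o += (size_t)n;
            tmpl += 2;
        } else {
            if (o + 1 >= outlen)
                return -1;
            out[o++] = *tmpl++;
        }
    }
    out[o] = '\0';
    return 0;
}
```

Where the design allows it, running the filter with `fork()` and `execve()` and passing job fields as separate `argv` entries removes the shell from the path entirely.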
Patch Availability
Apply the patches with git hashes 7fdf387 and f850662 to hotfix your local Netatalk deployment.
Additionally, Netatalk 2.0.5 has been released, which contains the security patches. Netatalk administrators are advised to upgrade to this version or apply the patches as soon as possible.
Note that the previous release, Netatalk 2.0.4, contained a partial fix for this vulnerability.
CVSS Calculation
CVSS:2.0/AV:N/AC:M/Au:N/C:C/I:C/A:C (9.3)
Workaround
None.
Credits
- Vulnerability found and reported by: Thomas Biege from the SUSE Security Team
- Patch developed by: Didier Gautheron and Frank Lahm of the Netatalk team