Netatalk Security Advisory
Subject | papd daemon vulnerable to remote command execution |
---|---|
CVE ID# | CVE-2008-5718 |
Date | 2009/11/10 (advisory published retroactively; date is approximate) |
Versions | 2.0.0 - 2.0.4 |
Summary | Remote attacker able to execute arbitrary commands in a print request |
Description
The papd daemon in Netatalk before version 2.0.5, when using certain variables in a pipe command for the print file, allows remote attackers to execute arbitrary commands via shell metacharacters in a print request, as demonstrated using a crafted Title.
The vulnerability is caused by the papd daemon failing to properly sanitise several received parameters before passing them in a call to "popen()". This can be exploited to execute arbitrary commands via a specially crafted printing request.
Successful exploitation requires that a printer is configured to pass arbitrary values as parameters to a piped command.
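The flaw class described above, shown from the defensive side as an added example (not Netatalk's code and not the referenced patches): a C routine that shell-quotes a job attribute before substituting it into a pipe command destined for popen(). The `%T` placeholder, the `lp -t` template and the function names are assumptions made for this illustration.

```c
#include <stdio.h>
#include <string.h>

/* Append src to dst as one single-quoted shell word (' becomes '\'').
 * Returns 0, or -1 with dst left unchanged if it does not fit. */
static int shell_quote(char *dst, size_t dstsz, const char *src)
{
    size_t start = strlen(dst), n = start;
    if (n + 3 > dstsz) return -1;              /* ' + ' + NUL */
    dst[n++] = '\'';
    for (; *src; src++) {
        size_t need = (*src == '\'') ? 4 : 1;
        if (n + need + 2 > dstsz) { dst[start] = '\0'; return -1; }
        if (*src == '\'') { memcpy(dst + n, "'\\''", 4); n += 4; }
        else dst[n++] = *src;
    }
    dst[n++] = '\''; dst[n] = '\0';
    return 0;
}

/* Expand a pipe-command template: %T -> quoted job title, %% -> '%'.
 * Any other %x fails closed. %T must appear outside quotes in tmpl.
 * (%T is a hypothetical placeholder name, not papd's own syntax.) */
int build_pipe_cmd(char *out, size_t outsz, const char *tmpl, const char *title)
{
    size_t n = 0;
    if (outsz == 0) return -1;
    out[0] = '\0';
    for (; *tmpl; tmpl++) {
        if (*tmpl == '%' && tmpl[1] == 'T') {
            if (shell_quote(out, outsz, title) < 0) return -1;
            n = strlen(out); tmpl++;
        } else if (*tmpl == '%' && tmpl[1] != '%') {
            return -1;                         /* unknown or dangling % */
        } else {
            if (*tmpl == '%') tmpl++;          /* %% -> literal % */
            if (n + 2 > outsz) return -1;
            out[n++] = *tmpl; out[n] = '\0';
        }
    }
    return 0;
}

int main(void)
{
    char cmd[256];
    /* Constructed title containing shell metacharacters. */
    if (build_pipe_cmd(cmd, sizeof cmd, "lp -t %T", "Q3 report; $(x) `y`") == 0)
        puts(cmd);   /* the string that would be handed to popen(cmd, "w") */
    return 0;
}
```

Quoting only holds while the placeholder sits outside any quotes in the configured template; running the print filter with fork() and execvp() and passing attributes as separate arguments avoids the shell altogether.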
Patch Availability
Apply the patches with git hashes 7fdf387 and f850662 to hotfix your local Netatalk deployment.
Additionally, Netatalk 2.0.5, which contains the security patches, has been released. Netatalk administrators are advised to upgrade to this version or apply the patches as soon as possible.
Note that the previous release, Netatalk 2.0.4, contained a partial fix for this vulnerability.
CVSS Calculation
CVSS:2.0/AV:N/AC:M/Au:N/C:C/I:C/A:C (9.3)
Workaround
None.
Credits
Vulnerability found and reported by:
Thomas Biege from the SUSE Security Team
Patch developed by:
Didier Gautheron and Frank Lahm of the Netatalk team