Debian: DSA-1704-2: Updated netatalk packages fix denial of service

    Date29 Jan 2009
    CategoryDebian
    58
    Posted ByLinuxSecurity Advisories
    The update in DSA 1704-1 was incomplete as it missed to escape a few important characters which enabled an attacker to overwrite arbitrary files.
    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1
    
    - --------------------------------------------------------------------------
    Debian Security Advisory DSA 1704-2                    This email address is being protected from spambots. You need JavaScript enabled to view it.
    http://www.debian.org/security/                                 Nico Golde
    January 30th, 2009                      http://www.debian.org/security/faq
    - --------------------------------------------------------------------------
    
    Package        : netatalk
    Vulnerability  : arbitrary code execution
    Problem type   : remote
    Debian-specific: no
    CVE ID         : CVE-2008-5718
    Debian Bug     : 510585
    
    The update in DSA 1704-1 was incomplete as it missed to escape a few
    important characters which enabled an attacker to overwrite arbitrary
    files.
    
    It was discovered that netatalk, an implementation of the AppleTalk
    suite, is affected by a command injection vulnerability when processing
    PostScript streams via papd.  This is leading to arbitrary remote
    code execution.  Note that this only affects installations that are
    configured to use a pipe command in combination with wildcard symbols
    substituted with values of the printed job.
    
    For the stable distribution (etch) this problem has been fixed in
    version 2.0.3-4+etch2.
    
    For the unstable distribution (sid) this problem has been fixed in
    version 2.0.4~beta2-1.1.
    
    We recommend that you upgrade your netatalk package.
    
    
    Upgrade Instructions
    - --------------------
    
    wget url
            will fetch the file for you
    dpkg -i file.deb
            will install the referenced file.
    
    If you are using the apt-get package manager, use the line for
    sources.list as given at the end of this advisory:
    
    apt-get update
            will update the internal database
    apt-get upgrade
            will install corrected packages
    
    You may use an automated update by adding the resources from the
    footer to the proper configuration.
    
    
    Debian GNU/Linux 4.0 alias etch
    - -------------------------------
    
    Stable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.
    
    Source archives:
    
      http://security.debian.org/pool/updates/main/n/netatalk/netatalk_2.0.3-4+etch2.diff.gz
        Size/MD5 checksum:    27721 434f6f5d9457398a673ec69bb30307ab
      http://security.debian.org/pool/updates/main/n/netatalk/netatalk_2.0.3-4+etch2.dsc
        Size/MD5 checksum:      822 24e5e47499a0a1dfd5431e4a6155b7b3
      http://security.debian.org/pool/updates/main/n/netatalk/netatalk_2.0.3.orig.tar.gz
        Size/MD5 checksum:  1920570 17917abd7d255d231cc0c6188ccd27fb
    
    alpha architecture (DEC Alpha)
    
      http://security.debian.org/pool/updates/main/n/netatalk/netatalk_2.0.3-4+etch2_alpha.deb
        Size/MD5 checksum:   869730 bde96c1e64bb233907f09030707dff2a
    
    amd64 architecture (AMD x86_64 (AMD64))
    
      http://security.debian.org/pool/updates/main/n/netatalk/netatalk_2.0.3-4+etch2_amd64.deb
        Size/MD5 checksum:   751502 b8a5955988a0d59901faf4ed0464fbd6
    
    arm architecture (ARM)
    
      http://security.debian.org/pool/updates/main/n/netatalk/netatalk_2.0.3-4+etch2_arm.deb
        Size/MD5 checksum:   729434 2037b3d25d6014b3349a7eff040eddb7
    
    hppa architecture (HP PA RISC)
    
      http://security.debian.org/pool/updates/main/n/netatalk/netatalk_2.0.3-4+etch2_hppa.deb
        Size/MD5 checksum:   800406 0d3f791475418ce8d4dcff2b4a5ac0b5
    
    i386 architecture (Intel ia32)
    
      http://security.debian.org/pool/updates/main/n/netatalk/netatalk_2.0.3-4+etch2_i386.deb
        Size/MD5 checksum:   706692 f9d73cc2e974b8d3ad968d94def616f3
    
    ia64 architecture (Intel ia64)
    
      http://security.debian.org/pool/updates/main/n/netatalk/netatalk_2.0.3-4+etch2_ia64.deb
        Size/MD5 checksum:  1007912 d6322917392bd75b00b00ba3d50e125f
    
    mips architecture (MIPS (Big Endian))
    
      http://security.debian.org/pool/updates/main/n/netatalk/netatalk_2.0.3-4+etch2_mips.deb
        Size/MD5 checksum:   765606 6f09e63d5663495b21954510e56ba2eb
    
    mipsel architecture (MIPS (Little Endian))
    
      http://security.debian.org/pool/updates/main/n/netatalk/netatalk_2.0.3-4+etch2_mipsel.deb
        Size/MD5 checksum:   773460 ae5779311e770d841fd819df94a13179
    
    powerpc architecture (PowerPC)
    
      http://security.debian.org/pool/updates/main/n/netatalk/netatalk_2.0.3-4+etch2_powerpc.deb
        Size/MD5 checksum:   757730 c6eed701024c155a9e08306d16edd6a9
    
    s390 architecture (IBM S/390)
    
      http://security.debian.org/pool/updates/main/n/netatalk/netatalk_2.0.3-4+etch2_s390.deb
        Size/MD5 checksum:   770510 bdf58f88ed39829c7defcb0d7b623b88
    
    sparc architecture (Sun SPARC/UltraSPARC)
    
      http://security.debian.org/pool/updates/main/n/netatalk/netatalk_2.0.3-4+etch2_sparc.deb
        Size/MD5 checksum:   712126 8ea90b6e13fb5f136badaa3878a61474
    
    
      These files will probably be moved into the stable distribution on
      its next update.
    
    - ---------------------------------------------------------------------------------
    For apt-get: deb http://security.debian.org/ stable/updates main
    For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
    Mailing list: This email address is being protected from spambots. You need JavaScript enabled to view it.
    Package info: `apt-cache show ' and http://packages.debian.org/
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    You are not authorised to post comments.

    Comments powered by CComment

    LinuxSecurity Poll

    What do you think of the articles on LinuxSecurity?

    No answer selected. Please try again.
    Please select either existing option or enter your own, however not both.
    Please select minimum 0 answer(s) and maximum 3 answer(s).
    /main-polls/24-what-do-you-think-of-the-quality-of-the-articles-on-linuxsecurity?task=poll.vote&format=json
    24
    radio
    [{"id":"87","title":"Excellent, don't change a thing!","votes":"13","type":"x","order":"1","pct":52,"resources":[]},{"id":"88","title":"Should be more technical","votes":"4","type":"x","order":"2","pct":16,"resources":[]},{"id":"89","title":"Should include more HOWTOs","votes":"8","type":"x","order":"3","pct":32,"resources":[]}]["#ff5b00","#4ac0f2","#b80028","#eef66c","#60bb22","#b96a9a","#62c2cc"]["rgba(255,91,0,0.7)","rgba(74,192,242,0.7)","rgba(184,0,40,0.7)","rgba(238,246,108,0.7)","rgba(96,187,34,0.7)","rgba(185,106,154,0.7)","rgba(98,194,204,0.7)"]350
    bottom200

    We use cookies to provide and improve our services. By using our site, you consent to our Cookie Policy.