Debian: DSA-1705-1: New netatalk packages fix arbitrary code execution

    Date: 15 Jan 2009
    Category: Debian
    Posted by: LinuxSecurity Advisories
    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1
    
    - --------------------------------------------------------------------------
    Debian Security Advisory DSA 1705-1
    http://www.debian.org/security/                                 Nico Golde
    January 15th, 2009                      http://www.debian.org/security/faq
    - --------------------------------------------------------------------------
    
    Package        : netatalk
    Vulnerability  : missing input sanitising
    Problem type   : local(remote)
    Debian-specific: no
    CVE ID         : CVE-2008-5718
    Debian Bug     : 510585
    
    It was discovered that netatalk, an implementation of the AppleTalk
    suite, is affected by a command injection vulnerability when processing
    PostScript streams via papd.  This could lead to the execution of
    arbitrary code.  Please note that this only affects installations that are
    configured to use a pipe command in combination with wildcard symbols
    substituted with values of the printed job.
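A check for the affected configuration, written here as an added example that is not part of the advisory or of the netatalk project: it parses a printcap-style papd.conf (assuming the `pr=|command` pipe form) and flags printer entries whose pipe command also contains a job-value wildcard. The sample file is constructed, and treating any `%`+letter token as a wildcard is an assumption, since the advisory does not enumerate them.

```python
import re

# Constructed sample papd.conf (printcap syntax): the first entry pipes jobs to a command that
# substitutes a job value (%U) into it, the second pipes without wildcards, the third has no pipe.
SAMPLE_PAPD_CONF = """\
# Printers exported to AppleTalk clients
lab_printer:\\
   :pr=|/usr/bin/lpr -P lab -U %U:\\
   :pd=/etc/atalk/lab.ppd:\\
   :op=operator:
archive:\\
   :pr=|/usr/local/bin/archive-job:
plain:\\
   :pr=lp:
"""

# Assumption: any %-letter token is a job-value wildcard (the advisory does not list them).
WILDCARD = re.compile(r"%[A-Za-z]")

def parse_papd_conf(text):
    """Parse printcap-style text into {printer_name: {capability: value}}."""
    records, pending = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # blank line or comment
        if line.endswith("\\"):
            pending += line[:-1]          # trailing backslash continues the record
            continue
        records.append(pending + line)
        pending = ""
    if pending:
        records.append(pending)           # record left open at end of file
    entries = {}
    for rec in records:
        fields = [f for f in rec.split(":") if f]
        if not fields:
            continue
        caps = {}
        for field in fields[1:]:
            key, _, value = field.partition("=")
            caps[key.strip()] = value.strip()   # bare key (no '=') is a boolean flag
        entries[fields[0]] = caps
    return entries

def pipe_wildcard_entries(entries):
    """Printer names whose pr capability is a pipe command ('|...') that also contains a
    wildcard: the combination DSA-1705-1 describes as affected by CVE-2008-5718."""
    return [name for name, caps in entries.items()
            if caps.get("pr", "").startswith("|") and WILDCARD.search(caps["pr"])]
```

Entries that pipe without wildcards, or that name a printer without a pipe, are not reported; only the flagged ones meet the advisory's precondition.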
    
    For the stable distribution (etch) this problem has been fixed in
    version 2.0.3-4+etch1.
    
    For the upcoming stable distribution (lenny) this problem has been fixed
    in version 2.0.3-11+lenny1.
    
    For the unstable distribution (sid) this problem has been fixed in
    version 2.0.4~beta2-1.
    
    We recommend that you upgrade your netatalk package.
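To confirm that an upgrade actually landed, an added example (not code from the advisory or from Debian) that compares an installed version string against the fixed versions listed above using dpkg's ordering rules, including the `~` rule that makes 2.0.4~beta2 sort before 2.0.4; the version strings are taken from the advisory, the installed version is whatever you pass in.

```python
# Fixed netatalk versions stated in DSA-1705-1, keyed by Debian suite.
FIXED_VERSIONS = {
    "etch": "2.0.3-4+etch1",
    "lenny": "2.0.3-11+lenny1",
    "sid": "2.0.4~beta2-1",
}

def _order(c):
    """dpkg weight of one char: '~' sorts below end-of-string (0), then letters, then other punctuation."""
    return -1 if c == "~" else 0 if c.isdigit() else ord(c) if c.isalpha() else ord(c) + 256

def _verrevcmp(a, b):
    """Compare two version fragments as dpkg does: alternating non-digit and digit runs."""
    i = j = 0
    while i < len(a) or j < len(b):
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i]) if i < len(a) else 0   # end of string weighs 0, so "~beta2" < ""
            bc = _order(b[j]) if j < len(b) else 0
            if ac != bc:
                return ac - bc
            i, j = i + 1, j + 1
        ni, nj = i, j
        while ni < len(a) and a[ni].isdigit():
            ni += 1
        while nj < len(b) and b[nj].isdigit():
            nj += 1
        na, nb = int(a[i:ni] or "0"), int(b[j:nj] or "0")   # numeric compare, leading zeros ignored
        if na != nb:
            return -1 if na < nb else 1
        i, j = ni, nj
    return 0

def _split(v):
    """'epoch:upstream-revision' -> (int, str, str); epoch defaults to 0, revision to ''."""
    epoch, _, rest = v.partition(":") if ":" in v else ("0", "", v)
    upstream, _, rev = rest.rpartition("-") if "-" in rest else (rest, "", "")
    return int(epoch), upstream, rev

def debian_version_cmp(v1, v2):
    """Negative, zero or positive like dpkg --compare-versions: epoch, then upstream, then revision."""
    (e1, u1, r1), (e2, u2, r2) = _split(v1), _split(v2)
    if e1 != e2:
        return -1 if e1 < e2 else 1
    return _verrevcmp(u1, u2) or _verrevcmp(r1, r2)

def netatalk_is_fixed(installed, suite):
    """True when the installed version is at or above the DSA-1705-1 fix for the given suite."""
    return debian_version_cmp(installed, FIXED_VERSIONS[suite]) >= 0
```

On a Debian host, feed `netatalk_is_fixed` the output of `dpkg-query -W -f='${Version}' netatalk` together with the suite the host tracks.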
    
    
    Upgrade Instructions
    - --------------------
    
    wget url
            will fetch the file for you
    dpkg -i file.deb
            will install the referenced file.
    
    If you are using the apt-get package manager, use the line for
    sources.list as given at the end of this advisory:
    
    apt-get update
            will update the internal database
    apt-get upgrade
            will install corrected packages
    
    You may use an automated update by adding the resources from the
    footer to the proper configuration.
    
    
    Debian GNU/Linux 4.0 alias etch
    - -------------------------------
    
    Stable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.
    
      These files will probably be moved into the stable distribution on
      its next update.
    
    - ---------------------------------------------------------------------------------
    For apt-get: deb http://security.debian.org/ stable/updates main
    For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
    Mailing list: [address not preserved in this copy]
    Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
    