Ubuntu
netatalk package

CVE 2008-5718 in netatalk

Bug #318670 reported by Bhavani Shankar
280
Affects Status Importance Assigned to Milestone
netatalk (Debian)
Fix Released
Unknown
netatalk (Ubuntu)
Fix Released
Undecided
Unassigned
Dapper
Won't Fix
Undecided
Unassigned
Gutsy
Won't Fix
Undecided
Unassigned
Hardy
Won't Fix
Undecided
Unassigned
Intrepid
Invalid
Undecided
Unassigned

Bug Description

Binary package hint: netatalk

The papd daemon in Netatalk before 2.0.4-beta2 allows remote attackers to execute arbitrary commands via shell metacharacters in a print request.

References:

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2008-5718
Debian bug #510585
http://web.nvd.nist.gov/view/vuln/detail;jsessionid=e79c8051adde751400a5a8d3b861?execution=e1s1

See original description

CVE References

Bhavani Shankar (bhavi)
description: updated
Bhavani Shankar (bhavi)
description: updated
Changed in netatalk:
status: New → Confirmed
Revision history for this message
Bhavani Shankar (bhavi) wrote :
Revision history for this message
Bhavani Shankar (bhavi) wrote :

Fix is synced from debian and tested on x86 platform on ubuntu

Complete report and test is given here:

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=510585

Regards

Bhavani Shankar (bhavi)
description: updated
Bhavani Shankar (bhavi)
Changed in netatalk:
assignee: nobody → bhavi
status: Confirmed → In Progress
Revision history for this message
Bhavani Shankar (bhavi) wrote :
Bhavani Shankar (bhavi)
Changed in netatalk:
status: In Progress → Confirmed
Bhavani Shankar (bhavi)
Changed in netatalk:
status: Confirmed → New
Marc Deslauriers (mdeslaur)
Changed in netatalk:
status: New → In Progress
Revision history for this message
Bhavani Shankar (bhavi) wrote :
Revision history for this message
Bhavani Shankar (bhavi) wrote :
Revision history for this message
Bhavani Shankar (bhavi) wrote :

Patch applies and tested on ubuntu x86 platforms....

Revision history for this message
Marc Deslauriers (mdeslaur) wrote :

Hi,

I took a look at the debdiffs. Here are my comments:

netatalk uses patch systems. netatalk in Dapper uses cdbs, while the others use quilt. You have applied a patch directly to source when you need to use the patch systems. See:
https://wiki.ubuntu.com/PackagingGuide/PatchSystems

Also, could you name the updates according to the guidelines from here: https://wiki.ubuntu.com/SecurityUpdateProcedures

eg:
Dapper = 2.0.3-3ubuntu1.1
Gutsy = 2.0.3-6ubuntu1.1
Hardy = 2.0.3-9ubuntu0.1
Intrepid = 2.0.3-11ubuntu1.8.10.1

Thanks!

Revision history for this message
Bhavani Shankar (bhavi) wrote :

Ok! but my college is going to start tomorrow and I am afraid I will not have time to contribute .. So I am setting the status to new..

Changed in netatalk:
assignee: bhavi → nobody
status: In Progress → New
Jamie Strandboge (jdstrand)
Changed in netatalk:
status: New → Triaged
status: New → Triaged
status: New → Triaged
status: New → Triaged
Marc Deslauriers (mdeslaur)
Changed in netatalk:
status: New → Confirmed
Revision history for this message
Sergio Zanchetta (primes2h) wrote :

The 18 month support period for Gutsy Gibbon 7.10 has reached its end of life -
http://www.ubuntu.com/news/ubuntu-7.10-eol . As a result, we are closing the
Gutsy task.

Changed in netatalk (Ubuntu Gutsy):
status: Triaged → Won't Fix
Revision history for this message
Alex Valavanis (valavanisalex) wrote :

Intrepid Ibex reached end-of-life on 30 April 2010 so I am closing the
report. The bug is still marked as confirmed in later versions of Ubuntu.

Changed in netatalk (Ubuntu Intrepid):
status: Triaged → Invalid
Steve Beattie (sbeattie)
tags: added: patch-needswork
Revision history for this message
Alex Valavanis (valavanisalex) wrote :

This bug has been fixed in Debian since version 2.0.4~beta2-1, which has been synced into Ubuntu since Jaunty. I'll leave the tasks for Dapper and Hardy open as they are still covered by LTS but will mark it as fixed in the current version

Changed in netatalk (Ubuntu):
status: Confirmed → Fix Released
Bug Watch Updater (bug-watch-updater)
Changed in netatalk (Debian):
status: Unknown → Fix Released
Revision history for this message
Jamie Strandboge (jdstrand) wrote :

Thank you for reporting this bug to Ubuntu. dapper has reached EOL
(End of Life) and is no longer supported. As a result, this bug
against dapper is being marked "Won't Fix". Please see
https://wiki.ubuntu.com/Releases for currently supported Ubuntu
releases.

Please feel free to report any other bugs you may find.

Changed in netatalk (Ubuntu Dapper):
status: Triaged → Won't Fix
Revision history for this message
Jamie Strandboge (jdstrand) wrote :

Thank you for reporting this bug and helping to make Ubuntu better. The package referred to in this bug is in universe or multiverse and reported against a release of Ubuntu (hardy) which no longer receives updates outside of the explicitly supported LTS packages. While the bug against hardy is being marked "Won't Fix" for now, if you are interested feel free to post a debdiff for this issue. When a debdiff is available, members of the security team will review it and publish the package. See the following link for more information: https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures'

Please feel free to report any other bugs you may find.

Changed in netatalk (Ubuntu Hardy):
status: Triaged → Won't Fix
To post a comment you must log in.
This report contains Public Security information  
Everyone can see this security related information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.