CVE-2008-5718: arbitrary command execution in papd in netatalk

Related Vulnerabilities: CVE-2008-5718  

Debian Bug report logs - #510585
CVE-2008-5718: arbitrary command execution in papd in netatalk


Reported by: Stefan Fritsch <sf@sfritsch.de>

Date: Sat, 3 Jan 2009 12:42:01 UTC

Severity: grave

Tags: patch, security

Found in version netatalk/2.0.3-4

Fixed in versions netatalk/2.0.4~beta2-1, netatalk/2.0.3-11+lenny1, netatalk/2.0.3-4+etch4, netatalk/2.0.4~beta2-4.1, netatalk/2.0.3-4+etch4

Done: Nico Golde <nion@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Jonas Smedegaard <dr@jones.dk>:
Bug#510585; Package netatalk. (Sat, 03 Jan 2009 12:42:03 GMT) (full text, mbox, link).


Acknowledgement sent to Stefan Fritsch <sf@sfritsch.de>:
New Bug report received and forwarded. Copy sent to Jonas Smedegaard <dr@jones.dk>. (Sat, 03 Jan 2009 12:42:03 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Stefan Fritsch <sf@sfritsch.de>
To: submit@bugs.debian.org
Cc: security@debian.org
Subject: CVE-2008-5718: arbitrary command execution in papd in netatalk
Date: Sat, 3 Jan 2009 13:36:50 +0100
Package: netatalk
Version: 2.0.3-4
Severity: grave
Tags: security

Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for netatalk.

CVE-2008-5718[0]:
| The papd daemon in Netatalk before 2.0.4-beta2 allows remote attackers
| to execute arbitrary commands via shell metacharacters in a print
| request.  NOTE: some of these details are obtained from third party
| information.

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5718
    http://security-tracker.debian.net/tracker/CVE-2008-5718




Information forwarded to debian-bugs-dist@lists.debian.org, Jonas Smedegaard <dr@jones.dk>:
Bug#510585; Package netatalk. (Wed, 07 Jan 2009 19:15:03 GMT) (full text, mbox, link).


Acknowledgement sent to Nico Golde <nion@debian.org>:
Extra info received and forwarded to list. Copy sent to Jonas Smedegaard <dr@jones.dk>. (Wed, 07 Jan 2009 19:15:03 GMT) (full text, mbox, link).


Message #10 received at 510585@bugs.debian.org (full text, mbox, reply):

From: Nico Golde <nion@debian.org>
To: Stefan Fritsch <sf@sfritsch.de>, 510585@bugs.debian.org
Subject: Re: Bug#510585: CVE-2008-5718: arbitrary command execution in papd in netatalk
Date: Wed, 7 Jan 2009 20:11:41 +0100
[Message part 1 (text/plain, inline)]
tags 510585 + patch
thanks

Hi,
* Stefan Fritsch <sf@sfritsch.de> [2009-01-03 14:33]:
> the following CVE (Common Vulnerabilities & Exposures) id was
> published for netatalk.
> 
> CVE-2008-5718[0]:
> | The papd daemon in Netatalk before 2.0.4-beta2 allows remote attackers
> | to execute arbitrary commands via shell metacharacters in a print
> | request.  NOTE: some of these details are obtained from third party
> | information.
[...] 

Upstream fix:
http://netatalk.cvs.sourceforge.net/viewvc/netatalk/netatalk/etc/papd/lp.c?r1=1.16&r2=1.17&view=patch

I can confirm that an attacker can execute arbitrary code 
without this fix. The output of the pixelate function is 
just put into popen without any sanitization.

Cheers
Nico
-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
[Message part 2 (application/pgp-signature, inline)]

Tags added: patch Request was from Nico Golde <nion@debian.org> to control@bugs.debian.org. (Wed, 07 Jan 2009 19:15:04 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#510585; Package netatalk. (Thu, 08 Jan 2009 00:03:04 GMT) (full text, mbox, link).


Acknowledgement sent to Jonas Smedegaard <dr@jones.dk>:
Extra info received and forwarded to list. (Thu, 08 Jan 2009 00:03:04 GMT) (full text, mbox, link).


Message #17 received at 510585@bugs.debian.org (full text, mbox, reply):

From: Jonas Smedegaard <dr@jones.dk>
To: Nico Golde <nion@debian.org>, 510585@bugs.debian.org
Cc: control@bugs.debian.org
Subject: Re: Bug#510585: CVE-2008-5718: arbitrary command execution in papd in netatalk
Date: Thu, 8 Jan 2009 00:58:58 +0100
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

tags 510585 pending
thanks

On Wed, Jan 07, 2009 at 08:11:41PM +0100, Nico Golde wrote:
>Upstream fix:
>http://netatalk.cvs.sourceforge.net/viewvc/netatalk/netatalk/etc/papd/lp.c?r1=1.16&r2=1.17&view=patch
>
>I can confirm that an attacker can execute arbitrary code 
>without this fix. The output of the pixelate function is 
>just put into popen without any sanitization.

Thanks for isolating and testing the minimal patch.

I am almost ready to release a new packaging release based on the 
upstream prerelease, and will prepare security releases for Etch and 
Lenny based on above minimal patch.


  - Jonas

- -- 
* Jonas Smedegaard - idealist og Internet-arkitekt
* Tlf.: +45 40843136  Website: http://dr.jones.dk/

  [x] quote me freely  [ ] ask before reusing  [ ] keep private
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkllQcEACgkQn7DbMsAkQLhkdgCfRfQcCVus4vjmxxcIKoT5cXDK
8VsAn2bGCGkJASDTWX8AiR/Y5knJz+v7
=RMx/
-----END PGP SIGNATURE-----




Tags added: pending Request was from Jonas Smedegaard <dr@jones.dk> to control@bugs.debian.org. (Thu, 08 Jan 2009 00:03:05 GMT) (full text, mbox, link).


Reply sent to Jonas Smedegaard <dr@jones.dk>:
You have taken responsibility. (Fri, 09 Jan 2009 15:21:03 GMT) (full text, mbox, link).


Notification sent to Stefan Fritsch <sf@sfritsch.de>:
Bug acknowledged by developer. (Fri, 09 Jan 2009 15:21:03 GMT) (full text, mbox, link).


Message #24 received at 510585-close@bugs.debian.org (full text, mbox, reply):

From: Jonas Smedegaard <dr@jones.dk>
To: 510585-close@bugs.debian.org
Subject: Bug#510585: fixed in netatalk 2.0.4~beta2-1
Date: Fri, 09 Jan 2009 15:02:35 +0000
Source: netatalk
Source-Version: 2.0.4~beta2-1

We believe that the bug you reported is fixed in the latest version of
netatalk, which is due to be installed in the Debian FTP archive:

netatalk_2.0.4~beta2-1.diff.gz
  to pool/main/n/netatalk/netatalk_2.0.4~beta2-1.diff.gz
netatalk_2.0.4~beta2-1.dsc
  to pool/main/n/netatalk/netatalk_2.0.4~beta2-1.dsc
netatalk_2.0.4~beta2-1_amd64.deb
  to pool/main/n/netatalk/netatalk_2.0.4~beta2-1_amd64.deb
netatalk_2.0.4~beta2.orig.tar.gz
  to pool/main/n/netatalk/netatalk_2.0.4~beta2.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 510585@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jonas Smedegaard <dr@jones.dk> (supplier of updated netatalk package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Fri, 09 Jan 2009 05:52:18 +0100
Source: netatalk
Binary: netatalk
Architecture: source amd64
Version: 2.0.4~beta2-1
Distribution: unstable
Urgency: high
Maintainer: Jonas Smedegaard <dr@jones.dk>
Changed-By: Jonas Smedegaard <dr@jones.dk>
Description: 
 netatalk   - AppleTalk user binaries
Closes: 510585
Changes: 
 netatalk (2.0.4~beta2-1) unstable; urgency=high
 .
   * New upstream prerelease:
     + Quote chars in papd popen variables expansion (and other fixes to
       papd). Fixes remote execution security hole CVE-2008-5718. Closes:
       bug#510585.
   * Mangle upstream tarball beta version.
   * Drop patches 000 and 001 contained upstream now.
   * Unfuzz patches 107, 109, 205 and 212.
   * Unfuzz and enable patches 204a, 207a, 208, 209 and 211.
   * Build new DHX2 UAM:
     + Build-depend on libgcrypt11-dev
     + Configure with --with-libgcrypt
     + Drop SSL note from README.Debian
     + Add NEWS entry regarding new and recommended DHX2 UAM
   * Disable CDBS autotools reconfiguration.
   * Update cdbs snippets:
     + Move dependency cleanup to new local snippet package-relations.mk.
     + Update copyright-check output to more closely match proposed new
       copyright file format.
     + Several minor improvements to upstream-tarball.mk.
     + Compact simple licenses (those without ' or later') in
       copyright-check.mk
     + Fix use underscore (not dash) in internal variable
     + Ignore only debian changelog and copyright-related files by
       default in copyright-check.mk
     + Correct and update copyright hints of the snippets themselves
     + Update README.cdbs-tweaks.
   * Add DEB_MAINTAINER_MODE in debian/rules (thanks to Romain Beauxis).
   * Stop installing README.ids no longer provided upstream.
   * Rewrite debian/copyright using new format specification, and
     update copyright hints.
   * Semi-auto-update debian/control to update dependencies:
       DEB_MAINTAINER_MODE=1 fakeroot debian/rules clean
   * Set urgency=high due to security fix.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAklnY24ACgkQn7DbMsAkQLiWSACcDOLc3Sl3A4cyolDspvZFjQBH
6HoAn3xWRItzqkz1a4BiGWjWjVUHEr7P
=x9Sj
-----END PGP SIGNATURE-----





Information forwarded to debian-bugs-dist@lists.debian.org, Jonas Smedegaard <dr@jones.dk>:
Bug#510585; Package netatalk. (Mon, 12 Jan 2009 06:57:02 GMT) (full text, mbox, link).


Acknowledgement sent to Luk Claes <luk@debian.org>:
Extra info received and forwarded to list. Copy sent to Jonas Smedegaard <dr@jones.dk>. (Mon, 12 Jan 2009 06:57:02 GMT) (full text, mbox, link).


Message #29 received at 510585@bugs.debian.org (full text, mbox, reply):

From: Luk Claes <luk@debian.org>
To: 510585@bugs.debian.org
Subject: Re: Bug#510585: fixed in netatalk 2.0.4~beta2-1
Date: Mon, 12 Jan 2009 07:55:51 +0100
Hi

This 'security' update fixes the bug in unstable, though it doesn't seem
to be meant for lenny:

 367 files changed, 57532 insertions(+), 74819 deletions(-)

Can an upload be prepared with targeted fixes for the security issue?

Cheers

Luk




Information forwarded to debian-bugs-dist@lists.debian.org, Jonas Smedegaard <dr@jones.dk>:
Bug#510585; Package netatalk. (Tue, 13 Jan 2009 10:36:02 GMT) (full text, mbox, link).


Acknowledgement sent to Nico Golde <nion@debian.org>:
Extra info received and forwarded to list. Copy sent to Jonas Smedegaard <dr@jones.dk>. (Tue, 13 Jan 2009 10:36:03 GMT) (full text, mbox, link).


Message #34 received at 510585@bugs.debian.org (full text, mbox, reply):

From: Nico Golde <nion@debian.org>
To: Luk Claes <luk@debian.org>, 510585@bugs.debian.org
Subject: Re: Bug#510585: fixed in netatalk 2.0.4~beta2-1
Date: Tue, 13 Jan 2009 11:33:58 +0100
[Message part 1 (text/plain, inline)]
Hi,
* Luk Claes <luk@debian.org> [2009-01-12 11:31]:
> This 'security' update fixes the bug in unstable, though it doesn't seem
> to be meant for lenny:
> 
>  367 files changed, 57532 insertions(+), 74819 deletions(-)
> 
> Can an upload be prepared with targeted fixes for the security issue?

Initially Jonas wanted to prepare updates but I somehow 
don't reach him anymore at the moment. I am currently 
preparing updates for lenny and stable.

Cheers
Nico
-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
[Message part 2 (application/pgp-signature, inline)]

Reply sent to Nico Golde <nion@debian.org>:
You have taken responsibility. (Tue, 13 Jan 2009 19:09:09 GMT) (full text, mbox, link).


Notification sent to Stefan Fritsch <sf@sfritsch.de>:
Bug acknowledged by developer. (Tue, 13 Jan 2009 19:09:09 GMT) (full text, mbox, link).


Message #39 received at 510585-close@bugs.debian.org (full text, mbox, reply):

From: Nico Golde <nion@debian.org>
To: 510585-close@bugs.debian.org
Subject: Bug#510585: fixed in netatalk 2.0.3-11+lenny1
Date: Tue, 13 Jan 2009 18:47:22 +0000
Source: netatalk
Source-Version: 2.0.3-11+lenny1

We believe that the bug you reported is fixed in the latest version of
netatalk, which is due to be installed in the Debian FTP archive:

netatalk_2.0.3-11+lenny1.diff.gz
  to pool/main/n/netatalk/netatalk_2.0.3-11+lenny1.diff.gz
netatalk_2.0.3-11+lenny1.dsc
  to pool/main/n/netatalk/netatalk_2.0.3-11+lenny1.dsc
netatalk_2.0.3-11+lenny1_amd64.deb
  to pool/main/n/netatalk/netatalk_2.0.3-11+lenny1_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 510585@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Nico Golde <nion@debian.org> (supplier of updated netatalk package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Tue, 13 Jan 2009 11:48:33 +0100
Source: netatalk
Binary: netatalk
Architecture: source amd64
Version: 2.0.3-11+lenny1
Distribution: testing-security
Urgency: high
Maintainer: Jonas Smedegaard <dr@jones.dk>
Changed-By: Nico Golde <nion@debian.org>
Description: 
 netatalk   - AppleTalk user binaries
Closes: 510585
Changes: 
 netatalk (2.0.3-11+lenny1) testing-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Fix arbitrary code execution via a crafted PostScript stream
     used in a print request if papd is configured to use a pipe
     command and makes use of variable expansion
     (CVE-2008-5718; Closes: #510585).

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAklsi7UACgkQHYflSXNkfP82XQCgiPvAoiwVguGnN1CG6HBNinZq
LjMAnR0/lmt7GoxL5saCor/bbdrfpGu4
=Tyfx
-----END PGP SIGNATURE-----





Reply sent to Nico Golde <nion@debian.org>:
You have taken responsibility. (Mon, 26 Jan 2009 14:27:05 GMT) (full text, mbox, link).


Notification sent to Stefan Fritsch <sf@sfritsch.de>:
Bug acknowledged by developer. (Mon, 26 Jan 2009 14:27:05 GMT) (full text, mbox, link).


Message #44 received at 510585-close@bugs.debian.org (full text, mbox, reply):

From: Nico Golde <nion@debian.org>
To: 510585-close@bugs.debian.org
Subject: Bug#510585: fixed in netatalk 2.0.3-4+etch4
Date: Mon, 26 Jan 2009 13:52:50 +0000
Source: netatalk
Source-Version: 2.0.3-4+etch4

We believe that the bug you reported is fixed in the latest version of
netatalk, which is due to be installed in the Debian FTP archive:

netatalk_2.0.3-4+etch4.diff.gz
  to pool/main/n/netatalk/netatalk_2.0.3-4+etch4.diff.gz
netatalk_2.0.3-4+etch4.dsc
  to pool/main/n/netatalk/netatalk_2.0.3-4+etch4.dsc
netatalk_2.0.3-4+etch4_amd64.deb
  to pool/main/n/netatalk/netatalk_2.0.3-4+etch4_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 510585@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Nico Golde <nion@debian.org> (supplier of updated netatalk package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Wed, 14 Jan 2009 15:47:49 +0100
Source: netatalk
Binary: netatalk
Architecture: source amd64
Version: 2.0.3-4+etch4
Distribution: stable-security
Urgency: low
Maintainer: Sebastian Rittau <srittau@debian.org>
Changed-By: Nico Golde <nion@debian.org>
Description: 
 netatalk   - AppleTalk user binaries
Closes: 510585
Changes: 
 netatalk (2.0.3-4+etch4) stable-security; urgency=low
 .
   * Non-maintainer upload by the Security Team.
   * Fix arbitrary code execution via a crafted PostScript stream
     used in a print request if papd is configured to use a pipe
     command and makes use of variable expansion
     (CVE-2008-5718; Closes: #510585).
Files: 
 eb3fc44340caed42978dea8b8e8cc53d 822 net extra netatalk_2.0.3-4+etch4.dsc
 efc06139ef2adba4ca71c4ff9effefd2 27582 net extra netatalk_2.0.3-4+etch4.diff.gz
 67f12f90fa7e11d8dfa791f36ee05e22 751530 net extra netatalk_2.0.3-4+etch4_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkluCkcACgkQHYflSXNkfP8/xQCfTQ98O3BQfMePCJoMWQ3WdAHo
Hy0AoJJracasopLRewQXU1zyBJHSFiL2
=uTqq
-----END PGP SIGNATURE-----





Reply sent to Nico Golde <nion@debian.org>:
You have taken responsibility. (Thu, 29 Jan 2009 11:27:03 GMT) (full text, mbox, link).


Notification sent to Stefan Fritsch <sf@sfritsch.de>:
Bug acknowledged by developer. (Thu, 29 Jan 2009 11:27:03 GMT) (full text, mbox, link).


Message #49 received at 510585-close@bugs.debian.org (full text, mbox, reply):

From: Nico Golde <nion@debian.org>
To: 510585-close@bugs.debian.org
Subject: Bug#510585: fixed in netatalk 2.0.4~beta2-4.1
Date: Thu, 29 Jan 2009 11:02:05 +0000
Source: netatalk
Source-Version: 2.0.4~beta2-4.1

We believe that the bug you reported is fixed in the latest version of
netatalk, which is due to be installed in the Debian FTP archive:

netatalk_2.0.4~beta2-4.1.diff.gz
  to pool/main/n/netatalk/netatalk_2.0.4~beta2-4.1.diff.gz
netatalk_2.0.4~beta2-4.1.dsc
  to pool/main/n/netatalk/netatalk_2.0.4~beta2-4.1.dsc
netatalk_2.0.4~beta2-4.1_amd64.deb
  to pool/main/n/netatalk/netatalk_2.0.4~beta2-4.1_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 510585@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Nico Golde <nion@debian.org> (supplier of updated netatalk package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Thu, 29 Jan 2009 11:32:54 +0100
Source: netatalk
Binary: netatalk
Architecture: source amd64
Version: 2.0.4~beta2-4.1
Distribution: unstable
Urgency: high
Maintainer: Jonas Smedegaard <dr@jones.dk>
Changed-By: Nico Golde <nion@debian.org>
Description: 
 netatalk   - AppleTalk user binaries
Closes: 510585
Changes: 
 netatalk (2.0.4~beta2-4.1) unstable; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Fix incomplete upstream patch for CVE-2008-5718 by
     escaping every problematic character and not only those which
     enable an attacker to execute arbitrary code
     (213_CVE-2008-5718.patch; Closes: #510585).

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkmBiPIACgkQHYflSXNkfP82hQCeOQGvZ+7JwlLciwPwqRmmqieM
O9wAnjTxwOQJiiSw36UUDwx4doG4ZeHC
=rr1S
-----END PGP SIGNATURE-----





Reply sent to Nico Golde <nion@debian.org>:
You have taken responsibility. (Thu, 05 Feb 2009 13:57:10 GMT) (full text, mbox, link).


Notification sent to Stefan Fritsch <sf@sfritsch.de>:
Bug acknowledged by developer. (Thu, 05 Feb 2009 13:57:10 GMT) (full text, mbox, link).


Message #54 received at 510585-close@bugs.debian.org (full text, mbox, reply):

From: Nico Golde <nion@debian.org>
To: 510585-close@bugs.debian.org
Subject: Bug#510585: fixed in netatalk 2.0.3-4+etch4
Date: Thu, 05 Feb 2009 13:52:28 +0000
Source: netatalk
Source-Version: 2.0.3-4+etch4

We believe that the bug you reported is fixed in the latest version of
netatalk, which is due to be installed in the Debian FTP archive:

netatalk_2.0.3-4+etch4.diff.gz
  to pool/main/n/netatalk/netatalk_2.0.3-4+etch4.diff.gz
netatalk_2.0.3-4+etch4.dsc
  to pool/main/n/netatalk/netatalk_2.0.3-4+etch4.dsc
netatalk_2.0.3-4+etch4_amd64.deb
  to pool/main/n/netatalk/netatalk_2.0.3-4+etch4_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 510585@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Nico Golde <nion@debian.org> (supplier of updated netatalk package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Wed, 28 Jan 2009 17:08:40 +0100
Source: netatalk
Binary: netatalk
Architecture: source amd64
Version: 2.0.3-4+etch4
Distribution: stable-security
Urgency: high
Maintainer: Sebastian Rittau <srittau@debian.org>
Changed-By: Nico Golde <nion@debian.org>
Description: 
 netatalk   - AppleTalk user binaries
Closes: 510585
Changes: 
 netatalk (2.0.3-4+etch4) stable-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Fix incomplete patch for CVE-2008-5718 by updating
     213_CVE-2008-5718.patch to also quote a few missing characters
     that allow overwriting arbitrary files (Closes: #510585).
Files: 
 24e5e47499a0a1dfd5431e4a6155b7b3 822 net extra netatalk_2.0.3-4+etch4.dsc
 434f6f5d9457398a673ec69bb30307ab 27721 net extra netatalk_2.0.3-4+etch4.diff.gz
 b8a5955988a0d59901faf4ed0464fbd6 751502 net extra netatalk_2.0.3-4+etch4_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkmAhNQACgkQHYflSXNkfP/wCQCgmzBxE9Q3iMTqNegRw49cGGRf
dxUAoLQpcSt8ShoKB43Jvrsw25po0//4
=r/TJ
-----END PGP SIGNATURE-----
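
The quoting problem discussed in this thread (the unsanitized value passed to popen in message #10, and the incomplete-patch follow-ups in the 2.0.4~beta2-4.1 and 2.0.3-4+etch4 changelogs), as an added C example that is not netatalk's code. The `%J` variable, the function names and the denylist contents are assumptions, and the job title is a constructed sample.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumption: "%J" in the pipe-command template stands for the
 * client-supplied job title, and it appears outside any shell quotes. */
enum quote_mode { QUOTE_NONE, QUOTE_DENYLIST, QUOTE_ALLOWLIST };

/* Illustrative denylist of command-execution characters. The set the
 * upstream patch actually covered is not listed in the bug log. */
static const char EXEC_META[] = ";|&`$()";

static int needs_escape(unsigned char c, enum quote_mode mode)
{
    if (mode == QUOTE_NONE)
        return 0;
    if (mode == QUOTE_DENYLIST)
        return strchr(EXEC_META, c) != NULL;
    /* Allowlist: everything except a small known-safe set is escaped. */
    return !(isalnum(c) || c == '_' || c == '-' || c == '.');
}

/* Expand "%J" in tmpl with title. Returns the command length, or -1 if
 * out is too small or (allowlist mode) the title holds a control byte,
 * since backslash-newline is a line continuation, not a literal newline. */
int expand_cmd(const char *tmpl, const char *title, enum quote_mode mode,
               char *out, size_t cap)
{
    size_t n = 0;

    if (cap == 0)
        return -1;
    for (const char *p = tmpl; *p; p++) {
        if (p[0] != '%' || p[1] != 'J') {      /* literal template byte */
            if (n + 1 >= cap)
                return -1;
            out[n++] = *p;
            continue;
        }
        p++;                                   /* skip the 'J' */
        for (const char *v = title; *v; v++) {
            unsigned char c = (unsigned char)*v;
            if (mode == QUOTE_ALLOWLIST && iscntrl(c))
                return -1;
            if (needs_escape(c, mode)) {
                if (n + 1 >= cap)
                    return -1;
                out[n++] = '\\';
            }
            if (n + 1 >= cap)
                return -1;
            out[n++] = (char)c;
        }
    }
    out[n] = '\0';
    return (int)n;
}

/* Count shell operators in cmd that are not backslash-escaped. */
int active_operators(const char *cmd)
{
    int count = 0;
    for (const char *p = cmd; *p; p++) {
        if (*p == '\\' && p[1]) { p++; continue; }
        if (strchr(";|&`$()<>", *p))
            count++;
    }
    return count;
}

int main(void)
{
    const char *tmpl = "lpr -J %J";   /* hypothetical template */
    const char *title = "a;b>c";      /* constructed job title */
    char cmd[64];

    for (int m = QUOTE_NONE; m <= QUOTE_ALLOWLIST; m++) {
        if (expand_cmd(tmpl, title, (enum quote_mode)m, cmd, sizeof cmd) < 0)
            return 1;
        printf("mode %d: %-16s active operators: %d\n",
               m, cmd, active_operators(cmd));
    }
    return 0;
}
```

Backslash-escaping only holds where the variable sits unquoted in the template; running the print command through an argv-based exec without a shell removes the quoting problem altogether.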





Reply sent to Nico Golde <nion@debian.org>:
You have taken responsibility. (Mon, 09 Feb 2009 21:54:22 GMT) (full text, mbox, link).


Notification sent to Stefan Fritsch <sf@sfritsch.de>:
Bug acknowledged by developer. (Mon, 09 Feb 2009 21:54:23 GMT) (full text, mbox, link).


Message #59 received at 510585-close@bugs.debian.org (full text, mbox, reply):

From: Nico Golde <nion@debian.org>
To: 510585-close@bugs.debian.org
Subject: Bug#510585: fixed in netatalk 2.0.3-4+etch4
Date: Mon, 09 Feb 2009 21:35:43 +0000
Source: netatalk
Source-Version: 2.0.3-4+etch4






Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 10 Mar 2009 07:37:19 GMT) (full text, mbox, link).




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 17:26:49 2019; Machine Name: buxtehude
