Re: [Netatalk-devel] Regarding CVE-2008-5718 patch correction (fwd)

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 454-5900

2009/7/17 Frank Lahm <fra...@go...>:
> 2009/7/16 Andrew Morgan <mo...@or...>:
>> On Thu, 16 Jul 2009, Frank Lahm wrote:
>>
>>> 2009/7/15 didier <dga...@ma...>:
>>>>
>>>> Hi,
>>>> Le mercredi 15 juillet 2009 à 10:11 +0200, Frank Lahm a écrit :
>>>>>
>>>>> 2009/7/14 Andrew Morgan <mo...@or...>:
>>>>> > Any thoughts on this?
>>>>>
>>>>> until Didier throws in his opinion I'd just like to say two things:
>>>>> - papd.conf ought to be writable for root only, so why care anyway ?
>>>>> - as Robert suggests, if neccessary at all we should be replacing
>>>>> popen with fork'n'exec instead of implementing some sophisticated
>>>>> quoting logic
>>>>>
>>>>> Anyhow, I'm curious on what Didier has to say on this!
>>>>
>>>> Get ride of the whole substitution stuff:
>>>> - papd is legacy.
>>>> - %U doesn't work anymore.
>>>> - You can't get it right, I don't remember why I disliked this patch but
>>>> I had issues with it.
>>>> - Anyway nobody uses this functionality, it was broken for years and we
>>>> got exactly 0 bug report about "wildcards" doesn't work.
>>>
>>> Ok. If nobody complains _now_, I'll remove it and update the docs.
>>
>> Should we make a security release to fix this, or wait until our next
>> scheduled release?
>
> Most distributions (all I'm aware of) have a patch applied downstream
> anyway, so there's no need push things.
> I'll fix it HEAD so it will be in the next major release i.e. 2.1.

I've fixed it in head and in the 2.0 branch, both papd and the docs.
Hopefully I got hold of any part in the docs mentioning it. This means
we must also update the online manual when we release 2.0.5. You're
welcome to remind me of this when time comes.

I've upped VERSION to 2.0.5dev and updated NEWS.

-Frank