diff -u netatalk-2.0.3/debian/control netatalk-2.0.3/debian/control
--- netatalk-2.0.3/debian/control
+++ netatalk-2.0.3/debian/control
@@ -1,7 +1,8 @@
 Source: netatalk
 Section: net
 Priority: extra
-Maintainer: Jonas Smedegaard <dr@jones.dk>
+Maintainer: Ubuntu MOTU Developers <ubuntu-motu@lists.ubuntu.com>
+XSBC-Original-Maintainer: Jonas Smedegaard <dr@jones.dk>
 Build-Depends: cdbs (>= 0.4.39), autotools-dev, debhelper (>= 4.2.0), libtool, automake1.10, autoconf, quilt, patchutils (>= 0.2.25), dh-buildinfo, devscripts (>= 2.10.7), libdb-dev, libwrap0-dev, libpam0g-dev, libavahi-client-dev (>= 0.6), libcupsys2-dev, libkrb5-dev, libltdl3-dev, d-shlibs (>> 0.19)
 Build-Conflicts: libavahi-compat-libdnssd-dev
 Uploaders: Sebastian Rittau <srittau@debian.org>, Jonas Smedegaard <dr@jones.dk>
diff -u netatalk-2.0.3/debian/changelog netatalk-2.0.3/debian/changelog
--- netatalk-2.0.3/debian/changelog
+++ netatalk-2.0.3/debian/changelog
@@ -1,3 +1,18 @@
+netatalk (2.0.3-9ubuntu0.8.04.1) hardy-security; urgency=low
+
+  * SECURITY UPDATE: LP: #318670
+    + etc/papd:
+      - Quote chars in papd popen variables expansion (and other fixes to
+        papd). Fixes remote execution security hole.
+    + debian/control:
+      - Update MaintainerField as per spec.
+
+  * References:
+    + CVE 2008-5718
+    + Debian bug #510585.
+
+ -- Bhavani Shankar <right2bhavi@gmail.com>  Mon, 19 Jan 2009 16:39:30 +0530
+
 netatalk (2.0.3-9) unstable; urgency=low
 
   * Update zeroconf patch (found in Gentoo bug#133575):
only in patch2:
unchanged:
--- netatalk-2.0.3.orig/etc/papd/lp.c
+++ netatalk-2.0.3/etc/papd/lp.c
@@ -212,10 +212,37 @@
 
 #define is_var(a, b) (strncmp((a), (b), 2) == 0)
 
+static size_t quote(char *dest, char *src, const size_t bsize, size_t len)
+{
+size_t used = 0;
+
+    while (len && used < bsize ) {
+        switch (*src) {
+          case '$':
+          case '\\':
+          case '"':
+          case '`':
+            if (used + 2 > bsize )
+              return used;
+            *dest = '\\';
+            dest++;
+            used++;
+            break;
+        }
+        *dest = *src;
+        src++;
+        dest++;
+        len--;
+        used++;
+    }
+    return used;
+}
+
+
 static char* pipexlate(char *src)
 {
     char *p, *q, *dest; 
-    static char destbuf[MAXPATHLEN];
+    static char destbuf[MAXPATHLEN +1];
     size_t destlen = MAXPATHLEN;
     int len = 0;
    
@@ -224,13 +251,15 @@
     if (!src)
 	return NULL;
 
-    strncpy(dest, src, MAXPATHLEN);
-    if ((p = strchr(src, '%')) == NULL) /* nothing to do */
+    memset(dest, 0, MAXPATHLEN +1);
+    if ((p = strchr(src, '%')) == NULL) { /* nothing to do */
+        strncpy(dest, src, MAXPATHLEN);
         return destbuf;
-
-    /* first part of the path. just forward to the next variable. */
+    }
+    /* first part of the path. copy and forward to the next variable. */
     len = MIN((size_t)(p - src), destlen);
     if (len > 0) {
+        strncpy(dest, src, len);
         destlen -= len;
         dest += len;
     }
@@ -246,17 +275,20 @@
             q =  lp.lp_created_for;
         } else if (is_var(p, "%%")) {
             q = "%";
-        } else
-            q = p;
+        } 
 
         /* copy the stuff over. if we don't understand something that we
          * should, just skip it over. */
         if (q) {
-            len = MIN(p == q ? 2 : strlen(q), destlen);
+            len = MIN(strlen(q), destlen);
+            len = quote(dest, q, destlen, len);
+        }
+        else {
+            len = MIN(2, destlen);
             strncpy(dest, q, len);
-            dest += len;
-            destlen -= len;
         }
+        dest += len;
+        destlen -= len;
 
         /* stuff up to next $ */
         src = p + 2;