Subject: comix: insufficient escaping on shell calls for rar archives/jpegtran
Date: Sun, 27 Jan 2008 21:29:53 +0200
Package: comix
Version: 3.6.4-1
Severity: grave
Justification: user security hole
Tags: security
Comix uses insufficient shell escaping when calling external programs
(rar/unrar, jpegtran)
    # comix, lines 6280-6282
    files = \
        os.popen(self.rar + ' vb "' + path +
                 '"').readlines()

    # comix, lines 6305-6307
    os.popen(self.rar + ' p -inul -- "' + path + '" "' +
             cover + '" > "' + thumb_dir +
             '/temp" 2>/dev/null', "r").close()

    # comix, lines 8736-8737
    os.popen(
        self.rar + ' x "' + src_path + '" "' + dst_path + '"')

    # comix, lines 9171-9173
    os.popen(self.jpegtran + ' -copy all -trim ' + operation +
             ' -outfile "' + self.file[self.file_number] + '" "' +
             self.file[self.file_number] + '"')
This all bombs out when faced with file or directory names that contain
the double quote character (") or a backslash.
-- System Information:
Debian Release: lenny/sid
APT prefers testing
APT policy: (700, 'testing'), (500, 'stable'), (400, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.6.22-3-686 (SMP w/2 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=fi_FI.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Versions of packages comix depends on:
ii gconf2 2.20.1-2 GNOME configuration database syste
ii python 2.4.4-6 An interactive high-level object-o
ii python-gtk2 2.12.1-1 Python bindings for the GTK+ widge
ii python-imaging 1.1.6-1 Python Imaging Library
comix recommends no packages.
-- no debconf information
Information forwarded to debian-bugs-dist@lists.debian.org, Emfox Zhou <emfox@debian.org>: Bug#462840; Package comix.
Acknowledgement sent to hhaamu@gmail.com:
Extra info received and forwarded to list. Copy sent to Emfox Zhou <emfox@debian.org>.
Subject: Re: Bug#462840: comix: insufficient escaping on shell calls for rar archives/jpegtran
Date: Sun, 27 Jan 2008 21:57:55 +0200
Same issue for /usr/bin/comicthumb:
    # comicthumb, line 141
    rarfiles = os.popen('%s vb "%s"' % (rar, compressed_file)).readlines()

    # comicthumb, lines 152-153
    os.popen('%s p -inul -- "%s" "%s" > "/tmp/comicthumb/archive%d"'
             % (rar, compressed_file, subarchive, depth), "r")
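Added illustration, not part of the bug thread or of the comix/comicthumb code, of why the double-quoted construction in both reports above fails and what the no-shell alternative looks like. The argv-echoing Python child that stands in for rar, the `tool` argv prefix and the `--` after `vb` are this example's own assumptions.

```python
import json
import shlex
import subprocess
import sys


def legacy_command_line(rar, path):
    """Mirror of the comix 3.6.4 / comicthumb construction quoted above:
    the archive name is pasted into a shell command line between double
    quotes, so a quote inside the name ends the quoting early."""
    return rar + ' vb "' + path + '"'


def words_seen_by_shell(cmdline):
    """Emulate POSIX word splitting (shlex in posix mode) to see what argv
    /bin/sh would hand to rar. Raises ValueError on an unbalanced quote,
    which is the "bombs out" case from the report."""
    return shlex.split(cmdline)


def list_archive_hardened(tool, path):
    """No shell at all: the name travels as one argv element whatever it
    contains, and '--' ends option parsing so a name beginning with '-'
    is not read as a switch (the thread's own 'p -inul --' call does the
    same). `tool` is an argv prefix, e.g. ['unrar'] in real use."""
    proc = subprocess.run(tool + ['vb', '--', path],
                          capture_output=True, text=True, check=True)
    return proc.stdout


# Constructed stand-in for the rar binary: a Python child that prints its
# own argv as JSON, so we can see exactly what arrived.
ECHO_ARGV = [sys.executable, '-c',
             'import json, sys; print(json.dumps(sys.argv[1:]))']


def argv_received(path):
    """Run the hardened call against the stand-in and decode what it saw."""
    return json.loads(list_archive_hardened(ECHO_ARGV, path))


if __name__ == '__main__':
    name = 'Batman "Year One" #1.cbr'   # constructed name with balanced quotes
    print(words_seen_by_shell(legacy_command_line('rar', name)))
    # -> ['rar', 'vb', 'Batman Year', 'One #1.cbr']: the name reaches rar as
    #    two arguments, neither of them an existing file
    print(argv_received(name))
    # -> ['vb', '--', 'Batman "Year One" #1.cbr']
```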
rename 462840 comix: CVE-2008-1568 arbitrary code execution via crafted file name
thanks
Hi,
CVE-2008-1568 was assigned to this:
Name: CVE-2008-1568
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1568
Reference: CONFIRM:http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=462840
comix 3.6.4 allows attackers to execute arbitrary commands via a
filename containing shell metacharacters that are not properly
sanitized when executing the rar, unrar, or jpegtran programs.
Please mention the CVE id in your changelog if you fix the bug and contact
the upstream author.
Kind regards
Nico
--
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
Source: comix
Source-Version: 3.6.4-1.1
We believe that the bug you reported is fixed in the latest version of
comix, which is due to be installed in the Debian FTP archive:
comix_3.6.4-1.1.diff.gz
to pool/main/c/comix/comix_3.6.4-1.1.diff.gz
comix_3.6.4-1.1.dsc
to pool/main/c/comix/comix_3.6.4-1.1.dsc
comix_3.6.4-1.1_all.deb
to pool/main/c/comix/comix_3.6.4-1.1_all.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 462840@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Nico Golde <nion@debian.org> (supplier of updated comix package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
Format: 1.7
Date: Thu, 03 Apr 2008 00:49:49 +0200
Source: comix
Binary: comix
Architecture: source all
Version: 3.6.4-1.1
Distribution: unstable
Urgency: high
Maintainer: Emfox Zhou <emfox@debian.org>
Changed-By: Nico Golde <nion@debian.org>
Description:
comix - GTK Comic Book Viewer
Closes: 462836 462840
Changes:
comix (3.6.4-1.1) unstable; urgency=high
.
* Non-maintainer upload by the Security Team.
* Apply patch by Mamoru Tasaka to fix arbitrary code execution
via crafted file names because of passing the filename directly
to string concatenation used in os.popen (CVE-2008-1568; Closes: #462840).
* Apply patch by Mamoru Tasaka to use tempfile.mkdtemp() to enable comix
for multi-user environments and thus prevent a race condition in /tmp
without a real security impact (Closes: #462836).
Files:
11ee87c5ad9489dca3ac82bbae0cf04a 592 x11 optional comix_3.6.4-1.1.dsc
b010db6b861426875a7340f21a6b4e5f 6609 x11 optional comix_3.6.4-1.1.diff.gz
51f84955be80522baee2f1cc196e5fce 234988 x11 optional comix_3.6.4-1.1_all.deb
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Mon, 12 May 2008 09:47:30 GMT)