comix: insufficient escaping on shell calls for rar archives/jpegtran

Related Vulnerabilities: CVE-2008-1568  

Debian Bug report logs - #462840


Package: comix; Maintainer for comix is Emfox Zhou <emfox@debian.org>; Source for comix is src:comix (PTS, buildd, popcon).

Reported by: hhaamu@gmail.com

Date: Sun, 27 Jan 2008 19:33:01 UTC

Severity: grave

Tags: security

Found in version comix/3.6.4-1

Fixed in version comix/3.6.4-1.1

Done: Nico Golde <nion@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Emfox Zhou <emfox@debian.org>:
Bug#462840; Package comix. (full text, mbox, link).


Acknowledgement sent to hhaamu@gmail.com:
New Bug report received and forwarded. Copy sent to Emfox Zhou <emfox@debian.org>. (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: hhaamu@gmail.com
To: submit@bugs.debian.org
Subject: comix: insufficient escaping on shell calls for rar archives/jpegtran
Date: Sun, 27 Jan 2008 21:29:53 +0200
Package: comix
Version: 3.6.4-1
Severity: grave
Justification: user security hole
Tags: security

*** Please type your report below this line ***

Comix uses insufficient shell escaping when calling external programs
(rar/unrar, jpegtran)


 6280                         files = \
 6281                             os.popen(self.rar + ' vb "' + path +
 6282                                 '"').readlines()


 6305                             os.popen(self.rar + ' p -inul -- "' + path + '" "' +
 6306                                 cover + '" > "' + thumb_dir +
 6307                                 '/temp" 2>/dev/null', "r").close()


 8736                     os.popen(
 8737                         self.rar + ' x "' + src_path + '" "' + dst_path + '"')


 9171         os.popen(self.jpegtran + ' -copy all -trim ' + operation +
 9172             ' -outfile "' + self.file[self.file_number] + '" "' +
 9173             self.file[self.file_number] + '"')

This all bombs out when faced with file or directory names that contain
the double quote character (") or a backslash.

-- System Information:
Debian Release: lenny/sid
  APT prefers testing
  APT policy: (700, 'testing'), (500, 'stable'), (400, 'unstable')
Architecture: i386 (i686)

Kernel: Linux 2.6.22-3-686 (SMP w/2 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=fi_FI.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages comix depends on:
ii  gconf2                        2.20.1-2   GNOME configuration database syste
ii  python                        2.4.4-6    An interactive high-level object-o
ii  python-gtk2                   2.12.1-1   Python bindings for the GTK+ widge
ii  python-imaging                1.1.6-1    Python Imaging Library

comix recommends no packages.

-- no debconf information




Information forwarded to debian-bugs-dist@lists.debian.org, Emfox Zhou <emfox@debian.org>:
Bug#462840; Package comix. (full text, mbox, link).


Acknowledgement sent to hhaamu@gmail.com:
Extra info received and forwarded to list. Copy sent to Emfox Zhou <emfox@debian.org>. (full text, mbox, link).


Message #10 received at 462840@bugs.debian.org (full text, mbox, reply):

From: hhaamu@gmail.com
To: 462840@bugs.debian.org
Subject: Re: Bug#462840: comix: insufficient escaping on shell calls for rar archives/jpegtran
Date: Sun, 27 Jan 2008 21:57:55 +0200
Same issue for /usr/bin/comicthumb:
141         rarfiles = os.popen('%s vb "%s"' % (rar, compressed_file)).readlines()

152                 os.popen('%s p -inul -- "%s" "%s" > "/tmp/comicthumb/archive%d"'
153                     % (rar, compressed_file, subarchive, depth), "r")




Information forwarded to debian-bugs-dist@lists.debian.org, Emfox Zhou <emfox@debian.org>:
Bug#462840; Package comix. (full text, mbox, link).


Acknowledgement sent to Nico Golde <nion@debian.org>:
Extra info received and forwarded to list. Copy sent to Emfox Zhou <emfox@debian.org>. (full text, mbox, link).


Message #15 received at 462840@bugs.debian.org (full text, mbox, reply):

From: Nico Golde <nion@debian.org>
To: hhaamu@gmail.com, 462840@bugs.debian.org
Subject: Re: Bug#462840: comix: insufficient escaping on shell calls for rar archives/jpegtran
Date: Mon, 31 Mar 2008 15:38:42 +0200
Hi hhaamu,
* hhaamu@gmail.com <hhaamu@gmail.com> [2008-01-27 20:37]:
> Comix uses insufficient shell escaping when calling external programs
> (rar/unrar, jpegtran)
> 
> 
>  6280                         files = \
>  6281                             os.popen(self.rar + ' vb "' + path +
>  6282                                 '"').readlines()
> 
> 
>  6305                             os.popen(self.rar + ' p -inul -- "' + path + '" "' +
>  6306                                 cover + '" > "' + thumb_dir +
>  6307                                 '/temp" 2>/dev/null', "r").close()
> 
> 
>  8736                     os.popen(
>  8737                         self.rar + ' x "' + src_path + '" "' + dst_path + '"')
> 
> 
>  9171         os.popen(self.jpegtran + ' -copy all -trim ' + operation +
>  9172             ' -outfile "' + self.file[self.file_number] + '" "' +
>  9173             self.file[self.file_number] + '"')
> 
> This all bombs out when faced with file or directory names that contain
> the double quote character (") or a backslash.

Confirmed this issue, requesting a CVE id for this.

Kind regards
Nico
-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.

Information forwarded to debian-bugs-dist@lists.debian.org, Emfox Zhou <emfox@debian.org>:
Bug#462840; Package comix. (full text, mbox, link).


Acknowledgement sent to Nico Golde <nion@debian.org>:
Extra info received and forwarded to list. Copy sent to Emfox Zhou <emfox@debian.org>. (full text, mbox, link).


Message #20 received at 462840@bugs.debian.org (full text, mbox, reply):

From: Nico Golde <nion@debian.org>
To: 462840@bugs.debian.org
Subject: Re: Bug#462840: comix: insufficient escaping on shell calls for rar archives/jpegtran
Date: Tue, 1 Apr 2008 00:21:08 +0200
rename 462840 comix: CVE-2008-1568 arbitrary code execution via crafted file name
thanks

Hi,
CVE-2008-1568 was assigned to this:
Name: CVE-2008-1568
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1568
Reference: CONFIRM:http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=462840

comix 3.6.4 allows attackers to execute arbitrary commands via a
filename containing shell metacharacters that are not properly
sanitized when executing the rar, unrar, or jpegtran programs.

Please mention the CVE id in your changelog if you fix the bug and contact
the upstream author.

Kind regards
Nico

-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.

Information forwarded to debian-bugs-dist@lists.debian.org, Emfox Zhou <emfox@debian.org>:
Bug#462840; Package comix. (full text, mbox, link).


Acknowledgement sent to Nico Golde <nion@debian.org>:
Extra info received and forwarded to list. Copy sent to Emfox Zhou <emfox@debian.org>. (full text, mbox, link).


Message #25 received at 462840@bugs.debian.org (full text, mbox, reply):

From: Nico Golde <nion@debian.org>
To: 462840@bugs.debian.org
Cc: 462836@bugs.debian.org
Subject: intent to NMU
Date: Thu, 3 Apr 2008 01:00:17 +0200
Hi,
uploading a 0-day NMU to fix this bug.

debdiff is attached and will be also archived on:
http://people.debian.org/~nion/nmu-diff/comix-3.6.4-1_3.6.4-1.1.patch

Kind regards
Nico

-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
[comix-3.6.4-1_3.6.4-1.1.patch (text/x-diff, attachment)]

Reply sent to Nico Golde <nion@debian.org>:
You have taken responsibility. (full text, mbox, link).


Notification sent to hhaamu@gmail.com:
Bug acknowledged by developer. (full text, mbox, link).


Message #30 received at 462840-close@bugs.debian.org (full text, mbox, reply):

From: Nico Golde <nion@debian.org>
To: 462840-close@bugs.debian.org
Subject: Bug#462840: fixed in comix 3.6.4-1.1
Date: Wed, 02 Apr 2008 23:17:04 +0000
Source: comix
Source-Version: 3.6.4-1.1

We believe that the bug you reported is fixed in the latest version of
comix, which is due to be installed in the Debian FTP archive:

comix_3.6.4-1.1.diff.gz
  to pool/main/c/comix/comix_3.6.4-1.1.diff.gz
comix_3.6.4-1.1.dsc
  to pool/main/c/comix/comix_3.6.4-1.1.dsc
comix_3.6.4-1.1_all.deb
  to pool/main/c/comix/comix_3.6.4-1.1_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 462840@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Nico Golde <nion@debian.org> (supplier of updated comix package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.7
Date: Thu, 03 Apr 2008 00:49:49 +0200
Source: comix
Binary: comix
Architecture: source all
Version: 3.6.4-1.1
Distribution: unstable
Urgency: high
Maintainer: Emfox Zhou <emfox@debian.org>
Changed-By: Nico Golde <nion@debian.org>
Description: 
 comix      - GTK Comic Book Viewer
Closes: 462836 462840
Changes: 
 comix (3.6.4-1.1) unstable; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Apply patch by Mamoru Tasaka to fix arbitrary code execution
     via crafted file names because of passing the filename directly
     to string concatenation used in os.popen (CVE-2008-1568; Closes: #462840).
   * Apply patch by Mamoru Tasaka to use tempfile.mkdtemp() to enable comix
     for multi-user environments and thus prevent a race condition in /tmp
     without a real security impact (Closes: #462836).
Files: 
 11ee87c5ad9489dca3ac82bbae0cf04a 592 x11 optional comix_3.6.4-1.1.dsc
 b010db6b861426875a7340f21a6b4e5f 6609 x11 optional comix_3.6.4-1.1.diff.gz
 51f84955be80522baee2f1cc196e5fce 234988 x11 optional comix_3.6.4-1.1_all.deb

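
The following is an added example, not comix's code nor the NMU patch: it reproduces the os.popen string-concatenation pattern from the original report beside the hardened form the changelog describes (the file name never reaches a shell). The `rar` path is a stand-in for the unrar binary, and no archiver is needed because the argv is echoed back by the Python interpreter; the sample file name is constructed.

```python
"""Added example, not comix's own code: the os.popen string-concatenation
pattern from the report next to a hardened form that never hands the file
name to a shell. `rar` is a stand-in path for the unrar binary; no archiver
is needed because the argv is echoed back by the Python interpreter."""
import shlex
import subprocess
import sys

# Constructed sample: a name containing the double quotes the report mentions.
SAMPLE_NAME = 'my "comic" vol.1.cbr'


def vulnerable_command(rar, path):
    """comix's pattern: the name is pasted verbatim into a double-quoted
    shell word, so quotes in the name end the word early."""
    return rar + ' vb "' + path + '"'


def shell_words(cmd):
    """What a POSIX shell would make of the command string (shlex.split is
    a close model of that word splitting)."""
    return shlex.split(cmd)


def hardened_argv(rar, path):
    """Fix: one argv element per argument and no shell at all. '--' keeps a
    name starting with '-' from being read as an unrar option."""
    return [rar, "vb", "--", path]


def hardened_shell_command(rar, path):
    """If a shell pipeline is unavoidable (the report's '> thumb 2>/dev/null'
    calls), quote every operand; Python 2 offered pipes.quote for this."""
    return "%s vb -- %s" % (shlex.quote(rar), shlex.quote(path))


def run_without_shell(argv):
    """Execute argv directly. The archiver is swapped for a Python one-liner
    that echoes its arguments NUL-separated, so the call runs offline."""
    stub = [sys.executable, "-c",
            "import sys; print('\\0'.join(sys.argv[1:]), end='')"] + argv[1:]
    done = subprocess.run(stub, capture_output=True, text=True, check=True)
    return done.stdout.split("\0")


if __name__ == "__main__":
    print(shell_words(vulnerable_command("unrar", SAMPLE_NAME)))
    print(run_without_shell(hardened_argv("unrar", SAMPLE_NAME)))
```

With the concatenated form the shell silently strips the quotes and unrar is asked for a file that does not exist; with the argv form the name arrives intact.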





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 12 May 2008 09:47:30 GMT) (full text, mbox, link).


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 14:06:07 2019; Machine Name: buxtehude
