Tomas Hoger writes ( https://bugzilla.redhat.com/show_bug.cgi?id=448285 ): Mamoru Tasaka discovered, that cbrpager (Simple comic book pager for Linux) does not properly sanitize file names of the image archives before calling external decompression utilities unrar and unzip using system() libc library call. Opening a .zip or .rar archive with specially crafted filename can result in an execution of the arbitrary code with the privileges of the user running cbrpager. Sample file name: test";echo owned>bla;".rar (same as for similar issue in comix - https://bugzilla.redhat.com/show_bug.cgi?id=430635#c4) Mamoru's patch accepted by upstream: http://cvs.fedoraproject.org/viewcvs/rpms/cbrpager/devel/cbrpager-0.9.16-filen-shell-escaping.patch?rev=1.2 Fixed upstream in version 0.9.17: http://sourceforge.net/forum/forum.php?forum_id=827120 http://www.jcoppens.com/soft/cbrpager/log.en.php
As noted in the Bugzilla, there's an update to the patch: http://cvs.fedoraproject.org/viewcvs/rpms/cbrpager/devel/cbrpager-0.9.17-zip-filen-escape.patch?rev=1.1
0.9.17 is in CVS, including the patch from comment #1. Arches, please test and mark stable: =app-misc/cbrpager-0.9.17 Target keywords : "amd64 release x86"
x86 stable
amd64 stable. All archs stable. Fixed in release snapshot.
GLSA request filed.
GLSA 200806-05
