Bug#: 223657
Status: RESOLVED
Resolution: FIXED
Assigned To: Gentoo Security <security@gentoo.org>
Reporter: Robert Buchholz <rbu@gentoo.org>
Description:   Opened: 2008-05-26 08:48 0000
Tomas Hoger writes ( https://bugzilla.redhat.com/show_bug.cgi?id=448285 ):
Mamoru Tasaka discovered that cbrpager (Simple comic book pager for Linux)
does not properly sanitize file names of the image archives before calling
external decompression utilities unrar and unzip using system() libc library
call. Opening a .zip or .rar archive with specially crafted filename can
result in an execution of the arbitrary code with the privileges of the user
running cbrpager.

Sample file name:
  test";echo owned>bla;".rar
(same as for similar issue in comix -
https://bugzilla.redhat.com/show_bug.cgi?id=430635#c4)

Mamoru's patch accepted by upstream:
http://cvs.fedoraproject.org/viewcvs/rpms/cbrpager/devel/cbrpager-0.9.16-filen-shell-escaping.patch?rev=1.2

Fixed upstream in version 0.9.17:
http://sourceforge.net/forum/forum.php?forum_id=827120
http://www.jcoppens.com/soft/cbrpager/log.en.php
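
Added example, not part of the report and not cbrpager's code or the upstream patch: one way to quote an untrusted archive name as a single POSIX sh word before it reaches system() or popen(), with a round trip through the real shell to confirm the name arrives intact. The function names, buffer sizes and the printf command used for the check are assumptions made for this illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>

/* Quote `in` as one sh word: wrap in '...' and emit each ' as '\''. 0 = ok. */
int sh_quote(const char *in, char *out, size_t outsz)
{
    size_t o = 0;
    if (outsz < 3) return -1;
    out[o++] = '\'';
    for (; *in; in++) {
        size_t need = (*in == '\'') ? 4 : 1;
        if (o + need + 2 > outsz) return -1;  /* keep room for ' and NUL */
        if (*in == '\'') { memcpy(out + o, "'\\''", 4); o += 4; }
        else out[o++] = *in;
    }
    out[o++] = '\'';
    out[o] = '\0';
    return 0;
}

/* Build "<tool> <quoted file>". `tool` is trusted text; `file` is untrusted. */
int build_cmd(const char *tool, const char *file, char *out, size_t outsz)
{
    char q[4096];
    if (sh_quote(file, q, sizeof q) != 0) return -1;
    int n = snprintf(out, outsz, "%s %s", tool, q);
    return (n < 0 || (size_t)n >= outsz) ? -1 : 0;
}

/* Round trip: capture the single argument the shell delivers to printf. */
int shell_sees(const char *file, char *got, size_t gotsz)
{
    char cmd[8192];
    if (gotsz == 0 || build_cmd("printf '%s'", file, cmd, sizeof cmd)) return -1;
    FILE *p = popen(cmd, "r");
    if (!p) return -1;
    size_t n = fread(got, 1, gotsz - 1, p);
    got[n] = '\0';
    return pclose(p) == 0 ? 0 : -1;
}

int main(void)
{
    char got[256];  /* the name below is the sample file name from the report */
    if (shell_sees("test\";echo owned>bla;\".rar", got, sizeof got)) return 1;
    puts(got);
    return 0;
}
```

Passing the file name as its own argv entry to fork() and execvp() avoids the shell altogether and removes the need for quoting.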

------- Comment #1 From Robert Buchholz 2008-05-26 08:49:20 0000 -------
As noted in the Bugzilla, there's an update to the patch:
http://cvs.fedoraproject.org/viewcvs/rpms/cbrpager/devel/cbrpager-0.9.17-zip-filen-escape.patch?rev=1.1

------- Comment #2 From Tobias Heinlein 2008-05-26 19:59:20 0000 -------
0.9.17 is in CVS, including the patch from comment #1.

Arches, please test and mark stable:
=app-misc/cbrpager-0.9.17
Target keywords : "amd64 release x86"

------- Comment #3 From Christian Faulhammer 2008-05-27 16:38:38 0000 -------
x86 stable

------- Comment #4 From Peter Volkov 2008-05-28 16:20:41 0000 -------
amd64 stable. All archs stable.

Fixed in release snapshot.

------- Comment #5 From Tobias Heinlein 2008-05-28 17:48:36 0000 -------
GLSA request filed.

------- Comment #6 From Pierre-Yves Rofes 2008-06-16 20:46:46 0000 -------
GLSA 200806-05
