Bug 215694 (CVE-2008-1568) - media-gfx/comix <3.6.4-r1 Input filename command execution, file overwrite (CVE-2008-1568, CVE-2008-1796)
Status: RESOLVED FIXED
Alias: CVE-2008-1568
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High normal
Assignee: Gentoo Security
URL: http://bugs.debian.org/cgi-bin/bugrep...
Whiteboard: B2 [glsa]
Reported: 2008-04-01 13:03 UTC by Robert Buchholz (RETIRED)
Modified: 2008-04-25 21:13 UTC
Description Robert Buchholz (RETIRED) gentoo-dev 2008-04-01 13:03:13 UTC
CVE-2008-1568 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-1568):
  comix 3.6.4 allows attackers to execute arbitrary commands via a filename
  containing shell metacharacters that are not properly sanitized when
  executing the rar, unrar, or jpegtran programs.
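
Added example, not code from comix or from the Fedora patches: it contrasts a filename pasted into a shell command string with the same filename passed as one entry of an argument vector. The `HELPER` child process stands in for rar, unrar or jpegtran, and the filename and function names are constructed for illustration.

```python
import shlex
import subprocess
import sys

# Stand-in for rar/unrar/jpegtran (assumption, so this runs without them):
# a child process that prints each argument it receives as "arg: <value>".
HELPER = [sys.executable, "-c", "import sys; [print('arg:', a) for a in sys.argv[1:]]"]


def run_shell_string(filename):
    """Weak pattern: filename pasted unquoted into a string parsed by /bin/sh."""
    command = " ".join(shlex.quote(p) for p in HELPER) + " " + filename
    done = subprocess.run(command, shell=True, capture_output=True, text=True)
    return done.stdout.splitlines()


def run_argv(filename):
    """Hardened pattern: no shell; the filename is exactly one argv entry."""
    done = subprocess.run(HELPER + [filename], capture_output=True, text=True, check=True)
    return done.stdout.splitlines()


def run_quoted_shell_string(filename):
    """Fallback when a shell string is unavoidable: quote the filename."""
    command = " ".join(shlex.quote(p) for p in HELPER) + " " + shlex.quote(filename)
    done = subprocess.run(command, shell=True, capture_output=True, text=True, check=True)
    return done.stdout.splitlines()


if __name__ == "__main__":
    # Constructed filename; the harmless "echo" marks where a second command runs.
    name = "issue 1; echo MARKER.jpg"
    for runner in (run_shell_string, run_argv, run_quoted_shell_string):
        print(runner.__name__, runner(name))
```

Passing an argument vector removes shell parsing only; a filename that begins with `-` can still be read as an option by the called program, so pass it as a path such as `./name` or after the program's end-of-options marker where it has one.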
Comment 1 Robert Buchholz (RETIRED) gentoo-dev 2008-04-01 13:22:56 UTC
See also here for an upstream comment:
https://bugzilla.redhat.com/show_bug.cgi?id=430635#c1

Quoting Tomas Hoger:
Additionally, comix seems to use python's tarfile module to extract tar
archives.  This module has known directory traversal issues (CVE-2007-4559),
which were never fixed upstream.  Tar archive with malicious content can be used
to overwrite arbitrary file writable by user running comix.
Comment 2 Markus Meier gentoo-dev 2008-04-02 20:17:26 UTC
I grabbed two patches from Fedora (http://cvs.fedora.redhat.com/viewcvs/rpms/comix/F-8/) and added media-gfx/comix-3.6.4-r1 to the tree. This will hopefully fix this problem.
Comment 3 Robert Buchholz (RETIRED) gentoo-dev 2008-04-04 02:18:15 UTC
Looks good, thank you.

Arches, please test and mark stable:
=media-gfx/comix-3.6.4-r1
Target keywords : "amd64 ppc release x86"
Comment 4 Christian Faulhammer (RETIRED) gentoo-dev 2008-04-04 07:13:39 UTC
x86 stable
Comment 5 Markus Meier gentoo-dev 2008-04-06 13:48:35 UTC
amd64 stable
Comment 6 Tobias Scherbaum (RETIRED) gentoo-dev 2008-04-06 20:21:14 UTC
ppc stable
Comment 7 Peter Volkov (RETIRED) gentoo-dev 2008-04-07 16:28:23 UTC
Fixed in release snapshot.
Comment 8 Tobias Heinlein (RETIRED) gentoo-dev 2008-04-10 14:29:45 UTC
GLSA request filed.
Comment 9 Robert Buchholz (RETIRED) gentoo-dev 2008-04-15 22:54:19 UTC
CVE-2008-1796 has been assigned to the tempfile issue, which was fixed with the other patch.
Comment 10 Pierre-Yves Rofes (RETIRED) gentoo-dev 2008-04-25 21:13:33 UTC
GLSA 200804-29