223657 – (CVE-2008-2575) app-misc/cbrpager < 0.9.17 filename command execution (CVE-2008-2575)

Bug 223657 (CVE-2008-2575) - app-misc/cbrpager < 0.9.17 filename command execution (CVE-2008-2575)

Summary: app-misc/cbrpager < 0.9.17 filename command execution (CVE-2008-2575)

Status:	RESOLVED FIXED

Alias:	CVE-2008-2575

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	High normal
Assignee:	Gentoo Security

URL:
Whiteboard:	B2 [glsa]
Keywords:

Depends on:
Blocks:

Reported:	2008-05-26 08:48 UTC by Robert Buchholz (RETIRED)
Modified:	2008-06-16 20:46 UTC (History)
CC List:	1 user (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Robert Buchholz (RETIRED) gentoo-dev

2008-05-26 08:48:58 UTC

Tomas Hoger writes ( https://bugzilla.redhat.com/show_bug.cgi?id=448285 ):
Mamoru Tasaka discovered, that cbrpager (Simple comic book pager for Linux) does
not properly sanitize file names of the image archives before calling external
decompression utilities unrar and unzip using system() libc library call. 
Opening a .zip or .rar archive with specially crafted filename can result in an
execution of the arbitrary code with the privileges of the user running cbrpager.

Sample file name:
  test";echo owned>bla;".rar
(same as for similar issue in comix -
https://bugzilla.redhat.com/show_bug.cgi?id=430635#c4)

Mamoru's patch accepted by upstream:
http://cvs.fedoraproject.org/viewcvs/rpms/cbrpager/devel/cbrpager-0.9.16-filen-shell-escaping.patch?rev=1.2

Fixed upstream in version 0.9.17:
http://sourceforge.net/forum/forum.php?forum_id=827120
http://www.jcoppens.com/soft/cbrpager/log.en.php

Comment 1 Robert Buchholz (RETIRED) gentoo-dev

2008-05-26 08:49:20 UTC

As noted in the Bugzilla, there's an update to the patch:
http://cvs.fedoraproject.org/viewcvs/rpms/cbrpager/devel/cbrpager-0.9.17-zip-filen-escape.patch?rev=1.1

Comment 2 Tobias Heinlein (RETIRED) gentoo-dev

2008-05-26 19:59:20 UTC

0.9.17 is in CVS, including the patch from comment #1.

Arches, please test and mark stable:
=app-misc/cbrpager-0.9.17
Target keywords : "amd64 release x86"

Comment 3 Christian Faulhammer (RETIRED) gentoo-dev

2008-05-27 16:38:38 UTC

x86 stable

Comment 4 Peter Volkov (RETIRED) gentoo-dev

2008-05-28 16:20:41 UTC

amd64 stable. All archs stable.

Fixed in release snapshot.

Comment 5 Tobias Heinlein (RETIRED) gentoo-dev

2008-05-28 17:48:36 UTC

GLSA request filed.

Comment 6 Pierre-Yves Rofes (RETIRED) gentoo-dev

2008-06-16 20:46:46 UTC

GLSA 200806-05