Bug 223657 (CVE-2008-2575)

Summary: app-misc/cbrpager < 0.9.17 filename command execution (CVE-2008-2575)
Product: Gentoo Security
Reporter: Robert Buchholz (RETIRED) <rbu>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
CC: maintainer-needed
Priority: High
Version: unspecified
Hardware: All
OS: Linux
Whiteboard: B2 [glsa]
Package list:
Runtime testing required: ---

Description Robert Buchholz (RETIRED) gentoo-dev 2008-05-26 08:48:58 UTC
Tomas Hoger writes ( https://bugzilla.redhat.com/show_bug.cgi?id=448285 ):
Mamoru Tasaka discovered that cbrpager (Simple comic book pager for Linux) does
not properly sanitize file names of the image archives before calling the external
decompression utilities unrar and unzip using the system() libc library call.
Opening a .zip or .rar archive with a specially crafted filename can result in
execution of arbitrary code with the privileges of the user running cbrpager.

Sample file name:
  test";echo owned>bla;".rar
(same as for similar issue in comix -
https://bugzilla.redhat.com/show_bug.cgi?id=430635#c4)

Mamoru's patch accepted by upstream:
http://cvs.fedoraproject.org/viewcvs/rpms/cbrpager/devel/cbrpager-0.9.16-filen-shell-escaping.patch?rev=1.2

Fixed upstream in version 0.9.17:
http://sourceforge.net/forum/forum.php?forum_id=827120
http://www.jcoppens.com/soft/cbrpager/log.en.php
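The flaw described above is the classic "file name spliced into a system() command line" pattern. The C program below is an added illustration, not cbrpager's own code and not the Fedora patch linked above: it rebuilds the flawed command shape as a hypothetical (the exact unrar/unzip invocation cbrpager used is assumed, not taken from the page), only constructs that string without ever executing it, flags names containing shell metacharacters, and shows the two mitigations a maintainer would reach for: single-quote escaping when a shell line is unavoidable, and a fork()+execlp() call that bypasses the shell entirely. The sample file name is the one from the report; `true` stands in for unrar so the demonstration runs without an archiver installed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Archive name quoted in the bug report; the embedded double quote and
 * semicolons are exactly what /bin/sh would interpret. */
static const char *const CRAFTED_NAME = "test\";echo owned>bla;\".rar";

/* Hypothetical recreation of the flawed pattern (not cbrpager's real code):
 * the archive name is spliced into a command line of the kind that would be
 * handed to system(). The string is only built here, never executed, so the
 * reader can see what the shell would receive. */
const char *build_unsafe_command(const char *archive)
{
    static char cmd[1024];
    snprintf(cmd, sizeof cmd, "unrar x \"%s\" /tmp/cbrpager", archive);
    return cmd;
}

/* Detection helper: does the name contain characters /bin/sh treats specially? */
int has_shell_metachars(const char *name)
{
    return strpbrk(name, "\"'`$;&|<>()\\ \t\n") != NULL;
}

/* Mitigation 1: if a shell command line cannot be avoided, single-quote the
 * argument and rewrite each embedded ' as '\'' so nothing inside is expanded.
 * Returns a malloc'd string the caller frees, or NULL on allocation failure. */
char *shell_single_quote(const char *s)
{
    size_t n = strlen(s), extra = 0;
    for (size_t i = 0; i < n; i++)
        if (s[i] == '\'') extra += 3;          /* ' becomes '\'' (4 chars) */
    char *out = malloc(n + extra + 3);         /* two quotes + NUL */
    if (!out) return NULL;
    char *p = out;
    *p++ = '\'';
    for (size_t i = 0; i < n; i++) {
        if (s[i] == '\'') { memcpy(p, "'\\''", 4); p += 4; }
        else              *p++ = s[i];
    }
    *p++ = '\'';
    *p = '\0';
    return out;
}

/* Mitigation 2 (preferred): skip the shell entirely. fork()+execlp() passes
 * each argument as its own argv element, so quotes and semicolons in the
 * file name stay literal. Returns the tool's exit status, 127 if the tool
 * could not be executed, -1 on fork/wait failure. */
int extract_without_shell(const char *tool, const char *archive, const char *destdir)
{
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execlp(tool, tool, "x", archive, destdir, (char *)NULL);
        _exit(127);                            /* exec failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    printf("shell would see : %s\n", build_unsafe_command(CRAFTED_NAME));
    printf("metachars found : %d\n", has_shell_metachars(CRAFTED_NAME));
    char *q = shell_single_quote(CRAFTED_NAME);
    printf("quoted argument : %s\n", q);
    free(q);
    /* 'true' stands in for unrar so the demo runs anywhere; it ignores its args. */
    printf("exec status     : %d\n", extract_without_shell("true", CRAFTED_NAME, "/tmp"));
    return 0;
}
```

In the unsafe string the crafted name closes the double-quoted argument early, which is why the report's sample name matters; in the quoted form the whole name sits inside single quotes and is passed through literally, and in the exec form there is no shell to parse it at all. The argv-based call is the one to prefer in new code, since it removes the quoting problem rather than patching it.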
Comment 1 Robert Buchholz (RETIRED) gentoo-dev 2008-05-26 08:49:20 UTC
As noted in the Bugzilla, there's an update to the patch:
http://cvs.fedoraproject.org/viewcvs/rpms/cbrpager/devel/cbrpager-0.9.17-zip-filen-escape.patch?rev=1.1
Comment 2 Tobias Heinlein (RETIRED) gentoo-dev 2008-05-26 19:59:20 UTC
0.9.17 is in CVS, including the patch from comment #1.

Arches, please test and mark stable:
=app-misc/cbrpager-0.9.17
Target keywords : "amd64 release x86"
Comment 3 Christian Faulhammer (RETIRED) gentoo-dev 2008-05-27 16:38:38 UTC
x86 stable
Comment 4 Peter Volkov (RETIRED) gentoo-dev 2008-05-28 16:20:41 UTC
amd64 stable. All archs stable.

Fixed in release snapshot.
Comment 5 Tobias Heinlein (RETIRED) gentoo-dev 2008-05-28 17:48:36 UTC
GLSA request filed.
Comment 6 Pierre-Yves Rofes (RETIRED) gentoo-dev 2008-06-16 20:46:46 UTC
GLSA 200806-05