Your message dated Wed, 02 Apr 2008 23:17:04 +0000
with message-id <[EMAIL PROTECTED]>
and subject line Bug#462840: fixed in comix 3.6.4-1.1
has caused the Debian Bug report #462840,
regarding comix: insufficient escaping on shell calls for rar archives/jpegtran
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [EMAIL PROTECTED]
immediately.)


-- 
462840: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=462840
Debian Bug Tracking System
Contact [EMAIL PROTECTED] with problems
--- Begin Message ---
Package: comix
Version: 3.6.4-1
Severity: grave
Justification: user security hole
Tags: security

*** Please type your report below this line ***

Comix uses insufficient shell escaping when calling external programs
(rar/unrar, jpegtran).


    files = \
        os.popen(self.rar + ' vb "' + path +
            '"').readlines()


    os.popen(self.rar + ' p -inul -- "' + path + '" "' +
        cover + '" > "' + thumb_dir +
        '/temp" 2>/dev/null', "r").close()


    os.popen(
        self.rar + ' x "' + src_path + '" "' + dst_path + '"')


    os.popen(self.jpegtran + ' -copy all -trim ' + operation +
        ' -outfile "' + self.file[self.file_number] + '" "' +
        self.file[self.file_number] + '"')

This all bombs out when faced with file or directory names that contain
the double quote character (") or a backslash.

-- System Information:
Debian Release: lenny/sid
  APT prefers testing
  APT policy: (700, 'testing'), (500, 'stable'), (400, 'unstable')
Architecture: i386 (i686)

Kernel: Linux 2.6.22-3-686 (SMP w/2 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=fi_FI.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages comix depends on:
ii  gconf2                        2.20.1-2   GNOME configuration database syste
ii  python                        2.4.4-6    An interactive high-level object-o
ii  python-gtk2                   2.12.1-1   Python bindings for the GTK+ widge
ii  python-imaging                1.1.6-1    Python Imaging Library

comix recommends no packages.

-- no debconf information



--- End Message ---
--- Begin Message ---
Source: comix
Source-Version: 3.6.4-1.1

We believe that the bug you reported is fixed in the latest version of
comix, which is due to be installed in the Debian FTP archive:

comix_3.6.4-1.1.diff.gz
  to pool/main/c/comix/comix_3.6.4-1.1.diff.gz
comix_3.6.4-1.1.dsc
  to pool/main/c/comix/comix_3.6.4-1.1.dsc
comix_3.6.4-1.1_all.deb
  to pool/main/c/comix/comix_3.6.4-1.1_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Nico Golde <[EMAIL PROTECTED]> (supplier of updated comix package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Thu, 03 Apr 2008 00:49:49 +0200
Source: comix
Binary: comix
Architecture: source all
Version: 3.6.4-1.1
Distribution: unstable
Urgency: high
Maintainer: Emfox Zhou <[EMAIL PROTECTED]>
Changed-By: Nico Golde <[EMAIL PROTECTED]>
Description: 
 comix      - GTK Comic Book Viewer
Closes: 462836 462840
Changes: 
 comix (3.6.4-1.1) unstable; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Apply patch by Mamoru Tasaka to fix arbitrary code execution
     via crafted file names because of passing the filename directly
     to string concatenation used in os.popen (CVE-2008-1568; Closes: #462840).
   * Apply patch by Mamoru Tasaka to use tempfile.mkdtemp() to enable comix
     for multi-user environments and thus prevent a race condition in /tmp
     without a real security impact (Closes: #462836).
Files: 
 11ee87c5ad9489dca3ac82bbae0cf04a 592 x11 optional comix_3.6.4-1.1.dsc
 b010db6b861426875a7340f21a6b4e5f 6609 x11 optional comix_3.6.4-1.1.diff.gz
 51f84955be80522baee2f1cc196e5fce 234988 x11 optional comix_3.6.4-1.1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFH9A9LHYflSXNkfP8RAnz/AJ98wpCSszQluevknlL04PVap8ac+QCdEIvT
uXM17oGJWWnTAsB4KjC86oQ=
=82HO
-----END PGP SIGNATURE-----



--- End Message ---
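
Added example (not part of the bug report, the comix source, or the Debian patch): it shows why wrapping a path in double quotes, as in the os.popen calls quoted in the report and named in the changelog, does not keep a file name as one argument, and compares that with shlex.quote() and with an argument list that bypasses the shell. RAR is a stand-in for self.rar, the sample names are constructed, and shlex.split() is used as an approximation of POSIX shell word splitting (it models quoting only).

```python
import json
import shlex
import subprocess
import sys

RAR = "unrar"  # assumption: stand-in for comix's self.rar


def legacy_command(path):
    """Build the listing command the way the quoted comix code does."""
    return RAR + ' vb "' + path + '"'


def quoted_command(path):
    """Same command for cases that still need a shell (e.g. redirection)."""
    return " ".join([RAR, "vb", "--", shlex.quote(path)])


def safe_argv(path):
    """Preferred form: an argument list that never passes through a shell."""
    return [RAR, "vb", "--", path]


def shell_view(command):
    """Words a POSIX shell would split the string into; None if quoting is unbalanced."""
    try:
        return shlex.split(command)
    except ValueError:
        return None


def echo_argv(args):
    """Hand args to a harmless child (this interpreter) and return what it received."""
    child = [sys.executable, "-c",
             "import json, sys; print(json.dumps(sys.argv[1:]))"] + list(args)
    done = subprocess.run(child, capture_output=True, text=True, check=True)
    return json.loads(done.stdout)


# Constructed sample names containing the characters named in the report.
SAMPLES = ["plain.cbr", 'vol "1 of 2".cbr', "trailing\\"]

if __name__ == "__main__":
    for name in SAMPLES:
        print(repr(name))
        print("  legacy string ->", shell_view(legacy_command(name)))
        print("  shlex.quote   ->", shell_view(quoted_command(name)))
        print("  argv list     ->", echo_argv(safe_argv(name)[1:]))
```

With the legacy string, the second sample splits into three arguments and the third leaves the quoting unbalanced; the other two forms return every name unchanged.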
