Bug 430635 (CVE-2008-1568)
Field | Value | Field | Value
---|---|---|---
Summary: | CVE-2008-1568 comix: Command executions via improper shell escaping | |
Product: | [Other] Security Response | Reporter: | Tomas Hoger <thoger>
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team>
Status: | CLOSED ERRATA | QA Contact: |
Severity: | medium | Docs Contact: |
Priority: | medium | |
Version: | unspecified | CC: | mtasaka
Target Milestone: | --- | Keywords: | Security
Target Release: | --- | |
Hardware: | All | |
OS: | Linux | |
Whiteboard: | | |
Fixed In Version: | | Doc Type: | Bug Fix
Doc Text: | | Story Points: | ---
Clone Of: | | Environment: |
Last Closed: | 2008-04-09 05:45:37 UTC | Type: | ---
Regression: | --- | Mount Type: | ---
Documentation: | --- | CRM: |
Verified Versions: | | Category: | ---
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: |
Cloudforms Team: | --- | Target Upstream Version: |
Embargoed: | | |
Description

Tomas Hoger, 2008-01-29 09:05:46 UTC

From upstream:

> Hi Mamoru, thank you for the bug reports. All problems should now be fixed in the SVN repository for the upcoming Comix 4.0. I gave up some time ago to try and fix things in Comix 3.X, and instead put all efforts toward finishing Comix 4 instead, which is a complete re-write of the code. Not all features are implemented for Comix 4.0 yet, but hopefully it will not be too long until it is released. Regards, Pontus

Command execution vulnerability got CVE id CVE-2008-1568:

comix 3.6.4 allows attackers to execute arbitrary commands via a filename containing shell metacharacters that are not properly sanitized when executing the rar, unrar, or jpegtran programs.

Umm...

- For rar/unrar-ing archives, comix seems to search the filename with all double quotation marks or backslashes removed, so it simply fails
- Seems the same for jpegtran

Can you confirm that this is "really" a security vulnerability?

A simple example was provided by Nico Golde here: http://www.openwall.com/lists/oss-security/2008/03/31/1

So you can reproduce by renaming any valid rar archive to something like this: test";echo owned>bla;".rar and trying to open it in comix.

Correction to my initial comment on insecure temporary directories, based on further investigation performed by Nico Golde: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=462838#15

There are two possibilities where an attacker can possibly race against comix: creation of the /tmp/comix directory and creation of the /tmp/comix/<num> directory. In either case, if an attacker manages to create a directory or symlink with the proper name after the os.path.exists check, comix will exit with a 'File exists' error on os.makedirs / os.mkdir. This can be considered a DoS on the victim, but there is a lot easier way to achieve that: a plain mkdir /tmp/comix; chmod 700 /tmp/comix performed by an attacker is sufficient.

The possibility of a symlink attack exists if the user running comix has insecure umask settings. An attacker may prepare the comix directory, which will be re-used by the victim's comix session to create the <num> subdirectory with permissions only influenced by umask and not chmod-ed after (in load_file(), prior to calling extract_archive()). Additionally, if the attacker can guess file names in the archive to be extracted in comix by the victim user and an archiver that follows symlinks is used, an arbitrary file of the victim's can be overwritten with data from the archive.

CVE-2008-1568 part should be fixed by comix-3.6.4-4.fc{7,8,9}.

tmpdir issue should be fixed in comix-3.6.4-5.fc{7,8,9}

(In reply to comment #6)
> CVE-2008-1568 part should be fixed by comix-3.6.4-4.fc{7,8,9}.

I am not sure how /usr/bin/comicthumb is used.. Anyway I replaced os.popen() with subprocess.Popen(), although currently I have no way to check if my fix is correct. For the tarfile.open() issue, for now I won't fix.

comix-3.6.4-5.fc7 has been submitted as an update for Fedora 7

comix-3.6.4-5.fc8 has been submitted as an update for Fedora 8

comix-3.6.4-6.fc8 has been pushed to the Fedora 8 stable repository. If problems still persist, please make note of it in this bug report.

comix-3.6.4-6.fc7 has been pushed to the Fedora 7 stable repository. If problems still persist, please make note of it in this bug report.

Closing.

Mitre has assigned CVE id CVE-2008-1796 to the "DoS other users via temporary directory" issue:

CVE-2008-1796: Comix 3.6.4 creates temporary directories with predictable names, which allows local users to cause an unspecified denial of service.

Just an info: On 2008-07-07 upstream released 3.6.5 with all my patches applied: http://comix.sourceforge.net/changelog.html
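The two defects discussed in this bug, a filename interpolated into an os.popen() shell string and a predictable /tmp/comix/<num> directory created after an os.path.exists() check, both have standard fixes in the Python standard library. The following is an added illustration written for this page; it is not comix code and does not call rar, unrar or jpegtran. The archiver invocation is replaced by /usr/bin/printf as a stand-in so the example runs offline, the filename is the reproducer quoted above used purely as data, and the function names are this example's own.

```python
import os
import stat
import subprocess
import tempfile

# Constructed sample: the reproducer filename from the bug report, used only
# as an argument value, never interpolated into a shell command line.
METACHAR_NAME = 'test";echo owned>bla;".rar'


def shell_string_pattern(archive):
    """The defective pattern (CVE-2008-1568): the filename is pasted into a
    shell command string.  Returned for inspection only, never executed."""
    return 'unrar x "%s"' % archive


def argv_pattern(archive, dest):
    """Fixed pattern: an argument vector handed to subprocess without a
    shell.  Each element reaches the child as one literal argv entry, so
    quotes, ';' and '>' in the name have no special meaning.  '--' stops
    option parsing in case the name begins with '-'."""
    return ["unrar", "x", "--", archive, dest]


def run_argv_stand_in(archive):
    """Show argv passing end to end using printf as a stand-in archiver
    (hypothetical substitute for unrar/jpegtran).  The child receives the
    name unchanged, so the output equals the input."""
    out = subprocess.run(["printf", "%s", archive],
                         capture_output=True, text=True, check=True)
    return out.stdout


def private_extract_dir():
    """Fixed pattern for CVE-2008-1796: mkdtemp() creates a fresh directory
    with an unpredictable name and mode 0700 atomically, so there is no
    exists()-then-mkdir window and umask does not weaken the mode."""
    return tempfile.mkdtemp(prefix="comix-")


def dir_mode(path):
    """Permission bits of a directory, for checking the 0700 guarantee."""
    return stat.S_IMODE(os.stat(path).st_mode)


if __name__ == "__main__":
    print("shell string :", shell_string_pattern(METACHAR_NAME))
    print("argv         :", argv_pattern(METACHAR_NAME, "/tmp/dest"))
    print("child saw    :", run_argv_stand_in(METACHAR_NAME))
    d = private_extract_dir()
    print("tmpdir       :", d, oct(dir_mode(d)))
    os.rmdir(d)
```

The contrast worth noting is that `shell_string_pattern` produces a string in which the embedded `"` closes the quoting and `;` starts a second command once a shell parses it, whereas `argv_pattern` never produces a string for a shell to parse at all; `shlex.quote()` would also make the string form safe, but dropping the shell removes the whole class of bug.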