This service will be undergoing maintenance at 00:00 UTC, 2016-08-01. It is expected to last about 1 hours
Bug 430635 - (CVE-2008-1568) CVE-2008-1568 comix: Command executions via improper shell escaping
CVE-2008-1568 comix: Command executions via improper shell escaping
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
medium Severity medium
: ---
: ---
Assigned To: Red Hat Product Security
source=debian,reported=20080128,publi...
: Security
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2008-01-29 04:05 EST by Tomas Hoger
Modified: 2008-07-10 09:54 EDT (History)
1 user (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2008-04-09 01:45:37 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:


Attachments (Terms of Use)

  None (edit)
Description Tomas Hoger 2008-01-29 04:05:46 EST
Multiple security issues were reported to Debian BTS affecting comix package:

Insecure temporary file usage:
  http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=462838

comix and comicthumb use temporary directories with predictable name.  However,
it only seems to be possible to redirect creation of /tmp/comix/ directory via
symlinks, so that numbered per-session subdirectories are not created in /tmp
but in some other user-writable directory.  As /tmp/comix/ directory is created
with permissions based on user's umask, it's probably not writable to other
random unprivileged users.  By itself, this probably only has limited impact.

However, usage of fixed temporary directory /tmp/comix/ seems bit unlucky, as
this prevents multiple users on the same machine from running comix at the same
time.  Any malicious user can block other users from using comix by creating
/tmp/comix/ directory.


Command executions via improper shell escaping:
  http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=462840

comix and comicthumb use popen to execute rar and jpegtran external commands. 
Files used as command arguments with specially crafted file names can be used to
executed arbitrary command.


Additionally, comix seems to use python's tarfile module to extract tar
archives.  This module has known directory traversal issues (CVE-2007-4559),
which were never fixed upstream.  Tar archive with malicious content can be used
to overwrite arbitrary file writable by user running comix.
Comment 1 Mamoru TASAKA 2008-01-29 08:38:30 EST
From upstream:
Hi Mamoru,

thank you for the bug reports. All problems should now be fixed in the
SVN repository for the upcoming Comix 4.0.

I gave up some time ago to try and fix things in Comix 3.X, and instead
put all efforts toward finishing Comix 4 instead, which is a complete
re-write of the code. Not all features are implemented for Comix 4.0
yet, but hopefully it will not be too long until it is released.


Regards,
Pontus
Comment 2 Tomas Hoger 2008-04-01 02:53:14 EDT
Command execution vulnerability got CVE id CVE-2008-1568:

comix 3.6.4 allows attackers to execute arbitrary commands via a
filename containing shell metacharacters that are not properly
sanitized when executing the rar, unrar, or jpegtran programs.
Comment 3 Mamoru TASAKA 2008-04-01 14:51:10 EDT
Umm... 
- For rar/unrar-ing archives, comix seems to search the filename
  with all double quotation or backslash removed so it simply
  fails
- Seems to same for jpegtran

Can you confirm that this is "really" security vulnerable?
Comment 4 Tomas Hoger 2008-04-02 03:22:12 EDT
Simple example was provided by Nico Golde here:

  http://www.openwall.com/lists/oss-security/2008/03/31/1

So you can reproduce by renaming any valid rar archive to something like this:

  test";echo owned>bla;".rar

and trying to open it in comix.
Comment 5 Tomas Hoger 2008-04-02 07:38:23 EDT
Correction to my initial comment on insecure temporary directories, based on
further investigation performed by Nico Golde:

  http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=462838#15

There are two possibilities where attacker can possibly race against comix -
creation of /tmp/comix directory and creation of /tmp/comix/<num> directory.  In
either case, if an attacker manages to create directory or symlink with proper
name after os.path.exists check, comix will exit with 'File exists' error on
os.makedirs / os.mkdir.  This can be considered as DoS on victim, but there's
lot easier way to achieve that - plain mkdir /tmp/comix; chmod 700 /tmp/comix
performed by an attacker is sufficient.

Possibility of symlink attack exists if user running comix has insecure umask
settings.  An attacker may prepare comix directory, which will be re-used by
victim comix session to create <num> subdirectory with permissions only
influenced by umask and not chmod-ed after (in load_file(), prior to calling
extract_archive()).  Additionally, if attacker can guess file names in archive
to be extracted in comix by victim user and archiver that follows symlinks is
used, arbitrary victim's file can be overwritten with data from archive.
Comment 6 Mamoru TASAKA 2008-04-02 08:44:07 EDT
CVE-2008-1568 part should be fixed by comix-3.6.4-4.fc{7,8,9}.
Comment 7 Mamoru TASAKA 2008-04-02 10:50:37 EDT
tmpdir issue should be fixed in comix-3.6.4-5.fc{7,8,9}

(In reply to comment #6)
> CVE-2008-1568 part should be fixed by comix-3.6.4-4.fc{7,8,9}.
I am not sure how /usr/bin/comicthumb is used..
Anyway I replaced os.popen() to subprocess.Popen() although
currently I have no way to check if my fix is correct.

For tarfile.open() issue, for now I won't fix.
Comment 8 Fedora Update System 2008-04-02 11:03:35 EDT
comix-3.6.4-5.fc7 has been submitted as an update for Fedora 7
Comment 9 Fedora Update System 2008-04-02 11:04:47 EDT
comix-3.6.4-5.fc8 has been submitted as an update for Fedora 8
Comment 10 Fedora Update System 2008-04-09 01:18:46 EDT
comix-3.6.4-6.fc8 has been pushed to the Fedora 8 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 11 Fedora Update System 2008-04-09 01:19:29 EDT
comix-3.6.4-6.fc7 has been pushed to the Fedora 7 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 12 Mamoru TASAKA 2008-04-09 01:45:37 EDT
Closing.
Comment 13 Tomas Hoger 2008-04-16 03:32:06 EDT
Mitre has assigned CVE id CVE-2008-1796 to the "DoS other users via temporary
directory" issue:

CVE-2008-1796:
Comix 3.6.4 creates temporary directories with predictable names,
which allows local users to cause an unspecified denial of service.
Comment 14 Mamoru TASAKA 2008-07-10 09:54:43 EDT
Just a info:
On 2008-07-07 upstream released 3.6.5 with all my patches applied:
http://comix.sourceforge.net/changelog.html

Note You need to log in before you can comment on or make changes to this bug.