Multiple security issues were reported to Debian BTS affecting the comix package:

Insecure temporary file usage: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=462838

comix and comicthumb use temporary directories with predictable names. However, it only seems to be possible to redirect creation of the /tmp/comix/ directory via symlinks, so that numbered per-session subdirectories are not created in /tmp but in some other user-writable directory. As the /tmp/comix/ directory is created with permissions based on the user's umask, it's probably not writable by other random unprivileged users. By itself, this probably only has limited impact. However, usage of the fixed temporary directory /tmp/comix/ seems a bit unlucky, as this prevents multiple users on the same machine from running comix at the same time. Any malicious user can block other users from using comix by creating the /tmp/comix/ directory.

Command execution via improper shell escaping: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=462840

comix and comicthumb use popen to execute the rar and jpegtran external commands. Files used as command arguments with specially crafted file names can be used to execute arbitrary commands. Additionally, comix seems to use python's tarfile module to extract tar archives. This module has known directory traversal issues (CVE-2007-4559), which were never fixed upstream. A tar archive with malicious content can be used to overwrite any file writable by the user running comix.
From upstream: Hi Mamoru, thank you for the bug reports. All problems should now be fixed in the SVN repository for the upcoming Comix 4.0. I gave up some time ago to try and fix things in Comix 3.X, and instead put all efforts toward finishing Comix 4 instead, which is a complete re-write of the code. Not all features are implemented for Comix 4.0 yet, but hopefully it will not be too long until it is released. Regards, Pontus
Command execution vulnerability got CVE id CVE-2008-1568: comix 3.6.4 allows attackers to execute arbitrary commands via a filename containing shell metacharacters that are not properly sanitized when executing the rar, unrar, or jpegtran programs.
Umm...
- For rar/unrar-ing archives, comix seems to search for the filename with all double quotation marks or backslashes removed, so it simply fails
- Seems the same for jpegtran
Can you confirm that this is "really" a security vulnerability?
A simple example was provided by Nico Golde here: http://www.openwall.com/lists/oss-security/2008/03/31/1 So you can reproduce by renaming any valid rar archive to something like this: test";echo owned>bla;".rar and trying to open it in comix.
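The following is an added example, not code from comix or from the bug thread, showing why the file name above is dangerous: a command string interpolated into a shell (which is what os.popen() does) is re-parsed by the shell, so the embedded `";echo owned>bla;"` runs as a separate command, while passing argv as a list to subprocess keeps the whole name as one argument. `true` stands in for the rar binary purely so the demo runs on any POSIX box (assumption: /bin/sh and `true` are available); the file name is the constructed one from the reproduction.

```python
import os
import subprocess
import tempfile

# Constructed from the reproduction in the thread: a rar archive renamed to this.
MALICIOUS_NAME = 'test";echo owned>bla;".rar'


def run_via_shell(filename: str, cwd: str) -> str:
    """Vulnerable pattern: build one command string from the file name and hand
    it to the shell, as os.popen('rar x "%s"' % name) would. 'true' replaces rar
    (assumption for the demo); the shell still sees `; echo owned>bla ;` as
    separate commands and runs them."""
    cmd = 'true x "%s"' % filename
    subprocess.run(cmd, shell=True, cwd=cwd, capture_output=True)
    return cmd


def run_via_argv(filename: str, cwd: str) -> list:
    """Hardened pattern: no shell, argv passed as a list, so the file name is a
    single argument however many metacharacters it contains."""
    argv = ["true", "x", filename]
    subprocess.run(argv, cwd=cwd, capture_output=True, check=True)
    return argv


def payload_fired(cwd: str) -> bool:
    """The injected `echo owned>bla` leaves a file 'bla' behind if it executed."""
    path = os.path.join(cwd, "bla")
    if not os.path.exists(path):
        return False
    with open(path) as fh:
        return fh.read().strip() == "owned"


def demo() -> dict:
    """Run both variants in fresh scratch directories and report whether the
    injected command executed in each case."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        run_via_shell(MALICIOUS_NAME, d)
        results["shell"] = payload_fired(d)
    with tempfile.TemporaryDirectory() as d:
        run_via_argv(MALICIOUS_NAME, d)
        results["argv"] = payload_fired(d)
    return results


if __name__ == "__main__":
    print(demo())  # expected: {'shell': True, 'argv': False}
```

The shell variant reports `True` because `true x "test";echo owned>bla;".rar"` is three shell commands, not one; the argv variant reports `False` because `true` simply receives the odd-looking name as its second argument. The same reasoning applies to jpegtran or any other external tool: quoting the interpolated string is not a fix, because a quote character inside the name closes the quoting.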
Correction to my initial comment on insecure temporary directories, based on further investigation performed by Nico Golde: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=462838#15

There are two places where an attacker can possibly race against comix: creation of the /tmp/comix directory and creation of the /tmp/comix/<num> directory. In either case, if an attacker manages to create a directory or symlink with the proper name after the os.path.exists check, comix will exit with a 'File exists' error on os.makedirs / os.mkdir. This can be considered a DoS on the victim, but there's a much easier way to achieve that: a plain mkdir /tmp/comix; chmod 700 /tmp/comix performed by an attacker is sufficient.

The possibility of a symlink attack exists if the user running comix has insecure umask settings. An attacker may prepare the comix directory, which will be re-used by the victim's comix session to create the <num> subdirectory with permissions only influenced by umask and not chmod-ed afterwards (in load_file(), prior to calling extract_archive()). Additionally, if the attacker can guess file names in the archive to be extracted by the victim user, and an archiver that follows symlinks is used, an arbitrary file of the victim's can be overwritten with data from the archive.
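An added example (not comix's code) contrasting the predictable-path pattern described above with tempfile.mkdtemp(). The vulnerable function reproduces the shape of the pattern from the comments (fixed parent directory, numbered per-session subdirectory, an exists-check followed by mkdir); the layout under a scratch root and the simulated umask of 000 are assumptions for the demo, as is the "attacker" pre-creating the directory that the victim's session will want.

```python
import os
import stat
import tempfile


def predictable_tmpdir(root: str, session: int) -> str:
    """Pattern from the report: <root>/comix/<session>, guarded only by an
    os.path.exists() check. Anyone who creates the name first wins, and the
    mode of the new directory is whatever umask leaves of 0777."""
    parent = os.path.join(root, "comix")
    if not os.path.exists(parent):      # check ...
        os.makedirs(parent)             # ... then act: classic TOCTOU gap
    target = os.path.join(parent, str(session))
    os.mkdir(target)                    # FileExistsError if someone got there first
    return target


def private_tmpdir(root: str) -> str:
    """Hardened pattern: mkdtemp picks an unguessable name and creates the
    directory atomically (O_EXCL semantics) with mode 0700, regardless of umask."""
    return tempfile.mkdtemp(prefix="comix-", dir=root)


def mode_bits(path: str) -> int:
    """Permission bits of path, not following symlinks."""
    return stat.S_IMODE(os.lstat(path).st_mode)


def demo() -> dict:
    """Simulate a victim with umask 000 (assumption) whose predictable session
    directory an attacker has already created, then compare with mkdtemp."""
    results = {}
    old_umask = os.umask(0o000)
    try:
        with tempfile.TemporaryDirectory() as root:
            # Attacker pre-creates the exact path the victim's next session wants.
            os.makedirs(os.path.join(root, "comix", "0"))
            try:
                predictable_tmpdir(root, 0)
                results["predictable_blocked"] = False
            except FileExistsError:
                results["predictable_blocked"] = True   # victim's comix would die here

            # A later session that is not blocked still inherits an attacker-owned
            # parent and a world-writable subdirectory under this umask.
            d = predictable_tmpdir(root, 1)
            results["predictable_mode"] = mode_bits(d)

            p = private_tmpdir(root)
            results["private_mode"] = mode_bits(p)
            results["private_name_guessable"] = os.path.basename(p) in ("comix", "0", "1")
    finally:
        os.umask(old_umask)
    return results


if __name__ == "__main__":
    r = demo()
    print({k: (oct(v) if "mode" in k else v) for k, v in r.items()})
    # expected: predictable_blocked True, predictable_mode 0o777,
    #           private_mode 0o700, private_name_guessable False
```

mkdtemp removes both problems at once: the attacker cannot pre-create a name they cannot predict, and the 0700 mode is applied by the library rather than left to the caller's umask, so no follow-up chmod is needed.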
CVE-2008-1568 part should be fixed by comix-3.6.4-4.fc{7,8,9}.
The tmpdir issue should be fixed in comix-3.6.4-5.fc{7,8,9}

(In reply to comment #6)
> CVE-2008-1568 part should be fixed by comix-3.6.4-4.fc{7,8,9}.

I am not sure how /usr/bin/comicthumb is used.. Anyway, I replaced os.popen() with subprocess.Popen(), although currently I have no way to check if my fix is correct. For the tarfile.open() issue, for now I won't fix.
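Since the tarfile.open() issue is left open above, here is an added example (not comix's or the maintainer's code) of the member check that the tarfile module itself lacked at the time of CVE-2007-4559: every member is resolved against the destination directory before extraction, and anything that would land outside it, through `..`, an absolute name or a symlink pointing out of the tree, is skipped. The archive contents are constructed in memory for the demo and are not from any real comic file.

```python
import io
import os
import tarfile
import tempfile


def member_is_safe(member: tarfile.TarInfo, dest: str) -> bool:
    """True only if extracting `member` cannot touch anything outside `dest`.
    realpath() also follows symlinks already extracted into dest, so a later
    member routed through a previously extracted link is caught as well."""
    dest = os.path.realpath(dest)
    target = os.path.realpath(os.path.join(dest, member.name))
    if os.path.commonpath([dest, target]) != dest:
        return False                      # "../x" or "/etc/x" escapes dest
    if member.issym():
        # symlink targets resolve relative to the link's own directory
        link = os.path.realpath(os.path.join(os.path.dirname(target), member.linkname))
        if os.path.commonpath([dest, link]) != dest:
            return False
    if member.islnk():
        # hard link targets are archive-relative paths
        link = os.path.realpath(os.path.join(dest, member.linkname))
        if os.path.commonpath([dest, link]) != dest:
            return False
    return True


def safe_extract(tar_bytes: bytes, dest: str) -> list:
    """Extract members that pass member_is_safe(); return the names skipped."""
    skipped = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tf:
        for m in tf.getmembers():
            if not member_is_safe(m, dest):
                skipped.append(m.name)
                continue
            tf.extract(m, dest)
    return skipped


def build_sample_tar() -> bytes:
    """Constructed archive: one legitimate page plus three escape attempts."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        def add(name: str, data: bytes) -> None:
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
        add("page01.jpg", b"jpeg bytes")           # benign member
        add("../../.bashrc", b"evil")              # parent-directory traversal
        add("/etc/cron.d/comix", b"evil")          # absolute path
        link = tarfile.TarInfo("escape")           # symlink out of the tree ...
        link.type = tarfile.SYMTYPE
        link.linkname = "../../outside"
        tf.addfile(link)
        add("escape/payload", b"evil")             # ... then a write through it
    return buf.getvalue()


def demo() -> dict:
    with tempfile.TemporaryDirectory() as dest:
        skipped = safe_extract(build_sample_tar(), dest)
        extracted = sorted(
            os.path.relpath(os.path.join(r, f), dest)
            for r, _, files in os.walk(dest) for f in files
        )
    return {"skipped": skipped, "extracted": extracted}


if __name__ == "__main__":
    print(demo())
```

The `escape/payload` member is kept: once the `escape` symlink has been refused, that name is just a regular file in a regular subdirectory, which is exactly the point of checking each member against what is actually on disk rather than against the archive listing alone. Python 3.12 and later ship an equivalent built-in policy as `extractall(filter="data")`; on the interpreters comix targeted, a check like this one was the only option.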
comix-3.6.4-5.fc7 has been submitted as an update for Fedora 7
comix-3.6.4-5.fc8 has been submitted as an update for Fedora 8
comix-3.6.4-6.fc8 has been pushed to the Fedora 8 stable repository. If problems still persist, please make note of it in this bug report.
comix-3.6.4-6.fc7 has been pushed to the Fedora 7 stable repository. If problems still persist, please make note of it in this bug report.
Closing.
Mitre has assigned CVE id CVE-2008-1796 to the "DoS other users via temporary directory" issue: CVE-2008-1796: Comix 3.6.4 creates temporary directories with predictable names, which allows local users to cause an unspecified denial of service.
Just some info: on 2008-07-07 upstream released 3.6.5 with all my patches applied: http://comix.sourceforge.net/changelog.html