Mamoru Tasaka discovered that cbrpager (Simple comic book pager for Linux) does not properly sanitize file names of the image archives before calling the external decompression utilities unrar and unzip using the system() libc library call. Opening a .zip or .rar archive with a specially crafted filename can result in execution of arbitrary code with the privileges of the user running cbrpager.

Sample file name: test";echo owned>bla;".rar
(same as for similar issue in comix - https://bugzilla.redhat.com/show_bug.cgi?id=430635#c4)

Mamoru's patch accepted by upstream:
http://cvs.fedoraproject.org/viewcvs/rpms/cbrpager/devel/cbrpager-0.9.16-filen-shell-escaping.patch?rev=1.2

Fixed upstream in version 0.9.17:
http://sourceforge.net/forum/forum.php?forum_id=827120
http://www.jcoppens.com/soft/cbrpager/log.en.php
A non-security issue was found in 0.9.17-1.fc{10-7}, so updating to 0.9.17-2.fc{10-7} and editing the update requests.
cbrpager-0.9.17-2.fc7 has been pushed to the Fedora 7 stable repository. If problems still persist, please make note of it in this bug report.
cbrpager-0.9.17-2.fc9 has been pushed to the Fedora 9 stable repository. If problems still persist, please make note of it in this bug report.
cbrpager-0.9.17-2.fc8 has been pushed to the Fedora 8 stable repository. If problems still persist, please make note of it in this bug report.
Upstream released 0.9.18. With this version the following patch is applied:
http://cvs.fedoraproject.org/viewcvs/*checkout*/rpms/cbrpager/devel/cbrpager-0.9.17-zip-filen-escape.patch?hideattic=0&rev=1.1

cbrpager-0.9.18-1.fc{9,8,7} are now in the request queue to stable on bodhi.
CVE id CVE-2008-2575 was assigned to this issue: cbrPager before 0.9.17 allows user-assisted remote attackers to execute arbitrary commands via shell metacharacters in a (1) ZIP (aka .cbz) or (2) RAR (aka .cbr) archive filename.
Fixed for all current Fedora versions via:
https://admin.fedoraproject.org/updates/F7/FEDORA-2008-4440
https://admin.fedoraproject.org/updates/F8/FEDORA-2008-4528
https://admin.fedoraproject.org/updates/F9/FEDORA-2008-4501