oss-sec mailing list archives
Re: CVE id request: comix
From: "Steven M. Christey" <coley () linus mitre org>
Date: Mon, 31 Mar 2008 17:44:40 -0400 (EDT)
On Mon, 31 Mar 2008, Nico Golde wrote:
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=462840
> I confirmed this using comix\"\;echo\ owned\>bla\;ls\ \" as a simple reproducer.

Use CVE-2008-1568

What about the comicthumb in Message #10 - if that's part of comix, I'd MERGE with CVE-2008-1568.

- Steve

======================================================
Name: CVE-2008-1568
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1568
Reference: CONFIRM:http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=462840

comix 3.6.4 allows attackers to execute arbitrary commands via a filename containing shell metacharacters that are not properly sanitized when executing the rar, unrar, or jpegtran programs.
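
Added example, not part of the original message and not comix's own code: the bug class in the CVE description, shown as a file name interpolated into a shell command line beside the same helper invoked with an argument list and no shell. The double-quoted command template, the constructed file name and the stand-in child process (used in place of rar, unrar or jpegtran) are assumptions.

```python
import json
import shlex
import subprocess
import sys

# Constructed sample file name, modelled on the reproducer quoted in the thread.
HOSTILE_NAME = 'page";echo owned>bla;ls "'

# Stand-in for rar/unrar/jpegtran (assumption): a child process that only
# reports the arguments it received, so the example runs without those tools.
REPORT_ARGV = [sys.executable, "-c",
               "import json, sys; print(json.dumps(sys.argv[1:]))"]


def shell_string(tool, path):
    """Vulnerable pattern (assumed form): file name pasted into a shell line."""
    return '%s "%s"' % (tool, path)


def commands_seen(command_line):
    """Approximate how a POSIX shell splits the line into separate commands."""
    lexer = shlex.shlex(command_line, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    commands, current = [], []
    for token in lexer:
        if token in (";", "&", "&&", "|", "||"):  # control operators
            commands.append(current)
            current = []
        else:
            current.append(token)
    commands.append(current)
    return commands


def run_without_shell(path):
    """Hardened pattern: argv list, no shell; '--' ends option parsing."""
    done = subprocess.run(REPORT_ARGV + ["--", path],
                          capture_output=True, text=True, check=True)
    return json.loads(done.stdout)


if __name__ == "__main__":
    print(commands_seen(shell_string("unrar", HOSTILE_NAME)))
    print(run_without_shell(HOSTILE_NAME))
```

The tokenizer only illustrates why the interpolated line becomes several commands; it is not a sanitizer, and the fix is the argument-list call, which hands the whole name to the child as one argument.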