[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Mon, 31 Mar 2008 17:44:40 -0400 (EDT)
From: "Steven M. Christey" <coley@...us.mitre.org>
To: oss-security@...ts.openwall.com
Subject: Re: CVE id request: comix
On Mon, 31 Mar 2008, Nico Golde wrote:
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=462840
>
> I confirmed this using comix\"\;echo\ owned\>bla\;ls\ \"
> as a simple reroducer.
Use CVE-2008-1568
What about the comicthumb in Message #10 - if that's part of comix, I'd
MERGE with CVE-2008-1568.
- Steve
======================================================
Name: CVE-2008-1568
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1568
Reference: CONFIRM:http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=462840
comix 3.6.4 allows attackers to execute arbitrary commands via a
filename containing shell metacharacters that are not properly
sanitized when executing the rar, unrar, or jpegtran programs.
Powered by blists - more mailing lists
Please check out the
Open Source Software Security Wiki, which is counterpart to this
mailing list.
Powered by Openwall GNU/*/Linux -
Powered by OpenVZ