Fedora alert FEDORA-2008-2993 (comix)
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2008-2993
2008-04-08 23:46:17
--------------------------------------------------------------------------------

Name        : comix
Product     : Fedora 7
Version     : 3.6.4
Release     : 6.fc7
URL         : http://comix.sourceforge.net/
Summary     : A user-friendly, customizable image viewer
Description :
Comix is a user-friendly, customizable image viewer. It is specifically
designed to handle comic books, but also serves as a generic viewer. It reads
images in ZIP, RAR or tar archives (also gzip or bzip2 compressed) as well as
plain image files. It is written in Python and uses GTK+ through the PyGTK
bindings.

--------------------------------------------------------------------------------
Update Information:

Several security flaws are reported against comix 3.6.4.

One issue is that comix uses os.popen() to execute external commands without
handling filenames properly. This may allow malicious users to execute
arbitrary commands when a file with a crafted name is opened. This issue is
now identified as CVE-2008-1568.

Another issue is that comix creates a directory under /tmp with a name that
any user can easily predict. This makes a DoS attack possible on multiuser
systems.

This new package fixes these issues.
--------------------------------------------------------------------------------
ChangeLog:

* Thu Apr  3 2008 Mamoru Tasaka <mtasaka@ioa.s.u-tokyo.ac.jp> - 3.6.4-6
- Second patch for bug 430635
  Use tempfile.mkdtemp() for multiple user race condition
* Wed Apr  2 2008 Mamoru Tasaka <mtasaka@ioa.s.u-tokyo.ac.jp> - 3.6.4-4
- First patch for bug 430635
  Replace os.popen() with subprocess.Popen() to handle hostile filename
  properly (CVE-2008-1568)
* Wed Dec  5 2007 Mamoru Tasaka <mtasaka@ioa.s.u-tokyo.ac.jp> - 3.6.4-3
- Fix icon path in desktop file for desktop-file-utils 0.14+
* Mon Aug 20 2007 Mamoru Tasaka <mtasaka@ioa.s.u-tokyo.ac.jp> - 3.6.4-2
- Now %_sysconfdir/gconf{,/schemas} are owned by GConf2 (#233756)
* Fri Aug  3 2007 Mamoru Tasaka <mtasaka@ioa.s.u-tokyo.ac.jp> - 3.6.4-1.dist.1
- License update
* Mon May 28 2007 Mamoru Tasaka <mtasaka@ioa.s.u-tokyo.ac.jp> - 3.6.4-1
- 3.6.4

--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #430635 - comix: multiple issues (CVE-2008-1568)
        https://bugzilla.redhat.com/show_bug.cgi?id=430635

--------------------------------------------------------------------------------
This update can be installed with the "yum" update program. Use
su -c 'yum update comix'
at the command line. For more information, refer to "Managing Software with
yum", available at http://docs.fedoraproject.org/yum/.

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
http://fedoraproject.org/keys
--------------------------------------------------------------------------------

_______________________________________________
Fedora-package-announce mailing list
Fedora-package-announce@redhat.com
http://www.redhat.com/mailman/listinfo/fedora-package-ann...
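
The two fixes named in the update information and ChangeLog, shown side by side with the patterns they replace. This is an added example, not code from comix or from the Fedora patches. The helper command, the hostile filename and the directory name "comix-tmp" are constructed for illustration, and a scratch directory stands in for /tmp.

```python
import os
import shlex
import stat
import subprocess
import sys
import tempfile

# Constructed hostile archive name: everything after ';' is shell syntax.
HOSTILE_NAME = "comic.zip; echo INJECTED"
# Stand-in for the external archive tool (assumption): prints the argv it got.
HELPER = [sys.executable, "-c", "import sys; print(sys.argv[1:])"]


def run_unsafe(filename):
    """Pre-fix pattern: the filename is pasted into a shell command line."""
    cmd = " ".join(shlex.quote(a) for a in HELPER) + " " + filename
    with os.popen(cmd) as pipe:  # os.popen() hands cmd to /bin/sh
        return pipe.read().splitlines()


def run_safe(filename):
    """Post-fix pattern: argv list, no shell, filename is one argument."""
    proc = subprocess.Popen(HELPER + [filename], stdout=subprocess.PIPE)
    out, _ = proc.communicate()
    return out.decode().splitlines()


def tmpdir_demo():
    """Return (fixed_name_blocked, mkdtemp_mode) inside a scratch root."""
    root = tempfile.mkdtemp(prefix="demo-root.")  # plays the role of /tmp
    fixed = os.path.join(root, "comix-tmp")  # constructed predictable name
    os.mkdir(fixed)  # another local user creates it first
    try:
        os.mkdir(fixed)  # the viewer then tries to create its own
        blocked = False
    except FileExistsError:
        blocked = True
    private = tempfile.mkdtemp(prefix="comix.", dir=root)  # random suffix
    mode = stat.S_IMODE(os.stat(private).st_mode)
    for d in (private, fixed, root):
        os.rmdir(d)
    return blocked, mode


if __name__ == "__main__":
    print("os.popen():        ", run_unsafe(HOSTILE_NAME))
    print("subprocess.Popen():", run_safe(HOSTILE_NAME))
    print("tmp dir (blocked, mode):", tmpdir_demo())
```

With os.popen() the helper sees only "comic.zip" and the shell runs the rest of the name as a second command; with the argv list the whole name arrives as a single argument. tempfile.mkdtemp() picks an unpredictable name and creates the directory with owner-only permissions, so a pre-created fixed name cannot block it.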