
Commit 717df38

comics: Remove support for tar and tar-like commands
When handling tar files, or using a command with tar-compatible syntax, to open comic-book archives, both the archive name (the name of the comics file) and the filename (the name of a page within the archive) are quoted to not be interpreted by the shell. But the filename is completely within the attacker's control and can start with "--" which leads to tar interpreting it as a command line flag. This can be exploited by creating a CBT file (a tar archive with the .cbt suffix) with an embedded file named something like this: "--checkpoint-action=exec=bash -c 'touch ~/hacked;'.jpg" CBT files are infinitely rare (CBZ is usually used for DRM-free commercial releases, CBR for those from more dubious provenance), so removing support is the easiest way to avoid the bug triggering. All this code was rewritten in the development release for GNOME 3.26 to not shell out to any command, closing off this particular attack vector. This also removes the ability to use libarchive's bsdtar-compatible binary for CBZ (ZIP), CB7 (7zip), and CBR (RAR) formats. The first two are already supported by unzip and 7zip respectively. libarchive's RAR support is limited, so unrar is a requirement anyway. Discovered by Felix Wilhelm from the Google Security Team. https://bugzilla.gnome.org/show_bug.cgi?id=784630
1 parent 8b24be3 commit 717df38


2 files changed

+2
-40
lines changed


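--- a/backend/comics/comics-document.c
+++ b/backend/comics/comics-document.c
@@ -56,8 +56,7 @@ typedef enum
 RARLABS,
 GNAUNRAR,
 UNZIP,
-P7ZIP,
-TAR
+P7ZIP
 } ComicBookDecompressType;
 
 typedef struct _ComicsDocumentClass ComicsDocumentClass;
@@ -117,9 +116,6 @@ static const ComicBookDecompressCommand command_usage_def[] = {
 
 /* 7zip */
 {NULL , "%s l -- %s" , "%s x -y %s -o%s", FALSE, OFFSET_7Z},
-
-/* tar */
-{"%s -xOf" , "%s -tf %s" , NULL , FALSE, NO_OFFSET}
 };
 
 static GSList* get_supported_image_extensions (void);
@@ -364,13 +360,6 @@ comics_check_decompress_command (gchar *mime_type,
 comics_document->command_usage = GNAUNRAR;
 return TRUE;
 }
-comics_document->selected_command =
-g_find_program_in_path ("bsdtar");
-if (comics_document->selected_command) {
-comics_document->command_usage = TAR;
-return TRUE;
-}
-
 } else if (g_content_type_is_a (mime_type, "application/x-cbz") ||
 g_content_type_is_a (mime_type, "application/zip")) {
 /* InfoZIP's unzip program */
@@ -396,12 +385,6 @@ comics_check_decompress_command (gchar *mime_type,
 comics_document->command_usage = P7ZIP;
 return TRUE;
 }
-comics_document->selected_command =
-g_find_program_in_path ("bsdtar");
-if (comics_document->selected_command) {
-comics_document->command_usage = TAR;
-return TRUE;
-}
 
 } else if (g_content_type_is_a (mime_type, "application/x-cb7") ||
 g_content_type_is_a (mime_type, "application/x-7z-compressed")) {
@@ -425,27 +408,6 @@ comics_check_decompress_command (gchar *mime_type,
 comics_document->command_usage = P7ZIP;
 return TRUE;
 }
-comics_document->selected_command =
-g_find_program_in_path ("bsdtar");
-if (comics_document->selected_command) {
-comics_document->command_usage = TAR;
-return TRUE;
-}
-} else if (g_content_type_is_a (mime_type, "application/x-cbt") ||
-g_content_type_is_a (mime_type, "application/x-tar")) {
-/* tar utility (Tape ARchive) */
-comics_document->selected_command =
-g_find_program_in_path ("tar");
-if (comics_document->selected_command) {
-comics_document->command_usage = TAR;
-return TRUE;
-}
-comics_document->selected_command =
-g_find_program_in_path ("bsdtar");
-if (comics_document->selected_command) {
-comics_document->command_usage = TAR;
-return TRUE;
-}
 } else {
 g_set_error (error,
 EV_DOCUMENT_ERROR,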
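Review bot: The surviving 7zip row of `command_usage_def` (second hunk) applies the end-of-options marker inconsistently: the list template `"%s l -- %s"` passes `--` before the archive name, but the extract template `"%s x -y %s -o%s"` does not, so whether a shell-quoted argument that begins with `-` can still be read as a switch — the same class the commit message describes for tar — depends on how the caller outside this hunk builds and quotes these command lines. If that path is known to be safe (for example because the substituted names are absolute paths), the table deserves a comment stating the invariant, such as `/* Caller shell-quotes every argument; a template must also pass "--" before any name that may begin with '-' */`; if not, the one-line fix is to add `--` to the extract template as the list template already does, since the same binary accepts it there. Separately, the first hunk leaves `P7ZIP` as the final enumerator without a trailing comma; `P7ZIP,` keeps the next addition to a one-line diff. `comics_check_decompress_command` (hunks three to five) starts and ends outside the visible hunks, so the error path after the remaining `else` branches could not be checked here.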

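--- a/configure.ac
+++ b/configure.ac
@@ -795,7 +795,7 @@ AC_SUBST(TIFF_MIME_TYPES)
 AC_SUBST(APPDATA_TIFF_MIME_TYPES)
 AM_SUBST_NOTMAKE(APPDATA_TIFF_MIME_TYPES)
 if test "x$enable_comics" = "xyes"; then
-COMICS_MIME_TYPES="application/x-cbr;application/x-cbz;application/x-cb7;application/x-cbt;application/x-ext-cbr;application/x-ext-cbz;application/vnd.comicbook+zip;application/x-ext-cb7;application/x-ext-cbt"
+COMICS_MIME_TYPES="application/x-cbr;application/x-cbz;application/x-cb7;application/x-ext-cbr;application/x-ext-cbz;application/vnd.comicbook+zip;application/x-ext-cb7;"
 APPDATA_COMICS_MIME_TYPES=$(echo "<mimetype>$COMICS_MIME_TYPES</mimetype>" | sed -e 's/;/<\/mimetype>\n <mimetype>/g')
 if test -z "$EVINCE_MIME_TYPES"; then
 EVINCE_MIME_TYPES="${COMICS_MIME_TYPES}"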
