Re: evince: arbitrary code execution via filename in tar-compressed comics archive (CVE-2017-1000083)





----- Original Message -----
A security issue was found by Felix Wilhelm from the Google
Security Team which allows arbitrary code execution by
manipulating the name and path of a file inside a comic book
tar archive (CBT) file.

The vulnerability was introduced in commit
d68a91467efab8ef8a8f98589dd4c21b993b6e14 in December 2009 and
is contained in all versions of evince from 2.29.4 up until 3.24.0.

It was however fixed in the current unreleased development
version by using libarchive and unarr rather than shell commands.

Patches to disable all support for tar commands are available
in GNOME's git repository in the gnome-3-20, gnome-3-22 and
gnome-3-24 stable branches. Older versions will likely be able
to apply the patches from the gnome-3-20 branch with some
additional cherry-picking.

More details are available in:
https://bugzilla.gnome.org/show_bug.cgi?id=784630

Please note that MATE's "atril" (a fork of an older version of evince)
is also vulnerable:
https://github.com/mate-desktop/atril/issues/257
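
The advisory above attributes the issue to file names inside a CBT archive reaching shell commands, and the fix to reading archives in-process instead. The following is an added example, not part of the original message and not evince or atril code: it reads member names in-process with Python's `tarfile` and flags names that would be unsafe to place on a command line. The message does not say how the name reaches the shell, so the hazard classes checked here (leading dash, shell metacharacters, absolute or parent-directory paths) are assumptions, and the sample archive is constructed.

```python
import io
import tarfile
from pathlib import PurePosixPath

# Characters a POSIX shell treats specially (assumed hazard set for this example).
SHELL_META = set("`$;&|<>(){}[]*?!'\"\\\n\t ")

def audit_member_name(name: str) -> list[str]:
    """Return the reasons a tar member name is unsafe to place on a command line."""
    reasons = []
    if name.startswith("-"):
        reasons.append("leading dash: parsed as an option by command-line tools")
    if SHELL_META & set(name):
        reasons.append("shell metacharacter or whitespace")
    path = PurePosixPath(name)
    if path.is_absolute():
        reasons.append("absolute path")
    if ".." in path.parts:
        reasons.append("parent-directory component")
    return reasons

def audit_archive(data: bytes) -> dict[str, list[str]]:
    """Read member names in-process (no external tar command) and flag unsafe ones."""
    flagged = {}
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
        for member in tar:  # only headers are read; nothing is extracted
            reasons = audit_member_name(member.name)
            if reasons:
                flagged[member.name] = reasons
    return flagged

def build_sample_cbt(names: list[str]) -> bytes:
    """Constructed sample archive: each member is a tiny placeholder 'page'."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name in names:
            info = tarfile.TarInfo(name)
            info.size = len(b"placeholder")
            tar.addfile(info, io.BytesIO(b"placeholder"))
    return buf.getvalue()

if __name__ == "__main__":
    sample = build_sample_cbt(
        ["page-001.png", "--looks-like-an-option.png", "a;b.png", "../up.png"])
    for name, why in audit_archive(sample).items():
        print(f"{name!r}: {', '.join(why)}")
```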

