Bug 1468488 (CVE-2017-1000083)
| Field | Value |
|---|---|
| Summary | CVE-2017-1000083 evince: command injection via filename in tar-compressed comics archive |
| Product | [Other] Security Response |
| Reporter | Bastien Nocera <bnocera> |
| Component | vulnerability |
| Assignee | Red Hat Product Security <security-response-team> |
| Status | CLOSED ERRATA |
| Severity | high |
| Priority | high |
| Version | unspecified |
| CC | caolanm, cbuissar, feborges, mcatanzaro+wrong-account-do-not-cc, mkasik, security-response-team |
| Target Milestone | --- |
| Keywords | Security |
| Target Release | --- |
| Hardware | All |
| OS | Linux |
| Doc Type | If docs needed, set a value |
| Doc Text | It was found that evince did not properly sanitize the command line which is run to untar Comic Book Tar (CBT) files, thereby allowing command injection. A specially crafted CBT file, when opened by evince or evince-thumbnailer, could execute arbitrary commands in the context of the evince program. |
| Story Points | --- |
| Last Closed | 2017-08-03 08:28:10 UTC |
| Type | Bug |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| Category | --- |
| oVirt Team | --- |
| Cloudforms Team | --- |
| Bug Depends On | 1469528, 1469529, 1470661 |
| Bug Blocks | 1469101 |
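The Doc Text above describes a command line built to untar a CBT file without sanitizing the member names that end up on it. The following is an added illustration, not evince's code and not part of this bug report: it contrasts the weak pattern (splicing an archive member name into one shell string) with an argument vector that no shell ever parses, and adds a member-name check a thumbnailer or archive scanner could apply. The archive name, member names and the `naive_command`/`safe_argv` helpers are constructed for the example.

```python
"""Added illustration of the CBT command-injection class described above.

Not evince's code: the 'naive' pattern stands in for any code that splices an
archive member name into a shell command line. Sample names are constructed.
"""
import shlex

ARCHIVE = "comic.cbt"                          # constructed sample archive name
BENIGN_ENTRY = "page01.jpg"                    # constructed ordinary member name
HOSTILE_ENTRY = "page01.jpg; echo injected"    # constructed, harmless payload

# Characters a POSIX shell gives special meaning to when they are unquoted.
SHELL_META = set(";|&$`<>(){}*?[]~!#\"'\\\n")


def naive_command(archive, entry):
    """Weak pattern: the untrusted member name becomes part of one shell string."""
    return "tar -xOf %s %s" % (archive, entry)


def shell_tokens(command):
    """Tokenize like a POSIX shell: ';' and friends become separate operator
    tokens, so a member name containing them yields extra commands."""
    lexer = shlex.shlex(command, posix=True, punctuation_chars=True)
    return list(lexer)


def safe_argv(archive, entry):
    """Hardened pattern: an argument vector handed to exec, never to a shell.
    '--' ends option parsing so a member name starting with '-' stays a name."""
    return ["tar", "-xOf", archive, "--", entry]


def entry_is_suspicious(entry):
    """Defender-side check for a CBT member list: flag names that carry shell
    metacharacters, start with '-', are absolute, or traverse upward."""
    parts = entry.split("/")
    return (bool(SHELL_META & set(entry)) or entry.startswith("-")
            or entry.startswith("/") or ".." in parts)


if __name__ == "__main__":
    print(shell_tokens(naive_command(ARCHIVE, HOSTILE_ENTRY)))
    print(safe_argv(ARCHIVE, HOSTILE_ENTRY))
    for name in (BENIGN_ENTRY, HOSTILE_ENTRY, "-leading-dash.jpg", "../escape.jpg"):
        print(name, "suspicious" if entry_is_suspicious(name) else "ok")
```

The tokenized naive command shows the member name splitting into a second command, while the same name survives intact as a single element of the argv form.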
Description
Bastien Nocera
2017-07-07 08:54:56 UTC
I have the repos ready to commit for f24, f25, f26, rawhide, as well as rhel-7.4. rhel-7.3 is also vulnerable, and I don't know how you want that one handled. RHEL 6.x is not vulnerable as the CBT feature did not exist (added in evince 2.29.3). There is no CVE filed or assigned, and no attempts have been made to contact other distributions.

Acknowledgments:
Name: Felix Wilhelm (Google Security Team)

The problem exists in the upstream evince since:

    commit d68a91467efab8ef8a8f98589dd4c21b993b6e14
    Author: Juanjo Marín <juanj.marin>
    Date:   Fri Dec 11 14:40:43 2009 +0100

        [comics] Add support for cbt files

        Fixes bgo#588266.

which was in the tarball for evince 2.29.4.

atril, the evince fork from the MATE desktop, is vulnerable from the day it forked from evince, and still is today:
https://github.com/mate-desktop/atril/blob/master/backend/comics/comics-document.c#L110

Adding Michael Catanzaro from the GNOME security and release teams to the CC:.

Mitigation:
- Disabling evince-thumbnailer to render icons will reduce the attack surface (removing /usr/share/thumbnailers/evince.thumbnailer).
- SELinux in enforcing mode partially restricts evince-thumbnailer.

Created evince tracking bugs for this issue:

Affects: fedora-all [bug 1470661]

(In reply to Cedric Buissart from comment #10)
> Created evince tracking bugs for this issue:
>
> Affects: fedora-all [bug 1470661]

FWIW, this was created too late, and all the Fedora updates reference this bug instead.

This issue has been addressed in the following products:

Red Hat Enterprise Linux 7

Via RHSA-2017:2388 https://access.redhat.com/errata/RHSA-2017:2388