Bug 1468488 - (CVE-2017-1000083) evince: command injection via filename in tar-compressed comics archive

Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware/OS: All / Linux
Priority: high
Severity: high
Assigned To: Red Hat Product Security
Whiteboard: impact=important,public=20170713,repo...
Keywords: Security
Depends On: 1469529 1469528 1470661
Blocks: 1469101

Reported: 2017-07-07 04:54 EDT by Bastien Nocera
Modified: 2017-08-03 04:28 EDT
Last Closed: 2017-08-03 04:28:10 EDT
Type: Bug

Doc Text:
It was found that evince did not properly sanitize the command line which is run to untar Comic Book Tar (CBT) files, thereby allowing command injection. A specially crafted CBT file, when opened by evince or evince-thumbnailer, could execute arbitrary commands in the context of the evince program.
Attachments
0001-comics-Remove-support-for-tar-and-tar-like-commands.patch (5.13 KB, patch), 2017-07-07 04:54 EDT, Bastien Nocera

External Trackers
GNOME Desktop 784630 (last updated 2017-07-07 04:55 EDT)

Description Bastien Nocera 2017-07-07 04:54:56 EDT
Created attachment 1295228
0001-comics-Remove-support-for-tar-and-tar-like-commands.patch

From the folks at Project Zero:

"""
Hi,

The comic book backend in evince 3.24.0 is vulnerable to a command injection bug that can be used to execute arbitrary commands when a cbt file is opened:

cbt files are simple tar archives containing images. When a cbt file is processed, evince calls 
"tar -xOf $archive $filename" for every image file in the archive:

// backend/comics/comics-document.c: 914
        command_line = g_strdup_printf ("%s %s %s",
                                        comics_document->extract_command,
                                        quoted_archive,
                                        quoted_filename);

While both the archive name and the filename are quoted to not be interpreted by the shell,
the filename is completely attacker controlled and can start with "--", which leads to tar interpreting it
as a command line flag.

This can be exploited by creating a tar archive with an embedded file named
[...]

Please credit Felix Wilhelm from the Google Security Team in all releases, patches and advisories related to this issue.

Best,
Felix
"""

All current versions of evince in Fedora and RHEL are vulnerable.

The attached patch will be applied to all versions of Fedora except Fedora 26 and rawhide for which we will use a backport of the comics archive handling rework (https://bugzilla.gnome.org/show_bug.cgi?id=720742).
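The report above makes a point that is easy to miss: shell quoting protects against shell metacharacters, not against the program being invoked parsing a positional argument as one of its own options. The block below is an added example, not evince code and not the Project Zero payload (the member name "--example-option" is constructed purely to show that it reaches tar's option parser unchanged). It mirrors the quoted g_strdup_printf pattern in Python, shows the argv a caller that still shells out would build instead (no shell, "--" after the archive name since "-f" consumes the following argument, and a rejection of names beginning with "-"; this assumes a tar that honours the POSIX "--" end-of-options marker, as GNU tar and bsdtar do), and adds a scanner that lists option-looking member names straight from the tar headers without extracting anything. The in-memory CBT is constructed with Python's tarfile module, which, like a hand-built archive, places no restriction on member names.

```python
"""Added example (not evince's code): why shell quoting does not stop option
injection into tar, how the extraction argv should be built if tar is kept,
and a scanner that flags CBT members whose names tar would parse as options.
Every file name below is constructed for this example."""
import io
import shlex
import tarfile


def vulnerable_extract_cmdline(archive: str, member: str) -> str:
    """Same shape as the evince 3.24 pattern quoted in the report:
    'tar -xOf <quoted archive> <quoted member>' handed to a shell.
    shlex.quote() keeps the shell from interpreting metacharacters, but the
    token the shell passes on is still the raw member name, so a name that
    starts with '--' reaches tar looking exactly like an option."""
    return "tar -xOf %s %s" % (shlex.quote(archive), shlex.quote(member))


def tokens_tar_receives(archive: str, member: str) -> list:
    """What the shell would hand to execve after splitting the quoted line."""
    return shlex.split(vulnerable_extract_cmdline(archive, member))


def hardened_extract_argv(archive: str, member: str) -> list:
    """Build argv for execve-style spawning (no shell) and terminate option
    parsing with '--' so the member name is always positional.  Order matters:
    '-f' consumes the next argument, so '--' must follow the archive name.
    Names starting with '-' are rejected outright as belt and braces, and NUL
    is rejected because it would truncate the argument at the exec boundary."""
    if not member or member.startswith("-"):
        raise ValueError("refusing member name that looks like an option: %r" % member)
    if "\0" in member or "\0" in archive:
        raise ValueError("NUL byte in argument")
    return ["tar", "-xOf", archive, "--", member]


def build_cbt(members: dict) -> bytes:
    """Constructed sample: an uncompressed tar (which is all a .cbt is) built
    in memory from {name: content}.  tarfile does not validate member names,
    which is the same freedom an attacker crafting the archive has."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name, content in members.items():
            info = tarfile.TarInfo(name=name)
            info.size = len(content)
            tf.addfile(info, io.BytesIO(content))
    return buf.getvalue()


def option_like_members(cbt_bytes: bytes) -> list:
    """Check a thumbnailer or mail gateway could run before handing a CBT to
    tar: return every member whose name starts with '-'.  Names come from the
    tar headers only; nothing is extracted."""
    with tarfile.open(fileobj=io.BytesIO(cbt_bytes), mode="r:") as tf:
        return [m.name for m in tf.getmembers() if m.name.startswith("-")]


# Constructed sample archive: one plausible page plus one option-looking name.
SAMPLE_CBT = build_cbt({
    "page01.png": b"\x89PNG\r\n\x1a\n",      # stub PNG signature, not a real image
    "--example-option": b"not an image",    # hypothetical option-looking member
})


if __name__ == "__main__":
    print(vulnerable_extract_cmdline("comic.cbt", "--example-option"))
    print(tokens_tar_receives("comic.cbt", "--example-option"))
    print(option_like_members(SAMPLE_CBT))
    try:
        hardened_extract_argv("comic.cbt", "--example-option")
    except ValueError as err:
        print("rejected:", err)
    print(hardened_extract_argv("comic.cbt", "page01.png"))
```

Note that the hardened argv is only what a caller would do if it insisted on keeping tar as an external helper; the attached patch takes the sturdier route of removing tar and tar-like commands from the comics backend altogether, and the archive-handling rework referenced for Fedora 26 and rawhide moves away from spawning external commands as well.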
Comment 1 Bastien Nocera 2017-07-07 09:49:15 EDT
I have the repos ready to commit for f24, f25, f26, rawhide, as well as rhel-7.4. rhel-7.3 is also vulnerable, and I don't know how you want that one handled.

RHEL 6.x is not vulnerable as the CBT feature did not exist (added in evince 2.29.3).
Comment 2 Bastien Nocera 2017-07-10 07:59:59 EDT
There is no CVE filed or assigned, and no attempts have been made to contact other distributions.
Comment 3 Cedric Buissart 2017-07-10 08:43:12 EDT
Acknowledgments:

Name: Felix Wilhelm (Google Security Team)
Comment 4 Bastien Nocera 2017-07-10 10:36:36 EDT
The problem exists in the upstream evince since:
commit d68a91467efab8ef8a8f98589dd4c21b993b6e14
Author: Juanjo Marín <juanj.marin@juntadeandalucia.es>
Date:   Fri Dec 11 14:40:43 2009 +0100

    [comics] Add support for cbt files
    
    Fixes bgo#588266.

Which was in the tarball for evince 2.29.4.

atril, the evince fork from the MATE desktop, is vulnerable from the day it forked from evince, and still is today:
https://github.com/mate-desktop/atril/blob/master/backend/comics/comics-document.c#L110

Adding Michael Catanzaro from the GNOME security and release teams to the CC:.
Comment 8 Cedric Buissart 2017-07-12 10:50:12 EDT
Mitigation:

- Disabling evince-thumbnailer to render icons will reduce the attack surface (removing /usr/share/thumbnailers/evince.thumbnailer).
- SELinux in enforcing mode partially restricts evince-thumbnailer
Comment 10 Cedric Buissart 2017-07-13 08:15:04 EDT
Created evince tracking bugs for this issue:

Affects: fedora-all [bug 1470661]
Comment 11 Bastien Nocera 2017-07-13 09:23:31 EDT
(In reply to Cedric Buissart from comment #10)
> Created evince tracking bugs for this issue:
> 
> Affects: fedora-all [bug 1470661]

FWIW, this was created too late, and all the Fedora updates reference this bug instead.
Comment 13 errata-xmlrpc 2017-08-01 19:48:01 EDT
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2017:2388 https://access.redhat.com/errata/RHSA-2017:2388