Bug 2260373 (CVE-2023-52076) - CVE-2023-52076 atril: Path traversal in Atril can lead to arbitrary file write and possible arbitrary code execution
Summary: CVE-2023-52076 atril: Path traversal in Atril can lead to arbitrary file writ...
Keywords:
Status: NEW
Alias: CVE-2023-52076
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2260374 2260375
Blocks:
TreeView+ depends on / blocked
 
Reported: 2024-01-25 18:37 UTC by Marco Benatto
Modified: 2024-01-25 18:38 UTC (History)
0 users

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments (Terms of Use)

Description Marco Benatto 2024-01-25 18:37:59 UTC 
Atril Document Viewer is the default document reader of the MATE desktop environment for Linux. A path traversal and arbitrary file write vulnerability exists in versions of Atril prior to 1.26.2. This vulnerability is capable of writing arbitrary files anywhere on the filesystem to which the user opening a crafted document has access. The only limitation is that this vulnerability cannot be exploited to overwrite existing files, but that doesn't stop an attacker from achieving Remote Command Execution on the target system. Version 1.26.2 of Atril contains a patch for this vulnerability.

https://github.com/mate-desktop/atril/commit/e70b21c815418a1e6ebedf6d8d31b8477c03ba50
https://github.com/mate-desktop/atril/releases/tag/v1.26.2
https://github.com/mate-desktop/atril/security/advisories/GHSA-6mf6-mxpc-jc37
Comment 1 Marco Benatto 2024-01-25 18:38:16 UTC 
Created atril tracking bugs for this issue:

Affects: epel-all [bug 2260375]
Affects: fedora-all [bug 2260374]
Note You need to log in before you can comment on or make changes to this bug.