#9515: evince-3.24.1
-------------------------+-----------------------
Reporter: bdubbs@… | Owner: ken@…
Type: enhancement | Status: assigned
Priority: high | Milestone: 8.1
Component: BOOK | Version: SVN
Severity: normal | Resolution:
Keywords: |
-------------------------+-----------------------
Changes (by ken@…):
* owner: blfs-book@… => ken@…
* priority: normal => high
* status: new => assigned
Comment:
Bug fixes:
* Remove support for tar and tar-like commands in comics backend
(CVE-2017-1000083, #784630, Bastien Nocera)
* Improve performance of the links sidebar (#779614, Benjamin
Berg)
* Improve performance of scrolling in thumbnails sidebar (#691448,
Nelson Benítez León)
* Don't copy remote files before thumbnailing (#780351, Bastien
Nocera)
* Fix toggling layers that are not in the current visible range of
pages (#780139, Georges Dupéron)
* Fix ev_page_accessible_get_range_for_boundary() to ensure the
start and end offsets it returns are within the allowed range
(#777992, Jason Crain)
* Fix crash with Orca screen reader (#777992, Jason Crain)
Like (I guess) most people, I thought that the vulnerability was obscure
(I've never seen any of these comics .cbt files). But the description from
the Arch advisory implies that people using e.g. chrome (I suppose
that means chromium) or epiphany could be susceptible:
[quote]The comic book backend in evince <= 3.24.0 is vulnerable to a
command injection bug that can be used to execute arbitrary commands when a cbt
file is opened.
CBT files are simple tar archives containing images. When a cbt file is
processed, evince calls "tar -xOf $archive $filename" for every image
file in the archive. While both the archive name and the filename are
quoted to not be interpreted by the shell, the filename is completely
attacker controlled and can start with "--" which leads to tar
interpreting it as a command line flag. This can be exploited by
creating a tar archive with an embedded file named something like this:
"--checkpoint-action=exec=bash -c 'touch ~/covfefe.evince;'.jpg"
This can presumably be triggered by the evince thumbnailer, which is
not sandboxed, and web browsers that allow untrusted websites to
auto-download files without user interaction (Chrome, Epiphany) can
trigger the thumbnailer to run so this is web exposed."
[endquote]
The fix appears to use libarchive to unarchive cbt files.
The vulnerability also applies to earlier versions - Ubuntu produced fixes
for their older versions a few days ago which disable CBT support.
--
Ticket URL: <http://wiki.linuxfromscratch.org/blfs/ticket/9515#comment:1>
BLFS Trac <http://wiki.linuxfromscratch.org/blfs>
Beyond Linux From Scratch
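The tar invocation the advisory describes, next to the two ways of closing the hole (terminating option parsing with "--", or reading the archive in-process the way the libarchive-based upstream fix does), as an added example that is not evince's or the advisory's code. Python's tarfile module is assumed here as a stand-in for libarchive; the archive, the member names and the JPEG-looking bytes are constructed for the demonstration and the "image" is not a real image.

```python
"""CBT argument injection (the CVE-2017-1000083 pattern) and two safer designs.

Added example, not evince's or the Arch advisory's code.  tarfile is assumed
as a stand-in for the libarchive reader the upstream fix adopted; the sample
archive and its contents are constructed.
"""
import io
import posixpath
import shlex
import tarfile

# Constructed sample page name: a GNU tar option dressed up as a JPEG file name.
MALICIOUS_NAME = "--checkpoint-action=exec=bash -c 'touch ~/covfefe.evince;'.jpg"
# Constructed bytes that merely start and end like a JPEG; not a real image.
FAKE_JPEG = b"\xff\xd8\xff\xe0" + b"\x00" * 16 + b"\xff\xd9"
IMAGE_SUFFIXES = (".jpg", ".jpeg", ".png", ".gif", ".webp")


def build_cbt(entries):
    """Return the bytes of an uncompressed tar archive holding (name, data) entries."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in entries:
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def vulnerable_argv(archive, member):
    """The argv the pre-3.24.1 backend effectively ran.  Each element is a
    separate argument, so no shell re-parses it, but tar itself still treats
    a member name beginning with '--' as an option."""
    return ["tar", "-xOf", archive, member]


def hardened_argv(archive, member):
    """Same command with '--' ending option parsing, so the member name can
    only be an operand.  A narrow fix; the upstream fix dropped the child
    process entirely (see read_pages)."""
    return ["tar", "-xOf", archive, "--", member]


def shell_line(argv):
    """Shell-quoted rendering of argv.  Quoting protects against the shell,
    which is not where this injection happens: the option is still intact."""
    return shlex.join(argv)


def is_injectable_name(name):
    """True when a member name would be parsed as an option by a getopt-style
    tool that receives it without a preceding '--'."""
    return name.startswith("-")


def safe_member_name(name):
    """Reject names that escape the extraction root or are not image files.
    MALICIOUS_NAME passes this check: suffix filtering is no defence against
    argument injection, only keeping the name out of an argv is."""
    norm = posixpath.normpath(name)
    if norm.startswith("/") or norm == ".." or norm.startswith("../"):
        return False
    return norm.lower().endswith(IMAGE_SUFFIXES)


def read_pages(cbt_bytes):
    """Read page images in-process: the member name is data, never an argument."""
    pages = {}
    with tarfile.open(fileobj=io.BytesIO(cbt_bytes), mode="r:") as tar:
        for member in tar.getmembers():
            if not member.isfile() or not safe_member_name(member.name):
                continue
            pages[member.name] = tar.extractfile(member).read()
    return pages


if __name__ == "__main__":
    cbt = build_cbt([(MALICIOUS_NAME, FAKE_JPEG), ("pages/002.png", b"png-bytes")])
    print("vulnerable:", shell_line(vulnerable_argv("comic.cbt", MALICIOUS_NAME)))
    print("hardened:  ", shell_line(hardened_argv("comic.cbt", MALICIOUS_NAME)))
    print("injectable name:", is_injectable_name(MALICIOUS_NAME))
    print("pages read in-process:", sorted(read_pages(cbt)))
```

Running the script prints the quoted command line for both variants; the quoting is visibly correct in both, which is the advisory's point that the problem is tar's own option parsing rather than the shell. The "--" variant only covers tar; any backend that hands an archive member name to another tool has the same exposure, which is why the in-process reader is the structural fix.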