commit:     63261207cee6515e48676d60757afd9655a49ad6
Author:     Mart Raudsepp <leio <AT> gentoo <DOT> org>
AuthorDate: Sat Apr 14 19:15:50 2018 +0000
Commit:     Mart Raudsepp <leio <AT> gentoo <DOT> org>
CommitDate: Sat Apr 14 19:16:04 2018 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=63261207

app-text/evince: Fix CVE-2017-1000159

Bug: https://bugs.gentoo.org/650272
Package-Manager: Portage-2.3.28, Repoman-2.3.9

 app-text/evince/evince-3.24.2-r1.ebuild            | 102 +++++++++++++++++++++
 .../evince/files/3.24.2-CVE-2017-1000159.patch     |  42 +++++++++
 2 files changed, 144 insertions(+)

diff --git a/app-text/evince/evince-3.24.2-r1.ebuild 
b/app-text/evince/evince-3.24.2-r1.ebuild
new file mode 100644
index 00000000000..5377658d1a8
--- /dev/null
+++ b/app-text/evince/evince-3.24.2-r1.ebuild
@@ -0,0 +1,102 @@
+# Copyright 1999-2018 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=6
+GNOME2_LA_PUNT="yes"
+
+inherit gnome2 systemd
+
+DESCRIPTION="Simple document viewer for GNOME"
+HOMEPAGE="https://wiki.gnome.org/Apps/Evince";
+
+LICENSE="GPL-2+ CC-BY-SA-3.0"
+# subslot = evd3.(suffix of libevdocument3)-evv3.(suffix of libevview3)
+SLOT="0/evd3.4-evv3.3"
+IUSE="djvu dvi gstreamer gnome gnome-keyring +introspection nautilus nsplugin 
+postscript t1lib tiff xps"
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~ia64 ~mips ~ppc ~ppc64 ~sparc ~x86 
~x86-fbsd ~amd64-linux ~x86-linux ~x64-solaris"
+
+# atk used in libview
+# gdk-pixbuf used all over the place
+COMMON_DEPEND="
+       dev-libs/atk
+       >=dev-libs/glib-2.36:2[dbus]
+       >=dev-libs/libxml2-2.5:2
+       sys-libs/zlib:=
+       x11-libs/gdk-pixbuf:2
+       >=x11-libs/gtk+-3.16.0:3[introspection?]
+       gnome-base/gsettings-desktop-schemas
+       >=x11-libs/cairo-1.10:=
+       >=app-text/poppler-0.33[cairo]
+       djvu? ( >=app-text/djvu-3.5.22:= )
+       dvi? (
+               virtual/tex-base
+               dev-libs/kpathsea:=
+               t1lib? ( >=media-libs/t1lib-5:= ) )
+       gstreamer? (
+               media-libs/gstreamer:1.0
+               media-libs/gst-plugins-base:1.0
+               media-libs/gst-plugins-good:1.0 )
+       gnome? ( gnome-base/gnome-desktop:3= )
+       gnome-keyring? ( >=app-crypt/libsecret-0.5 )
+       introspection? ( >=dev-libs/gobject-introspection-1:= )
+       nautilus? ( >=gnome-base/nautilus-2.91.4[introspection?] )
+       postscript? ( >=app-text/libspectre-0.2:= )
+       tiff? ( >=media-libs/tiff-3.6:0= )
+       xps? ( >=app-text/libgxps-0.2.1:= )
+"
+RDEPEND="${COMMON_DEPEND}
+       gnome-base/gvfs
+       gnome-base/librsvg
+       || (
+               >=x11-themes/adwaita-icon-theme-2.17.1
+               >=x11-themes/hicolor-icon-theme-0.10 )
+"
+DEPEND="${COMMON_DEPEND}
+       app-text/docbook-xml-dtd:4.3
+       app-text/yelp-tools
+       dev-util/gdbus-codegen
+       >=dev-util/gtk-doc-am-1.13
+       >=dev-util/intltool-0.35
+       dev-util/itstool
+       sys-devel/gettext
+       virtual/pkgconfig
+"
+# eautoreconf needs:
+#  app-text/yelp-tools
+
+PATCHES=(
+       "${FILESDIR}"/${PV}-CVE-2017-1000159.patch
+)
+
+src_prepare() {
+       gnome2_src_prepare
+
+       # Do not depend on adwaita-icon-theme, bug #326855, #391859
+       # https://bugs.freedesktop.org/show_bug.cgi?id=29942
+       sed -e 's/adwaita-icon-theme >= $ADWAITA_ICON_THEME_REQUIRED//g' \
+               -i configure || die "sed failed"
+}
+
+src_configure() {
+       gnome2_src_configure \
+               --disable-static \
+               --enable-pdf \
+               --enable-comics \
+               --enable-thumbnailer \
+               --with-platform=gnome \
+               --enable-dbus \
+               $(use_enable djvu) \
+               $(use_enable dvi) \
+               $(use_enable gstreamer multimedia) \
+               $(use_enable gnome libgnome-desktop) \
+               $(use_with gnome-keyring keyring) \
+               $(use_enable introspection) \
+               $(use_enable nautilus) \
+               $(use_enable nsplugin browser-plugin) \
+               $(use_enable postscript ps) \
+               $(use_enable t1lib) \
+               $(use_enable tiff) \
+               $(use_enable xps) \
+               
BROWSER_PLUGIN_DIR="${EPREFIX}"/usr/$(get_libdir)/nsbrowser/plugins \
+               --with-systemduserunitdir="$(systemd_get_userunitdir)"
+}

diff --git a/app-text/evince/files/3.24.2-CVE-2017-1000159.patch 
b/app-text/evince/files/3.24.2-CVE-2017-1000159.patch
new file mode 100644
index 00000000000..80861fdc4de
--- /dev/null
+++ b/app-text/evince/files/3.24.2-CVE-2017-1000159.patch
@@ -0,0 +1,42 @@
+From 350404c76dc8601e2cdd2636490e2afc83d3090e Mon Sep 17 00:00:00 2001
+From: Tobias Mueller <mue...@cryptobitch.de>
+Date: Fri, 14 Jul 2017 12:52:14 +0200
+Subject: [PATCH] dvi: Mitigate command injection attacks by quoting filename
+
+With commit 1fcca0b8041de0d6074d7e17fba174da36c65f99 came a DVI backend.
+It exports to PDF via the dvipdfm tool.
+It calls that tool with the filename of the currently loaded document.
+If that filename is cleverly crafted, it can escape the currently
+used manual quoting of the filename.  Instead of manually quoting the
+filename, we use g_shell_quote.
+
+https://bugzilla.gnome.org/show_bug.cgi?id=784947
+---
+ backend/dvi/dvi-document.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/backend/dvi/dvi-document.c b/backend/dvi/dvi-document.c
+index 4a896e21..28877700 100644
+--- a/backend/dvi/dvi-document.c
++++ b/backend/dvi/dvi-document.c
+@@ -300,12 +300,14 @@ dvi_document_file_exporter_end (EvFileExporter *exporter)
+       gboolean success;
+       
+       DviDocument *dvi_document = DVI_DOCUMENT(exporter);
++      gchar* quoted_filename = g_shell_quote 
(dvi_document->context->filename);
+       
+-      command_line = g_strdup_printf ("dvipdfm %s -o %s \"%s\"", /* dvipdfm 
-s 1,2,.., -o exporter_filename dvi_filename */
++      command_line = g_strdup_printf ("dvipdfm %s -o %s %s", /* dvipdfm -s 
1,2,.., -o exporter_filename dvi_filename */
+                                       dvi_document->exporter_opts->str,
+                                       dvi_document->exporter_filename,
+-                                      dvi_document->context->filename);
+-      
++                                      quoted_filename);
++      g_free (quoted_filename);
++
+       success = g_spawn_command_line_sync (command_line,
+                                            NULL,
+                                            NULL,
+-- 
+2.17.0
+
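Review bot: In the nested backend/dvi/dvi-document.c hunk only `dvi_document->context->filename` goes through `g_shell_quote`; `dvi_document->exporter_filename` is still substituted raw into `-o %s`, so an output path containing spaces or quote characters would be re-split when `g_spawn_command_line_sync` parses the string. Where that path is set is not visible here, so it should be treated as untrusted until confirmed and quoted the same way: `gchar *quoted_out = g_shell_quote (dvi_document->exporter_filename);`, pass `quoted_out` for the second `%s`, then `g_free (quoted_out);`. `exporter_opts->str` is meant to expand to several arguments and so cannot be quoted as a whole; a comment stating what it is built from (presumably only page numbers, which the hunk does not show) would record why it is safe to leave raw. dvi_document_file_exporter_end starts and ends outside the hunk.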
