Hello community, here is the log from the commit of package evince for openSUSE:Factory checked in at 2017-07-17 08:59:52 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/evince (Old) and /work/SRC/openSUSE:Factory/.evince.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "evince" Mon Jul 17 08:59:52 2017 rev:125 rq:510207 version:3.24.0 Changes: -------- --- /work/SRC/openSUSE:Factory/evince/evince.changes 2017-03-22 23:07:56.343683740 +0100 +++ /work/SRC/openSUSE:Factory/.evince.new/evince.changes 2017-07-17 08:59:54.083054587 +0200 @@ -1,0 +2,7 @@ +Thu Jul 13 07:55:12 UTC 2017 - adrien.pla...@suse.com + +- Add evince-comics-remove-tar-commands-support.patch to avoid code + execution in the comic book backend's .tar support. (bnc#1046856, + bgo#784630, CVE-2017-1000083). + +------------------------------------------------------------------- New: ---- evince-comics-remove-tar-commands-support.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ evince.spec ++++++ --- /var/tmp/diff_new_pack.BVpDx8/_old 2017-07-17 08:59:54.694968426 +0200 +++ /var/tmp/diff_new_pack.BVpDx8/_new 2017-07-17 08:59:54.694968426 +0200 @@ -26,12 +26,16 @@ Group: Productivity/Office/Other Url: http://www.gnome.org/projects/evince/ Source: http://download.gnome.org/sources/evince/3.24/%{name}-%{version}.tar.xz +# PATCH-FIX-UPSTREAM evince-comics-remove-tar-commands-support.patch bnc#1046856 bgo#784630 CVE-2017-1000083 apla...@suse.com -- Avoid code execution in the comic book backend's .tar support. +Patch1: evince-comics-remove-tar-commands-support.patch BuildRequires: fdupes BuildRequires: gcc-c++ BuildRequires: ghostscript-fonts-std BuildRequires: ghostscript-x11 BuildRequires: intltool BuildRequires: libtiff-devel +# Needed by Patch1 +BuildRequires: libtool BuildRequires: texlive-devel %if !0%{?is_opensuse} BuildRequires: translation-update-upstream 
@@ -213,8 +217,11 @@ %if !0%{?is_opensuse} translation-update-upstream %endif +%patch1 -p1 %build +# Needed by Patch1 as it changes configure.ac. +autoreconf -f -i # on openSUSE, we share the browser plugins between browsers; do not use mozilla's default. export BROWSER_PLUGIN_DIR=%{_libdir}/browser-plugins %configure --disable-static --with-pic\ ++++++ evince-comics-remove-tar-commands-support.patch ++++++ >From 717df38fd8509bf883b70d680c9b1b3cf36732ee Mon Sep 17 00:00:00 2001 
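Review bot: `autoreconf -f -i` is added to %build, but the only new build dependency (added in the previous hunk as "Needed by Patch1") is `libtool`; a forced regeneration also needs autoconf and automake, and for a GNOME tree of this era usually the macros shipped by gnome-common/intltool/gtk-doc, so unless those already come in transitively the build will fail in the autoreconf step rather than at %configure. If they are not transitively present, add `BuildRequires: autoconf` and `BuildRequires: automake` next to the libtool line. Since the configure.ac change is a single string edit, an alternative that avoids regenerating the whole build system from a tarball is to carry the same one-line change against the generated `configure` as well and skip autoreconf entirely.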
From: Bastien Nocera <had...@hadess.net> Date: Thu, 6 Jul 2017 20:02:00 +0200 Subject: [PATCH] comics: Remove support for tar and tar-like commands When handling tar files, or using a command with tar-compatible syntax, to open comic-book archives, both the archive name (the name of the comics file) and the filename (the name of a page within the archive) are quoted to not be interpreted by the shell. But the filename is completely with the attacker's control and can start with "--" which leads to tar interpreting it as a command line flag. This can be exploited by creating a CBT file (a tar archive with the .cbt suffix) with an embedded file named something like this: "--checkpoint-action=exec=bash -c 'touch ~/hacked;'.jpg" CBT files are infinitely rare (CBZ is usually used for DRM-free commercial releases, CBR for those from more dubious provenance), so removing support is the easiest way to avoid the bug triggering. All this code was rewritten in the development release for GNOME 3.26 to not shell out to any command, closing off this particular attack vector. This also removes the ability to use libarchive's bsdtar-compatible binary for CBZ (ZIP), CB7 (7zip), and CBR (RAR) formats. The first two are already supported by unzip and 7zip respectively. libarchive's RAR support is limited, so unrar is a requirement anyway. Discovered by Felix Wilhelm from the Google Security Team. https://bugzilla.gnome.org/show_bug.cgi?id=784630 --- backend/comics/comics-document.c | 40 +--------------------------------------- configure.ac | 2 +- 2 files changed, 2 insertions(+), 40 deletions(-) diff --git a/backend/comics/comics-document.c b/backend/comics/comics-document.c index 4c747310..641d7856 100644 --- a/backend/comics/comics-document.c +++ b/backend/comics/comics-document.c @@ -56,8 +56,7 @@ typedef enum RARLABS, GNAUNRAR, UNZIP, - P7ZIP, - TAR + P7ZIP } ComicBookDecompressType; typedef struct _ComicsDocumentClass ComicsDocumentClass; 
@@ -117,9 +116,6 @@ static const ComicBookDecompressCommand command_usage_def[] = { /* 7zip */ {NULL , "%s l -- %s" , "%s x -y %s -o%s", FALSE, OFFSET_7Z}, - - /* tar */ - {"%s -xOf" , "%s -tf %s" , NULL , FALSE, NO_OFFSET} }; static GSList* get_supported_image_extensions (void); @@ -364,13 +360,6 @@ comics_check_decompress_command (gchar *mime_type, comics_document->command_usage = GNAUNRAR; return TRUE; } - comics_document->selected_command = - g_find_program_in_path ("bsdtar"); - if (comics_document->selected_command) { - comics_document->command_usage = TAR; - return TRUE; - } - } else if (g_content_type_is_a (mime_type, "application/x-cbz") || g_content_type_is_a (mime_type, "application/zip")) { /* InfoZIP's unzip program */ @@ -396,12 +385,6 @@ comics_check_decompress_command (gchar *mime_type, comics_document->command_usage = P7ZIP; return TRUE; } - comics_document->selected_command = - g_find_program_in_path ("bsdtar"); - if (comics_document->selected_command) { - comics_document->command_usage = TAR; - return TRUE; - } } else if (g_content_type_is_a (mime_type, "application/x-cb7") || g_content_type_is_a (mime_type, "application/x-7z-compressed")) { 
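Review bot: The surviving 7zip row of `command_usage_def`, kept as context just above the removed tar entry, protects only its list command with an end-of-switches marker (`"%s l -- %s"`); the extract-to-tmp command `"%s x -y %s -o%s"` still passes the quoted archive path to 7z with no `--`, and shell quoting stops the shell from interpreting that path but not 7z from treating an operand that begins with `-` as a switch. Whether evince can ever hand this format a relative or leading-dash archive path is not visible in this hunk, so this may be unreachable in practice. If 7z accepts switches ahead of the archive operand, `"%s x -y -o%s -- %s"` would close it, but that requires the call site (outside this hunk) to pass the tmp dir before the archive path, or a positional `%1$s`/`%2$s` form. The table and its users start and end outside the hunk.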
@@ -425,27 +408,6 @@ comics_check_decompress_command (gchar *mime_type, comics_document->command_usage = P7ZIP; return TRUE; } - comics_document->selected_command = - g_find_program_in_path ("bsdtar"); - if (comics_document->selected_command) { - comics_document->command_usage = TAR; - return TRUE; - } - } else if (g_content_type_is_a (mime_type, "application/x-cbt") || - g_content_type_is_a (mime_type, "application/x-tar")) { - /* tar utility (Tape ARchive) */ - comics_document->selected_command = - g_find_program_in_path ("tar"); - if (comics_document->selected_command) { - comics_document->command_usage = TAR; - return TRUE; - } - comics_document->selected_command = - g_find_program_in_path ("bsdtar"); - if (comics_document->selected_command) { - comics_document->command_usage = TAR; - return TRUE; - } } else { g_set_error (error, EV_DOCUMENT_ERROR, diff --git a/configure.ac b/configure.ac index 9e9f8316..7eb0f1f3 100644 --- a/configure.ac +++ b/configure.ac @@ -795,7 +795,7 @@ AC_SUBST(TIFF_MIME_TYPES) AC_SUBST(APPDATA_TIFF_MIME_TYPES) AM_SUBST_NOTMAKE(APPDATA_TIFF_MIME_TYPES) if test "x$enable_comics" = "xyes"; then - COMICS_MIME_TYPES="application/x-cbr;application/x-cbz;application/x-cb7;application/x-cbt;application/x-ext-cbr;application/x-ext-cbz;application/vnd.comicbook+zip;application/x-ext-cb7;application/x-ext-cbt" + COMICS_MIME_TYPES="application/x-cbr;application/x-cbz;application/x-cb7;application/x-ext-cbr;application/x-ext-cbz;application/vnd.comicbook+zip;application/x-ext-cb7;" APPDATA_COMICS_MIME_TYPES=$(echo "<mimetype>$COMICS_MIME_TYPES</mimetype>" | sed -e 's/;/<\/mimetype>\n <mimetype>/g') if test -z "$EVINCE_MIME_TYPES"; then EVINCE_MIME_TYPES="${COMICS_MIME_TYPES}" -- 2.13.0
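Review bot: The new COMICS_MIME_TYPES value in the configure.ac hunk ends with a trailing `;` (`...application/x-ext-cb7;"`) that the old value did not have; the `sed` on the following context line turns every `;` into `</mimetype>\n <mimetype>`, so APPDATA_COMICS_MIME_TYPES now ends in an empty `<mimetype></mimetype>` element, and EVINCE_MIME_TYPES inherits the trailing separator, which becomes `;;` if a later type list is joined to it with `;`. Drop the separator: `COMICS_MIME_TYPES="application/x-cbr;application/x-cbz;application/x-cb7;application/x-ext-cbr;application/x-ext-cbz;application/vnd.comicbook+zip;application/x-ext-cb7"`. A trailing `;` is harmless in a .desktop MimeType= line on its own, but the empty appdata element is not. The remainder of the `if test "x$enable_comics"` block runs past the hunk.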