[Bug 1735418] Re: [CVE] Command injection with cbt files

2018-03-20 Thread Launchpad Bug Tracker
This bug was fixed in the package atril - 1.12.2-1ubuntu0.2

---
atril (1.12.2-1ubuntu0.2) xenial-security; urgency=medium

  * SECURITY UPDATE: Command injection with cbt files (LP: #1735418).
    - fix-CVE-2017-183.patch
    - CVE-2017-183

 -- Simon Quigley   Sun, 18 Mar 2018 23:41:35 -0500

** Changed in: atril (Ubuntu Xenial)
   Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1735418

Title:
  [CVE] Command injection with cbt files

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/atril/+bug/1735418/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1735418] Re: [CVE] Command injection with cbt files

2018-03-20 Thread Steve Beattie
Simon, thank you for preparing this update. I'll sponsor it as-is, but
honestly, I think evince's solution to drop support for cbt files
entirely (given their infrequent use as a comic-ebook format), rather
than try to blacklist all possible bad tar options, is the more
appropriate action to take.


[Bug 1735418] Re: [CVE] Command injection with cbt files

2018-03-19 Thread Simon Quigley
** Changed in: atril (Ubuntu Xenial)
   Status: Confirmed => In Progress


[Bug 1735418] Re: [CVE] Command injection with cbt files

2018-03-19 Thread Simon Quigley
I have uploaded this fix to a fresh test PPA of mine with all
architectures enabled and only the security repo enabled. I then tested
this in an Ubuntu MATE Xenial VM, and it works as intended with the POC
given on GitHub.

Security Team, feel free to copy my upload to your PPA:
https://launchpad.net/~tsimonq2/+archive/ubuntu/security-test-builds/+sourcepub/8864340/+listing-archive-extra

The diffs for each are on that page if you would like to do it manually.

Please sponsor this to go into Ubuntu.

Thanks.


[Bug 1735418] Re: [CVE] Command injection with cbt files

2018-03-18 Thread Simon Quigley
** No longer affects: atril (Ubuntu Zesty)


[Bug 1735418] Re: [CVE] Command injection with cbt files

2018-01-20 Thread Simon Quigley
Zesty is EOL.

** Changed in: atril (Ubuntu Zesty)
   Status: Confirmed => Won't Fix

** Changed in: atril (Ubuntu Zesty)
 Assignee: Simon Quigley (tsimonq2) => (unassigned)


[Bug 1735418] Re: [CVE] Command injection with cbt files

2017-11-30 Thread Martin Wimpress
** Changed in: atril (Ubuntu Bionic)
   Status: Confirmed => Fix Released

** Changed in: atril (Ubuntu Artful)
   Status: Confirmed => Fix Released
