Public bug reported: Command injection in Evince via filename when printing to PDF is possible. This also affects Atril, which is a fork of Evince.
Here's the patch in Atril: https://github.com/mate-desktop/atril/commit/4650fb05e46e144be986a11a666a47add39b3799

** Affects: atril (Ubuntu)
     Importance: Medium
         Status: Fix Released

** Affects: atril (Ubuntu Xenial)
     Importance: Medium
       Assignee: Simon Quigley (tsimonq2)
         Status: In Progress

** Affects: atril (Ubuntu Artful)
     Importance: Medium
       Assignee: Simon Quigley (tsimonq2)
         Status: In Progress

** Also affects: atril (Ubuntu Artful)
     Importance: Undecided
         Status: New

** Also affects: atril (Ubuntu Xenial)
     Importance: Undecided
         Status: New

** Changed in: atril (Ubuntu Xenial)
         Status: New => In Progress

** Changed in: atril (Ubuntu Artful)
         Status: New => In Progress

** Changed in: atril (Ubuntu)
     Importance: Undecided => Medium

** Changed in: atril (Ubuntu)
         Status: New => Fix Released

** Changed in: atril (Ubuntu Xenial)
     Importance: Undecided => Medium

** Changed in: atril (Ubuntu Artful)
     Importance: Undecided => Medium

** Changed in: atril (Ubuntu Xenial)
       Assignee: (unassigned) => Simon Quigley (tsimonq2)

** Changed in: atril (Ubuntu Artful)
       Assignee: (unassigned) => Simon Quigley (tsimonq2)

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-1000159

https://bugs.launchpad.net/bugs/1759069

Title:
  [CVE] Arbitrary command injection via DVI filename injection when printing to PDF
