*** This bug is a security vulnerability ***

You have been subscribed to a public security bug by Alex Murray (alexmurray):

A forged .cbt file can be used to inject a command line when it is opened
with atril. Since atril is sometimes the default PDF viewer for nautilus .cbt
thumbnails, this command line can be executed even if the file is not
actively opened by the user. See attachment for POC (this will open
firefox on google.com and touch a file named covfefe.evince).

Description:    Ubuntu 16.04.5 LTS
Release:        16.04

Atril version 1.12.2-1ubuntu0.3

** Affects: atril (Ubuntu)
     Importance: Undecided
         Status: New

-- 
CVE-2017-1000083 is still present on atril
https://bugs.launchpad.net/bugs/1800662
You received this bug notification because you are a member of Ubuntu Bugs, 
which is subscribed to the bug report.

-- 
ubuntu-bugs mailing list
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
