Opened 7 years ago

Closed 7 years ago

Last modified 7 years ago

#9515 closed defect (fixed)

evince-3.24.1

Reported by: bdubbs@… Owned by: ken@…
Priority: high Milestone: 8.1
Component: BOOK Version: SVN
Severity: normal Keywords:
Cc:

Description

New point version.

Change History (8)

comment:1 by ken@…, 7 years ago

Owner: changed from blfs-book@… to ken@…
Priority: normal → high
Status: new → assigned

Bug fixes:

  • Remove support for tar and tar-like commands in comics backend (CVE-2017-1000083, #784630, Bastien Nocera)
  • Improve performance of the links sidebar (#779614, Benjamin Berg)
  • Improve performance of scrolling in thumbnails sidebar (#691448, Nelson Benítez León)
  • Don't copy remote files before thumbnailing (#780351, Bastien Nocera)
  • Fix toggling layers that are not in the current visible range of pages (#780139, Georges Dupéron)
  • Fix ev_page_accessible_get_range_for_boundary() to ensure the start and end offsets it returns are within the allowed range (#777992, Jason Crain)
  • Fix crash with Orca screen reader (#777992, Jason Crain)

Like (I guess) most people, I thought that the vulnerability was obscure (I've never seen any of these comics .cbt files). But the description from the Arch advisory implies that people using e.g. chrome (I suppose that means chromium) or epiphany could be susceptible:

[quote]The comic book backend in evince <= 3.24.0 is vulnerable to a command injection bug that can be used to execute arbitrary commands when a cbt file is opened.

CBT files are simple tar archives containing images. When a cbt file is processed, evince calls "tar -xOf $archive $filename" for every image file in the archive. While both the archive name and the filename are quoted to not be interpreted by the shell, the filename is completely attacker controlled and can start with "--" which leads to tar interpreting it as a command line flag. This can be exploited by creating a tar archive with an embedded file named something like this: "--checkpoint-action=exec=bash -c 'touch ~/covfefe.evince;'.jpg" This can presumably be triggered by the evince thumbnailer, which is not sandboxed, and web browsers that allow untrusted websites to auto-download files without user interaction (Chrome, Epiphany) can trigger the thumbnailer to run so this is web exposed.[endquote]

The fix appears to use libarchive to unarchive cbt files.

The vulnerability also applies to earlier versions - Ubuntu produced fixes for their older versions a few days ago which disable CBT support.
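The advisory quoted above makes a point worth seeing in code: shell quoting does not help here, because it is tar's own option parser, not the shell, that treats a member name beginning with "-" as a flag. The following is an added example (not evince's code and not the upstream fix) showing the two defensive responses: terminate option parsing with "--" if an external tar must be called at all, or, better, read the archive in-process with a library (Python's tarfile here, standing in for the libarchive approach) and reject member names that look like options or escape the archive root. The archive contents and the member names are constructed for the example.

```python
"""Hardened handling of CBT (tar-based comic) archives.

Added example, not evince's code. The vulnerable pattern described above
handed attacker-controlled member names to 'tar -xOf archive member' as
positional arguments; GNU tar parses any argument starting with '-' as an
option regardless of how the shell quoted it.
"""
import io
import re
import tarfile

IMAGE_RE = re.compile(r"\.(jpe?g|png|gif)$", re.IGNORECASE)


def is_safe_member_name(name: str) -> bool:
    """Reject names that tar would read as options, absolute paths, and
    parent-directory escapes. Everything else is a plain relative path."""
    if name.startswith("-"):
        return False
    if name.startswith("/") or "\\" in name:
        return False
    parts = name.split("/")
    return not any(p in ("", ".", "..") for p in parts)


def build_tar_argv(archive: str, member: str, hardened: bool) -> list:
    """argv for the external-tar approach, for comparison only (never run
    here). The hardened form inserts '--' so tar stops option parsing and
    treats the member name as a filename even if it begins with '-'."""
    argv = ["tar", "-xOf", archive]
    if hardened:
        argv.append("--")
    argv.append(member)
    return argv


def list_image_members(archive_bytes: bytes):
    """Scan an in-memory tar and split image members into (accepted, rejected)
    by name policy. No external process is spawned."""
    accepted, rejected = [], []
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r:*") as tf:
        for m in tf.getmembers():
            if not m.isfile() or not IMAGE_RE.search(m.name):
                continue
            (accepted if is_safe_member_name(m.name) else rejected).append(m.name)
    return accepted, rejected


def extract_image(archive_bytes: bytes, name: str) -> bytes:
    """Return one image's bytes, read in-process; refuses unsafe names."""
    if not is_safe_member_name(name):
        raise ValueError("refusing unsafe member name: %r" % name)
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r:*") as tf:
        member = tf.getmember(name)
        if not member.isfile():
            raise ValueError("not a regular file: %r" % name)
        return tf.extractfile(member).read()


def make_sample_cbt() -> bytes:
    """Constructed sample archive: one benign page, one option-looking name,
    one path-traversal name. The payloads are placeholder bytes."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name, data in [
            ("page01.jpg", b"\xff\xd8 fake jpeg"),
            ("--looks-like-a-flag.jpg", b"x"),
            ("../escape.png", b"y"),
        ]:
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()


if __name__ == "__main__":
    sample = make_sample_cbt()
    ok, bad = list_image_members(sample)
    print("accepted:", ok)
    print("rejected:", bad)
    print("vulnerable argv:", build_tar_argv("book.cbt", bad[0], hardened=False))
    print("hardened argv:  ", build_tar_argv("book.cbt", bad[0], hardened=True))
    print("first page bytes:", extract_image(sample, ok[0]))
```

The name check is deliberately in addition to the in-process reader: even with a library doing the parsing, a viewer that later writes thumbnails or cache entries under member names still needs to refuse absolute paths and ".." components.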

comment:2 by ken@…, 7 years ago

In fact, upstream have released 3.22.2 and 3.20.2 to fix this in those series; it's only people using older versions that will need patches.

comment:3 by ken@…, 7 years ago

Stalled: for the moment I cannot build nautilus, which we (correctly) recommend. For my own systems I work around that in configure, but it would be better to match the book.

comment:4 by ken@…, 7 years ago

Back in business, using autoconf-archive to get ax_require_defined.m4 for nautilus.

in reply to: comment:1 | comment:5 by ken@…, 7 years ago

Replying to ken@…:

The fix appears to use libarchive to unarchive cbt files.

I was mistaken - cbt files are no longer supported, only cbz and cb7.

comment:6 by ken@…, 7 years ago

Resolution: fixed
Status: assigned → closed

Fixed, r18954.

in reply to: comment:4 | comment:7 by ken@…, 7 years ago

Replying to ken@…:

Back in business, using autoconf-archive to get ax_require_defined.m4 for nautilus.

And Wayne spotted that it was only referenced because I'd run autoreconf: at some point we needed that for a patch, and I had neglected to remove it.

comment:8 by ken@…, 7 years ago

Type: enhancement → defect

Belatedly changing to defect.
