[CVE] Command injection with cbt files
Bug #1735418 reported by Simon Quigley
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
atril (Ubuntu) | Fix Released | Medium | Simon Quigley |
Xenial | Fix Released | Medium | Simon Quigley |
Artful | Fix Released | Medium | Simon Quigley |
Bionic | Fix Released | Medium | Simon Quigley |

Bug Description
backend/
Evince before 3.24.1 allows remote attackers to execute arbitrary commands
via a .cbt file that is a TAR archive containing a filename beginning with
a "--" command-line option substring, as demonstrated by a
--checkpoint-
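
An added example, not code from atril or Evince: a check that flags TAR member names a command-line tool would read as an option, and that reads members through Python's `tarfile` API so a name never reaches an argument list. The archive and its member names are constructed for the demo.

```python
import io
import tarfile


def build_sample_cbt() -> bytes:
    """Build a small constructed .cbt (TAR) archive in memory for the demo."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in [
            ("page01.png", b"constructed image bytes"),
            ("--constructed-option=value", b"constructed payload"),  # option-like
            ("chapter/-cover.png", b"constructed image bytes"),  # dash not leading
        ]:
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def option_like_members(archive: bytes) -> list:
    """Return member names that a command-line tool would parse as an option."""
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:*") as tar:
        return [m.name for m in tar.getmembers() if m.name.startswith("-")]


def read_member(archive: bytes, name: str) -> bytes:
    """Read one member via the tarfile API; the name is never placed on an argv."""
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:*") as tar:
        member = tar.getmember(name)
        if not member.isfile():
            raise ValueError(f"not a regular file: {name!r}")
        return tar.extractfile(member).read()


def audit(archive: bytes) -> dict:
    """Summarise an archive: flagged names, and sizes read without any subprocess."""
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:*") as tar:
        names = [m.name for m in tar.getmembers() if m.isfile()]
    return {
        "flagged": option_like_members(archive),
        "sizes": {n: len(read_member(archive, n)) for n in names},
    }


if __name__ == "__main__":
    print(audit(build_sample_cbt()))
```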
CVE References
Changed in atril (Ubuntu Xenial): status: New → Confirmed
Changed in atril (Ubuntu Zesty): status: New → Confirmed
Changed in atril (Ubuntu Artful): status: New → Confirmed
Changed in atril (Ubuntu Bionic): status: New → Confirmed
Changed in atril (Ubuntu Xenial): importance: Undecided → Medium
Changed in atril (Ubuntu Zesty): importance: Undecided → Medium
Changed in atril (Ubuntu Artful): importance: Undecided → Medium
Changed in atril (Ubuntu Bionic): importance: Undecided → Medium
Changed in atril (Ubuntu Xenial): assignee: nobody → Simon Quigley (tsimonq2)
Changed in atril (Ubuntu Zesty): assignee: nobody → Simon Quigley (tsimonq2)
Changed in atril (Ubuntu Artful): assignee: nobody → Simon Quigley (tsimonq2)
Changed in atril (Ubuntu Bionic): assignee: nobody → Simon Quigley (tsimonq2)
Changed in atril (Ubuntu Bionic): status: Confirmed → Fix Released
Changed in atril (Ubuntu Artful): status: Confirmed → Fix Released
no longer affects: atril (Ubuntu Zesty)
Changed in atril (Ubuntu Xenial): status: Confirmed → In Progress
Zesty is EOL.