[CVE] Command injection with cbt files

Bug #1735418 reported by Simon Quigley
260
This bug affects 1 person
Affects Status Importance Assigned to Milestone
atril (Ubuntu)
Fix Released
Medium
Simon Quigley
Xenial
Fix Released
Medium
Simon Quigley
Artful
Fix Released
Medium
Simon Quigley
Bionic
Fix Released
Medium
Simon Quigley

Bug Description

backend/comics/comics-document.c (aka the comic book backend) in GNOME
Evince before 3.24.1 allows remote attackers to execute arbitrary commands
via a .cbt file that is a TAR archive containing a filename beginning with
a "--" command-line option substring, as demonstrated by a
--checkpoint-action=exec=bash at the beginning of the filename.

CVE References

Simon Quigley (tsimonq2)
Changed in atril (Ubuntu Xenial):
status: New → Confirmed
Changed in atril (Ubuntu Zesty):
status: New → Confirmed
Changed in atril (Ubuntu Artful):
status: New → Confirmed
Changed in atril (Ubuntu Bionic):
status: New → Confirmed
Changed in atril (Ubuntu Xenial):
importance: Undecided → Medium
Changed in atril (Ubuntu Zesty):
importance: Undecided → Medium
Changed in atril (Ubuntu Artful):
importance: Undecided → Medium
Changed in atril (Ubuntu Bionic):
importance: Undecided → Medium
Changed in atril (Ubuntu Xenial):
assignee: nobody → Simon Quigley (tsimonq2)
Changed in atril (Ubuntu Zesty):
assignee: nobody → Simon Quigley (tsimonq2)
Changed in atril (Ubuntu Artful):
assignee: nobody → Simon Quigley (tsimonq2)
Changed in atril (Ubuntu Bionic):
assignee: nobody → Simon Quigley (tsimonq2)
Changed in atril (Ubuntu Bionic):
status: Confirmed → Fix Released
Changed in atril (Ubuntu Artful):
status: Confirmed → Fix Released
Revision history for this message
Simon Quigley (tsimonq2) wrote :

Zesty is EOL.

Changed in atril (Ubuntu Zesty):
status: Confirmed → Won't Fix
assignee: Simon Quigley (tsimonq2) → nobody
Simon Quigley (tsimonq2)
no longer affects: atril (Ubuntu Zesty)
Revision history for this message
Simon Quigley (tsimonq2) wrote :

I have uploaded this fix to a fresh test PPA of mine with all architectures enabled and only the security repo enabled. I then tested this in a Ubuntu MATE Xenial VM, and it works as intended with the POC given on GitHub.

Security Team, feel free to copy my upload to your PPA:
https://launchpad.net/~tsimonq2/+archive/ubuntu/security-test-builds/+sourcepub/8864340/+listing-archive-extra

The diffs for each are on that page if you would like to do it manually.

Please sponsor this to go into Ubuntu.

Thanks.

Simon Quigley (tsimonq2)
Changed in atril (Ubuntu Xenial):
status: Confirmed → In Progress
Revision history for this message
Steve Beattie (sbeattie) wrote :

Simon, thank you for preparing this update. I'll sponsor it as-is, but honestly, I think evince's solution to drop support for cbt files entirely (given their infrequent use as a comic-ebook format), rather than try to blacklist all possible bad tar options, is the more appropriate action to take.

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package atril - 1.12.2-1ubuntu0.2

---------------
atril (1.12.2-1ubuntu0.2) xenial-security; urgency=medium

  * SECURITY UPDATE: Command injection with cbt files (LP: #1735418).
    - fix-CVE-2017-1000083.patch
    - CVE-2017-1000083

 -- Simon Quigley <email address hidden> Sun, 18 Mar 2018 23:41:35 -0500

Changed in atril (Ubuntu Xenial):
status: In Progress → Fix Released
To post a comment you must log in.
This report contains Public Security information  
Everyone can see this security related information.

Other bug subscribers