PublicDateAtUSN: 2017-11-27
Candidate: CVE-2017-1000159
PublicDate: 2017-11-27 15:29:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000159
 https://ubuntu.com/security/notices/USN-3503-1
Description:
 Command injection in evince via filename when printing to PDF. This affects versions earlier than 3.25.91.
Ubuntu-Description:
Notes:
Bugs:
 https://bugzilla.gnome.org/show_bug.cgi?id=784947
 https://launchpad.net/bugs/1759069
Priority: medium
Discovered-by:
Assigned-to: mdeslaur
CVSS:
 nvd: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H [7.8 HIGH]

Patches_evince:
 upstream: https://git.gnome.org/browse/evince/commit/?id=350404c76dc8601e2cdd2636490e2afc83d3090e
upstream_evince: released (3.25.91)
precise/esm_evince: DNE
trusty_evince: released (3.10.3-0ubuntu10.4)
trusty/esm_evince: DNE (trusty was released [3.10.3-0ubuntu10.4])
xenial_evince: released (3.18.2-1ubuntu4.3)
esm-infra/xenial_evince: released (3.18.2-1ubuntu4.3)
zesty_evince: released (3.24.0-0ubuntu1.3)
artful_evince: not-affected (3.26.0-1)
devel_evince: not-affected (3.26.0-1)

Patches_atril:
upstream_atril: needs-triage
precise/esm_atril: DNE
trusty_atril: DNE
trusty/esm_atril: DNE
xenial_atril: released (1.12.2-1ubuntu0.3)
zesty_atril: ignored (reached end-of-life)
artful_atril: released (1.18.1-1ubuntu0.1)
devel_atril: not-affected (1.20.1-0ubuntu1)