CVE-2017-1000083

Priority
Medium
Description
backend/comics/comics-document.c (aka the comic book backend) in GNOME
Evince before 3.24.1 allows remote attackers to execute arbitrary commands
via a .cbt file that is a TAR archive containing a filename beginning with
a "--" command-line option substring, as demonstrated by a
--checkpoint-action=exec=bash at the beginning of the filename.
Ubuntu-Description
Felix Wilhelm discovered that Evince did not safely invoke tar when
handling tar comic book (cbt) files. An attacker could use this to
construct a malicious comic book format file that, when opened in
Evince, executes arbitrary code.
References
Bugs
Notes
 sbeattie> upstream evince in git has switched to using libarchive
 sbeattie> The fix for this issue disables CBT support, as tar offers to
  many opportunities to invoke commands and CBT is a rarely used comic
  book format.
Package
Upstream:released (3.24.1)
Ubuntu 17.10 (Artful Aardvark):not-affected (3.24.1-0ubuntu1)
Ubuntu 12.04 ESM (Precise Pangolin):DNE
Ubuntu 14.04 LTS (Trusty Tahr):released (3.10.3-0ubuntu10.3)
Ubuntu 16.04 LTS (Xenial Xerus):released (3.18.2-1ubuntu4.1)
Ubuntu 17.04 (Zesty Zapus):released (3.24.0-0ubuntu1.1)
Package
Source: atril (LP Ubuntu Debian)
Upstream:needs-triage
Ubuntu 17.10 (Artful Aardvark):needed
Ubuntu 12.04 ESM (Precise Pangolin):DNE
Ubuntu 14.04 LTS (Trusty Tahr):DNE
Ubuntu 16.04 LTS (Xenial Xerus):needed
Ubuntu 17.04 (Zesty Zapus):needed
More Information

Updated: 2017-10-23 12:28:34 UTC (commit 13562)