[manjaro-security] [arch-security] [ASA-201707-14] evince: arbitrary command execution
rgacogne at archlinux.org
Fri Jul 14 21:02:04 CEST 2017
Arch Linux Security Advisory ASA-201707-14
Date : 2017-07-14
CVE-ID : CVE-2017-1000083
Package : evince
Type : arbitrary command execution
Remote : Yes
Link : https://security.archlinux.org/AVG-348
The package evince before version 3.24.0+12+g717df38f-1 is vulnerable
to arbitrary command execution.
Upgrade to 3.24.0+12+g717df38f-1.
# pacman -Syu "evince>=3.24.0+12+g717df38f-1"
The problem has been fixed upstream but no release is available yet.
The comic book backend in evince <= 3.24.0 is vulnerable to a command
injection bug that can be used to execute arbitrary commands when a cbt
file is opened.
CBT files are simple tar archives containing images. When a cbt file is
processed, evince calls "tar -xOf $archive $filename" for every image
file in the archive. While both the archive name and the filename are
quoted to not be interpreted by the shell, the filename is completely
attacker controlled and can start with "--" which leads to tar
interpreting it as a command line flag. This can be exploited by
creating a tar archive with an embedded file named something like this:
"--checkpoint-action=exec=bash -c 'touch ~/covfefe.evince;'.jpg"
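Added example, not part of this advisory or of evince's own code: a small Python 3 script that shows why shell-quoting does not help here and what the safe invocation looks like. It builds a constructed in-memory CBT archive containing a benign option-looking member name, flags members whose names begin with "-" (a usable detection signal for archives that exploit this bug), and contrasts the argv tar receives from the quoted shell command with an argv that uses the "--" end-of-options separator (standard GNU tar behaviour; the function and file names are my own).

```python
import io
import shlex
import tarfile


def build_sample_cbt():
    """Constructed sample CBT: a plain tar holding one normal page and one
    member whose name starts with "--". The name is benign (no tar action
    is attached); it only needs to look like an option to tar's parser."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name in ("page01.jpg", "--not-an-option.jpg"):
            data = b"\xff\xd8" + b"\x00" * 16  # stand-in for JPEG bytes
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def cbt_member_names(cbt_bytes):
    """List the regular-file members of a CBT archive without extracting it."""
    with tarfile.open(fileobj=io.BytesIO(cbt_bytes), mode="r:") as tar:
        return [m.name for m in tar.getmembers() if m.isfile()]


def suspicious_members(names):
    """Member names that tar would parse as options if passed unprotected.
    A non-empty result is a reasonable detection signal for this bug."""
    return [n for n in names if n.startswith("-")]


def vulnerable_argv(archive, member):
    """What tar actually receives from the advisory's quoted shell command.
    shlex.quote stops the shell from interpreting the name, but the shell
    then hands tar the very same string, still starting with "--"."""
    cmd = "tar -xOf %s %s" % (shlex.quote(archive), shlex.quote(member))
    return shlex.split(cmd)


def hardened_argv(archive, member):
    """Safe invocation: no shell at all, and "--" ends option parsing, so
    every later argument is a member name no matter how it starts.
    (Pass this list to subprocess.run with shell=False.)"""
    return ["tar", "-xOf", archive, "--", member]


if __name__ == "__main__":
    names = cbt_member_names(build_sample_cbt())
    print("members:", names)
    print("suspicious:", suspicious_members(names))
    for n in names:
        print("vulnerable:", vulnerable_argv("book.cbt", n))
        print("hardened:  ", hardened_argv("book.cbt", n))
```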
This can presumably be triggered by the evince thumbnailer, which is
not sandboxed, and web browsers that allow untrusted websites to auto-
download files without user interaction (Chrome, Epiphany) can
trigger the thumbnailer to run, so this is web exposed.
A remote attacker can execute arbitrary commands on the affected host by
convincing the user to download a crafted CBT file.