REDHAT-BUG-1468488: Command Injection
First published: Fri Jul 07 2017(Updated: )
Created <span class=""><a href="attachment.cgi?id=1295228&action=diff" name="attach_1295228" title="0001-comics-Remove-support-for-tar-and-tar-like-commands.patch">attachment 1295228</a> <a href="attachment.cgi?id=1295228&action=edit" title="0001-comics-Remove-support-for-tar-and-tar-like-commands.patch">[details]</a></span> 0001-comics-Remove-support-for-tar-and-tar-like-commands.patch From the folks at Project Zero: """ Hi, The comic book backend in evince 3.24.0 is vulnerable to a command injection bug that can be used to execute arbitrary commands when a cbt file is opened: cbt files are simple tar archives containing images. When a cbt file is processed, evince calls "tar -xOf $archive $filename" for every image file in the archive: // backend/comics/comics-document.c: 914 command_line = g_strdup_printf ("%s %s %s", comics_document->extract_command, quoted_archive, quoted_filename); While both the archive name and the filename are quoted to not be interpreted by the shell, the filename is completely attacker controlled an can start with "--" which leads to tar interpreting it as a command line flag. This can be exploited by creating a tar archive with an embedded file named [...] Please credit Felix Wilhelm from the Google Security Team in all releases, patches and advisories related to this issue. Best, Felix """ All current versions of evince in Fedora and RHEL are vulnerable. The attached patch will be applied to all versions of Fedora except Fedora 26 and rawhide for which we will use a backport of the comics archive handling rework (<a href="https://bugzilla.gnome.org/show_bug.cgi?id=720742">https://bugzilla.gnome.org/show_bug.cgi?id=720742</a>).
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Evince | <3.24.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://bugzilla.redhat.com/show_bug.cgi/attachment.cgi?id=1295228&action=diff
- https://bugzilla.redhat.com/show_bug.cgi/attachment.cgi?id=1295228&action=edit
- https://bugzilla.gnome.org/show_bug.cgi?id=720742
- https://github.com/mate-desktop/atril/blob/master/backend/comics/comics-document.c#L110
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1470661
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1468488#c10
- https://access.redhat.com/errata/RHSA-2017:2388
- https://bugzilla.redhat.com/show_bug.cgi?id=1468488
Frequently Asked Questions
What is the severity of REDHAT-BUG-1468488?
The severity of REDHAT-BUG-1468488 is considered moderate, impacting usability while not compromising system security.
How do I fix REDHAT-BUG-1468488?
To fix REDHAT-BUG-1468488, you need to update GNOME Evince to a version later than 3.24.0.
What software is affected by REDHAT-BUG-1468488?
REDHAT-BUG-1468488 specifically affects GNOME Evince version 3.24.0 and earlier.
What is the nature of the vulnerability in REDHAT-BUG-1468488?
The vulnerability in REDHAT-BUG-1468488 is related to the removal of support for certain tar and tar-like commands in GNOME Evince.
Who reported REDHAT-BUG-1468488?
The bug REDHAT-BUG-1468488 was reported by contributors within the GNOME community.
- agent/references
- agent/type
- agent/first-publish-date
- agent/last-modified-date
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2017-1000083
- agent/source
- agent/severity
- agent/weakness
- agent/description
- agent/event
- agent/softwarecombine
- agent/tags
- agent/guess-ai
- agent/software-canonical-lookup
- agent/software-canonical-lookup-request
- vendor/gnome
- canonical/evince