oss-sec mailing list archives

Re: CVE-2017-1000083: evince: Command injection vulnerability in CBT handler

From: Hanno Böck <hanno () hboeck de>
Date: Fri, 14 Jul 2017 23:50:03 +0200

Hi,

When I saw this and the proposed fix (the backport fix, not the one in
git head), which was to remove tar support, but leave the command line
calling of all the other tools looked suspicious to me.

I played around a while, I haven't been able to find any more command
injections. However I discussed this with Tobias Müller and he found
out that another evince backend - the dvi one - also calls a shell
command with insufficient escaping:
https://bugzilla.gnome.org/show_bug.cgi?id=784947

While I didn't find any more command injections, I figured out that
with a password protected zip file as a cbz one can cause evince to
hang:
https://bugzilla.gnome.org/show_bug.cgi?id=784963

-- 
Hanno Böck
https://hboeck.de/

mail/jabber: hanno () hboeck de
GPG: FE73757FA60E4E21B937579FA5880072BBB51E42

Attachment: _bin
Description: OpenPGP digital signature

Current thread:

CVE-2017-1000083: evince: Command injection vulnerability in CBT handler Johannes Segitz (Jul 13)
- Re: CVE-2017-1000083: evince: Command injection vulnerability in CBT handler Hanno Böck (Jul 14)
- Re: CVE-2017-1000083: evince: Command injection vulnerability in CBT handler Brandon Perry (Jul 14)
  - Re: CVE-2017-1000083: evince: Command injection vulnerability in CBT handler Seth Arnold (Jul 14)
  - Re: CVE-2017-1000083: evince: Command injection vulnerability in CBT handler Marcus Meissner (Sep 04)