Your submission was sent successfully! Close

You have successfully unsubscribed! Close

CVE-2017-1000083

Published: 13 July 2017

backend/comics/comics-document.c (aka the comic book backend) in GNOME Evince before 3.24.1 allows remote attackers to execute arbitrary commands via a .cbt file that is a TAR archive containing a filename beginning with a "--" command-line option substring, as demonstrated by a --checkpoint-action=exec=bash at the beginning of the filename.

From the Ubuntu Security Team

Felix Wilhelm discovered that Evince did not safely invoke tar when handling tar comic book (cbt) files. An attacker could use this to construct a malicious comic book format file that, when opened in Evince, executes arbitrary code.

Notes

AuthorNote
sbeattie
upstream evince in git has switched to using libarchive
The fix for this issue disables CBT support, as tar offers to
many opportunities to invoke commands and CBT is a rarely used comic
book format.

Priority

Medium

Cvss 3 Severity Score

7.8

Score breakdown

Status

Package Release Status
atril
Launchpad, Ubuntu, Debian
artful Not vulnerable
(1.18.1-1)
precise Does not exist

trusty Does not exist

upstream
Released (1.18.0-1)
xenial
Released (1.12.2-1ubuntu0.2)
yakkety Ignored
(reached end-of-life)
zesty Ignored
(reached end-of-life)
evince
Launchpad, Ubuntu, Debian
artful Not vulnerable
(3.24.1-0ubuntu1)
precise Does not exist

trusty Does not exist
(trusty was released [3.10.3-0ubuntu10.3])
upstream
Released (3.24.1)
xenial
Released (3.18.2-1ubuntu4.1)
yakkety
Released (3.22.0-0ubuntu1.1)
zesty
Released (3.24.0-0ubuntu1.1)

Severity score breakdown

Parameter Value
Base score 7.8
Attack vector Local
Attack complexity Low
Privileges required None
User interaction Required
Scope Unchanged
Confidentiality High
Integrity impact High
Availability impact High
Vector CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H