CVE-2017-1000083

Published: 13 July 2017

backend/comics/comics-document.c (aka the comic book backend) in GNOME Evince before 3.24.1 allows remote attackers to execute arbitrary commands via a .cbt file that is a TAR archive containing a filename beginning with a "--" command-line option substring, as demonstrated by a --checkpoint-action=exec=bash at the beginning of the filename.

From the Ubuntu security team

Felix Wilhelm discovered that Evince did not safely invoke tar when handling tar comic book (cbt) files. An attacker could use this to construct a malicious comic book format file that, when opened in Evince, executes arbitrary code.

Priority

Medium

CVSS 3 base score: 7.8

Status

Package Release Status
atril
Launchpad, Ubuntu, Debian
Upstream
Released (1.18.0-1)
Ubuntu 16.04 ESM (Xenial Xerus)
Released (1.12.2-1ubuntu0.2)
Ubuntu 14.04 ESM (Trusty Tahr) Does not exist

evince
Launchpad, Ubuntu, Debian
Upstream
Released (3.24.1)
Ubuntu 16.04 ESM (Xenial Xerus)
Released (3.18.2-1ubuntu4.1)
Ubuntu 14.04 ESM (Trusty Tahr) Does not exist
(trusty was released [3.10.3-0ubuntu10.3])

Notes

AuthorNote
sbeattie
upstream evince in git has switched to using libarchive
The fix for this issue disables CBT support, as tar offers to
many opportunities to invoke commands and CBT is a rarely used comic
book format.

References

Bugs