Your submission was sent successfully! Close

CVE-2017-1000083

Published: 13 July 2017

backend/comics/comics-document.c (aka the comic book backend) in GNOME Evince before 3.24.1 allows remote attackers to execute arbitrary commands via a .cbt file that is a TAR archive containing a filename beginning with a "--" command-line option substring, as demonstrated by a --checkpoint-action=exec=bash at the beginning of the filename.

From the Ubuntu security team

Felix Wilhelm discovered that Evince did not safely invoke tar when handling tar comic book (cbt) files. An attacker could use this to construct a malicious comic book format file that, when opened in Evince, executes arbitrary code.

Priority

Medium

CVSS 3 base score: 7.8

Status

Package Release Status
atril
Launchpad, Ubuntu, Debian
artful Not vulnerable
(1.18.1-1)
precise Does not exist

trusty Does not exist

upstream
Released (1.18.0-1)
xenial
Released (1.12.2-1ubuntu0.2)
yakkety Ignored
(reached end-of-life)
zesty Ignored
(reached end-of-life)
evince
Launchpad, Ubuntu, Debian
artful Not vulnerable
(3.24.1-0ubuntu1)
precise Does not exist

trusty Does not exist
(trusty was released [3.10.3-0ubuntu10.3])
upstream
Released (3.24.1)
xenial
Released (3.18.2-1ubuntu4.1)
yakkety
Released (3.22.0-0ubuntu1.1)
zesty
Released (3.24.0-0ubuntu1.1)

Notes

AuthorNote
sbeattie
upstream evince in git has switched to using libarchive
The fix for this issue disables CBT support, as tar offers to
many opportunities to invoke commands and CBT is a rarely used comic
book format.

References