Bug 624876 - <app-text/evince-3.22.1-r1: Command injection vulnerability in CBT handler
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: https://bugzilla.gnome.org/show_bug.c...
Whiteboard: B3 [noglsa cve]
Keywords:
Duplicates: 629954
Depends on:
Blocks: CVE-2017-1000083
Reported: 2017-07-13 14:41 UTC by David
Modified: 2017-10-08 21:04 UTC
CC: 4 users

See Also:
Package list:
app-text/evince-3.22.1-r1
Runtime testing required: ---
stable-bot: sanity-check+


Description David 2017-07-13 14:41:39 UTC
Evince 3.22.x, and newer versions are affected by a security hole with CBT backend.

Upstream have decided to remove this backend to plug the security hole.

See the following patch for Evince 3.22: https://git.gnome.org/browse/evince/commit/?h=gnome-3-22&id=fa072dbbfd964e85b4a54f8e34751cf62c77d0ea

Reproducible: Always
Comment 1 Kristian Fiskerstrand (RETIRED) gentoo-dev 2017-07-13 15:07:21 UTC
comics: Remove support for tar and tar-like commands gnome-3-22
When handling tar files, or using a command with tar-compatible syntax,
to open comic-book archives, both the archive name (the name of the
comics file) and the filename (the name of a page within the archive)
are quoted to not be interpreted by the shell.

But the filename is completely within the attacker's control and can start
with "--", which leads to tar interpreting it as a command line flag.

This can be exploited by creating a CBT file (a tar archive with the
.cbt suffix) with an embedded file named something like this:
"--checkpoint-action=exec=bash -c 'touch ~/hacked;'.jpg"

CBT files are infinitely rare (CBZ is usually used for DRM-free
commercial releases, CBR for those from more dubious provenance), so
removing support is the easiest way to avoid the bug triggering. All
this code was rewritten in the development release for GNOME 3.26 to not
shell out to any command, closing off this particular attack vector.

This also removes the ability to use libarchive's bsdtar-compatible
binary for CBZ (ZIP), CB7 (7zip), and CBR (RAR) formats. The first two
are already supported by unzip and 7zip respectively. libarchive's RAR
support is limited, so unrar is a requirement anyway.

Discovered by Felix Wilhelm from the Google Security Team.

https://bugzilla.gnome.org/show_bug.cgi?id=784630
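As an added illustration of the argument injection described in the commit message above (example code written for this page, not evince or GNOME code): the archive, the page names and the `tar_operands` model of GNU tar's option parsing are constructed here, and `vulnerable_argv` is a reconstruction of the quote-then-shell-out pattern the commit describes, not the original C. The point it shows is that shell quoting protects against the shell, not against the child program's own option parser; the two hardened variants are the `--` terminator and not spawning tar at all (the direction the GNOME 3.26 rewrite took with libarchive).

```python
"""Tar argument injection via an archive member name, and two ways to stop it.

Added example, not evince/GNOME code. The CBT archive and its member names are
constructed in memory; no tar binary is executed.
"""
import io
import shlex
import tarfile

# Member name of the form quoted in the upstream commit message (constructed here).
MALICIOUS_PAGE = "--checkpoint-action=exec=bash -c 'touch ~/hacked;'.jpg"
BENIGN_PAGE = "page-001.jpg"
FAKE_JPEG = b"\xff\xd8\xff\xe0not-really-a-jpeg"  # placeholder page content


def build_cbt(member_names, data=FAKE_JPEG):
    """Build a CBT (a plain tar archive with a .cbt suffix) in memory."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name in member_names:
            info = tarfile.TarInfo(name=name)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def list_pages(cbt_bytes):
    """Member names exactly as the archive supplies them: attacker-controlled."""
    with tarfile.open(fileobj=io.BytesIO(cbt_bytes), mode="r") as tf:
        return [m.name for m in tf.getmembers() if m.isfile()]


def vulnerable_argv(archive_path, page_name):
    """Reconstruction of the removed pattern: quote both names for /bin/sh and
    run the resulting string. Quoting defeats word splitting and shell
    metacharacters, but tar still parses its own argv, so a page name that
    begins with '--' reaches tar as an option. Returns the argv /bin/sh would
    pass to execve() for that command string."""
    cmd = "tar --extract --to-stdout --file=%s %s" % (
        shlex.quote(archive_path), shlex.quote(page_name))
    return shlex.split(cmd)


def hardened_argv(archive_path, page_name):
    """Same tar invocation built as an argv list (no shell) with option parsing
    terminated by '--', so everything after it is a file name to tar."""
    return ["tar", "--extract", "--to-stdout", "--file=" + archive_path,
            "--", page_name]


def tar_operands(argv):
    """Model of the getopt rule GNU tar follows: '--' ends option parsing;
    before it, any argument starting with '-' is an option, not a file name.
    Returns (options, operands). This models tar, it does not run it."""
    options, operands = [], []
    seen_terminator = False
    for arg in argv[1:]:
        if seen_terminator:
            operands.append(arg)
        elif arg == "--":
            seen_terminator = True
        elif arg.startswith("-") and len(arg) > 1:
            options.append(arg)
        else:
            operands.append(arg)
    return options, operands


def read_page_in_process(cbt_bytes, page_name):
    """No subprocess at all (the libarchive approach, here via tarfile): the
    member name is never an argv element, so it cannot become an option."""
    with tarfile.open(fileobj=io.BytesIO(cbt_bytes), mode="r") as tf:
        member = tf.getmember(page_name)
        if not member.isfile():
            raise ValueError("not a regular file: %r" % page_name)
        return tf.extractfile(member).read()


if __name__ == "__main__":
    cbt = build_cbt([BENIGN_PAGE, MALICIOUS_PAGE])
    for page in list_pages(cbt):
        for label, builder in (("vulnerable", vulnerable_argv),
                               ("hardened  ", hardened_argv)):
            opts, _ = tar_operands(builder("evil.cbt", page))
            how = "OPTION" if page in opts else "operand"
            print("%s: page %r reaches tar as an %s" % (label, page, how))
```

Running it prints that the malicious page name reaches tar as an option in the vulnerable form and as an operand in the hardened form, while the benign name is an operand in both. The `--` terminator is the GNU getopt convention; prefixing every member name with `./` is the other common mitigation. Neither removes the shell-out itself, which is why upstream dropped the code path and later replaced it with in-process libarchive extraction.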
Comment 2 Mart Raudsepp gentoo-dev 2017-07-13 16:32:10 UTC
Tar-compressed comics filetype support is removed (.cbt), but non-compressed support of this backend is still there (.cbr); that is, CBT isn't a backend, it's the tarred variant of the comics backend. Newer versions will go via libarchive instead, to not mess with untar manually, but it wasn't made to work safely in older versions, so indeed, compressed comics won't work after this with evince until the new libarchive-using version is there. I assume it's not so widespread that they didn't bother.

Upstream also says:

Please note that MATE's "atril" (a fork of an older version of evince)
is also vulnerable:
https://github.com/mate-desktop/atril/issues/257

Not sure if to handle that in a separate bug. CCing mate@ here for starters.
Comment 3 Kristian Fiskerstrand (RETIRED) gentoo-dev 2017-07-13 16:56:20 UTC
(In reply to Mart Raudsepp from comment #2)

> Upstream also says:
> 
> Please note that MATE's "atril" (a fork of an older version of evince)
> is also vulnerable:
> https://github.com/mate-desktop/atril/issues/257
> 
> Not sure if to handle that in a separate bug. CCing mate@ here for starters.

Thanks, opened separate bug report as bug 624880
Comment 4 Mart Raudsepp gentoo-dev 2017-07-13 17:45:16 UTC
commit 25ad9706a5046f3b3373762ba457772daa3af80d
Author: Mart Raudsepp <leio@gentoo.org>
Date:   Thu Jul 13 20:42:47 2017 +0300

    app-text/evince: remove support for tar-like compressed comics files (CBT) for security
    
    The support for tar compressed comics files will come back in a future version via
    libarchive. Until then this is disabled due to security issue CVE-2017-1000083.
    Other comics formats should still work.
    
    Gentoo-bug: 624876
Comment 5 Tobias Klausmann (RETIRED) gentoo-dev 2017-07-15 09:59:17 UTC
Stable on alpha.
Comment 6 Tobias Klausmann (RETIRED) gentoo-dev 2017-07-15 10:05:37 UTC
(In reply to Tobias Klausmann from comment #5)
> Stable on alpha.

Bullshit. Amd64 stable.
Comment 7 Thomas Deutschmann gentoo-dev 2017-08-18 23:30:19 UTC
x86 stable
Comment 8 D'juan McDonald (domhnall) 2017-09-05 12:23:30 UTC
*** Bug 629954 has been marked as a duplicate of this bug. ***
Comment 9 D'juan McDonald (domhnall) 2017-09-05 13:01:33 UTC
*** Bug 629954 has been marked as a duplicate of this bug. ***
Comment 10 Mart Raudsepp gentoo-dev 2017-09-25 16:21:00 UTC
It looks like I failed to eautoreconf, and as such part of the patch doesn't take effect (the configure.ac part). This results in an evince backend-describing .desktop-style file still having the compressed MIME types in it. But I think it should be fine, as the actual code that badly deals with the uncompressing is still gone successfully.
Otherwise cleanup done.
Comment 11 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2017-10-08 21:04:21 UTC
GLSA Vote: No