Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 650272 (CVE-2017-1000159) - <app-text/evince-3.24.2-r1: command injection via filename
Summary: <app-text/evince-3.24.2-r1: command injection via filename
Status: RESOLVED FIXED
Alias: CVE-2017-1000159
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL:
Whiteboard: B2 [glsa+ cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2018-03-12 12:42 UTC by GLSAMaker/CVETool Bot
Modified: 2018-04-17 18:23 UTC (History)
1 user (show)

See Also:
Package list:
app-text/evince-3.24.2-r1
Runtime testing required: ---
stable-bot: sanity-check+

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description GLSAMaker/CVETool Bot gentoo-dev 2018-03-12 12:42:46 UTC 
CVE-2017-1000159 (https://nvd.nist.gov/vuln/detail/CVE-2017-1000159):
  Command injection in evince via filename when printing to PDF. This affects
  versions earlier than 3.25.91.
Comment 1 Larry the Git Cow gentoo-dev 2018-04-14 19:16:41 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=63261207cee6515e48676d60757afd9655a49ad6

commit 63261207cee6515e48676d60757afd9655a49ad6
Author:     Mart Raudsepp <leio@gentoo.org>
AuthorDate: 2018-04-14 19:15:50 +0000
Commit:     Mart Raudsepp <leio@gentoo.org>
CommitDate: 2018-04-14 19:16:04 +0000

    app-text/evince: Fix CVE-2017-1000159
    
    Bug: https://bugs.gentoo.org/650272
    Package-Manager: Portage-2.3.28, Repoman-2.3.9

 app-text/evince/evince-3.24.2-r1.ebuild            | 102 +++++++++++++++++++++
 .../evince/files/3.24.2-CVE-2017-1000159.patch     |  42 +++++++++
 2 files changed, 144 insertions(+)}
Comment 2 Larry the Git Cow gentoo-dev 2018-04-15 04:04:16 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b9a7713bf19a87b5fc57d6c63d7a45b4e95fadaa

commit b9a7713bf19a87b5fc57d6c63d7a45b4e95fadaa
Author:     Aaron Bauman <bman@gentoo.org>
AuthorDate: 2018-04-15 03:59:46 +0000
Commit:     Aaron Bauman <bman@gentoo.org>
CommitDate: 2018-04-15 04:03:13 +0000

    app-text/evince: amd64 stable
    
    Bug: https://bugs.gentoo.org/650272
    Package-Manager: Portage-2.3.28, Repoman-2.3.9

 app-text/evince/evince-3.24.2-r1.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)}
Comment 3 Thomas Deutschmann (RETIRED) gentoo-dev 2018-04-15 18:58:16 UTC 
x86 stable
Comment 4 Mart Raudsepp gentoo-dev 2018-04-17 12:55:35 UTC 
cleanup done
Comment 5 Aaron Bauman (RETIRED) gentoo-dev 2018-04-17 17:27:04 UTC 
GLSA request filed.
Comment 6 GLSAMaker/CVETool Bot gentoo-dev 2018-04-17 18:23:44 UTC 
This issue was resolved and addressed in
 GLSA 201804-15 at https://security.gentoo.org/glsa/201804-15
by GLSA coordinator Aaron Bauman (b-man).