CVE-2017-1000159 (https://nvd.nist.gov/vuln/detail/CVE-2017-1000159): Command injection in evince via filename when printing to PDF. This affects versions earlier than 3.25.91.
The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=63261207cee6515e48676d60757afd9655a49ad6
commit 63261207cee6515e48676d60757afd9655a49ad6
Author:     Mart Raudsepp <leio@gentoo.org>
AuthorDate: 2018-04-14 19:15:50 +0000
Commit:     Mart Raudsepp <leio@gentoo.org>
CommitDate: 2018-04-14 19:16:04 +0000
    app-text/evince: Fix CVE-2017-1000159
    Bug: https://bugs.gentoo.org/650272
    Package-Manager: Portage-2.3.28, Repoman-2.3.9
 app-text/evince/evince-3.24.2-r1.ebuild            | 102 +++++++++++++++++++++
 .../evince/files/3.24.2-CVE-2017-1000159.patch     |  42 +++++++++
 2 files changed, 144 insertions(+)
The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b9a7713bf19a87b5fc57d6c63d7a45b4e95fadaa
commit b9a7713bf19a87b5fc57d6c63d7a45b4e95fadaa
Author:     Aaron Bauman <bman@gentoo.org>
AuthorDate: 2018-04-15 03:59:46 +0000
Commit:     Aaron Bauman <bman@gentoo.org>
CommitDate: 2018-04-15 04:03:13 +0000
    app-text/evince: amd64 stable
    Bug: https://bugs.gentoo.org/650272
    Package-Manager: Portage-2.3.28, Repoman-2.3.9
 app-text/evince/evince-3.24.2-r1.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
x86 stable
cleanup done
GLSA request filed.
This issue was resolved and addressed in GLSA 201804-15 at https://security.gentoo.org/glsa/201804-15 by GLSA coordinator Aaron Bauman (b-man).