[ASA-201707-14] evince: arbitrary command execution

Published: 2017-07-14 00:00:00
Source: security.archlinux.org

CVSS3: 7.8 High
  Attack Vector: LOCAL
  Attack Complexity: LOW
  Privileges Required: NONE
  User Interaction: REQUIRED
  Scope: UNCHANGED
  Confidentiality Impact: HIGH
  Integrity Impact: HIGH
  Availability Impact: HIGH
  Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVSS2: 6.8 Medium
  Access Vector: NETWORK
  Access Complexity: MEDIUM
  Authentication: NONE
  Confidentiality Impact: PARTIAL
  Integrity Impact: PARTIAL
  Availability Impact: PARTIAL
  Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P

EPSS: 0.142 Low (percentile 95.7%)

Arch Linux Security Advisory ASA-201707-14

Severity: Critical
Date : 2017-07-14
CVE-ID : CVE-2017-1000083
Package : evince
Type : arbitrary command execution
Remote : Yes
Link : https://security.archlinux.org/AVG-348

Summary

The package evince before version 3.24.0+12+g717df38f-1 is vulnerable
to arbitrary command execution.

Resolution

Upgrade to 3.24.0+12+g717df38f-1.

pacman -Syu "evince>=3.24.0+12+g717df38f-1"

The problem has been fixed upstream but no release is available yet.

Workaround

None.

Description

The comic book backend in evince <= 3.24.0 is vulnerable to a command
injection bug that can be used to execute arbitrary commands when a CBT
file is opened.
CBT files are simple tar archives containing images. When a CBT file is
processed, evince calls "tar -xOf $archive $filename" for every image
file in the archive. While both the archive name and the filename are
quoted so that the shell does not interpret them, the filename is
completely attacker controlled and can start with "--", which leads to
tar interpreting it as a command line flag. This can be exploited by
creating a tar archive with an embedded file named something like this:
"--checkpoint-action=exec=bash -c 'touch ~/covfefe.evince;'.jpg"
This can presumably be triggered by the evince thumbnailer, which is
not sandboxed, and web browsers that allow untrusted websites to
automatically download files without user interaction (Chrome, Epiphany)
can trigger the thumbnailer to run, so this is web exposed.
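As an added illustration (not part of the advisory or of evince's code), the following Python contrasts the argv shape the advisory describes with one that ends option parsing with "--", and scans a constructed CBT archive for member names that tar would read as options. The archive, its member names and the helper names are constructed for this example.

```python
import io
import shlex
import tarfile


def unsafe_tar_argv(archive, member):
    """argv in the shape the advisory describes: tar -xOf $archive $filename.
    Shell quoting (what the advisory says evince did) protects against the
    shell only; tar itself still parses a member name starting with "-"
    as an option."""
    return ["tar", "-xOf", archive, member]


def safe_tar_argv(archive, member):
    """Hardened shape: "--" ends option parsing, so the member name is
    always treated as a file operand, whatever it starts with."""
    return ["tar", "-xOf", archive, "--", member]


def option_like_members(tar_bytes):
    """Defensive pre-check: list member names that tar would read as options
    if they were passed as bare operands (the pattern in this advisory)."""
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tf:
        return [m.name for m in tf.getmembers() if m.name.startswith("-")]


def build_sample_cbt():
    """Constructed sample CBT: one ordinary page and one member whose name
    is shaped like a long option (a harmless name, chosen for the test)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name in ("page01.jpg", "--version.jpg"):
            data = b"\xff\xd8\xff\xe0" + b"\x00" * 16  # fake JPEG header, constructed
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_cbt()
    flagged = option_like_members(sample)
    print("option-like member names:", flagged)
    for name in flagged:
        # shlex.quote() leaves "--version.jpg" unquoted: quoting is not the fix here.
        print("unsafe:", " ".join(shlex.quote(a) for a in unsafe_tar_argv("book.cbt", name)))
        print("safe:  ", " ".join(shlex.quote(a) for a in safe_tar_argv("book.cbt", name)))
```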

Impact

A remote attacker can execute arbitrary commands on the affected host by
convincing the user to download a crafted CBT file.

References

https://bugzilla.gnome.org/show_bug.cgi?id=784630
https://git.gnome.org/browse/evince/commit/?h=gnome-3-24&id=717df38fd8509bf883b70d680c9b1b3cf36732ee
https://security.archlinux.org/CVE-2017-1000083

OS          Version  Architecture  Package  Version                   Filename
Arch Linux  any      any           evince   < 3.24.0+12+g717df38f-1   UNKNOWN
