CVSS3 : 7.8 High
Attack Vector : LOCAL
Attack Complexity : LOW
Privileges Required : NONE
User Interaction : REQUIRED
Scope : UNCHANGED
Confidentiality Impact : HIGH
Integrity Impact : HIGH
Availability Impact : HIGH
CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVSS2 : 6.8 Medium
Access Vector : NETWORK
Access Complexity : MEDIUM
Authentication : NONE
Confidentiality Impact : PARTIAL
Integrity Impact : PARTIAL
Availability Impact : PARTIAL
AV:N/AC:M/Au:N/C:P/I:P/A:P
EPSS : 0.142 Low
Percentile : 95.7%
Severity: Critical
Date : 2017-07-14
CVE-ID : CVE-2017-1000083
Package : evince
Type : arbitrary command execution
Remote : Yes
Link : https://security.archlinux.org/AVG-348
The package evince before version 3.24.0+12+g717df38f-1 is vulnerable
to arbitrary command execution.
Upgrade to 3.24.0+12+g717df38f-1.
The problem has been fixed upstream but no release is available yet.
Workaround : None.
The comic book backend in evince <= 3.24.0 is vulnerable to a command
injection bug that can be used to execute arbitrary commands when a cbt
file is opened.
CBT files are simple tar archives containing images. When a cbt file is
processed, evince calls "tar -xOf $archive $filename" for every image
file in the archive. While both the archive name and the filename are
quoted so that the shell does not interpret them, the filename is
completely attacker controlled and can start with "--", which leads to
tar interpreting it as a command line flag. This can be exploited by
creating a tar archive with an embedded file named something like this:
"--checkpoint-action=exec=bash -c 'touch ~/covfefe.evince;'.jpg"
This can presumably be triggered by the evince thumbnailer, which is
not sandboxed. Web browsers that allow untrusted websites to
auto-download files without user interaction (Chrome, Epiphany) can
trigger the thumbnailer to run, so this is web exposed.
A remote attacker can execute arbitrary commands on the affected host by
convincing the user to download a crafted CBT file.
https://bugzilla.gnome.org/show_bug.cgi?id=784630
https://git.gnome.org/browse/evince/commit/?h=gnome-3-24&id=717df38fd8509bf883b70d680c9b1b3cf36732ee
https://security.archlinux.org/CVE-2017-1000083