Commit 02e685d0 authored by Sören Tempel's avatar Sören Tempel

community/evince: security fix for CVE-2017-1000083

parent 69bf70aa
From 717df38fd8509bf883b70d680c9b1b3cf36732ee Mon Sep 17 00:00:00 2001
From: Bastien Nocera <hadess@hadess.net>
Date: Thu, 6 Jul 2017 20:02:00 +0200
Subject: [PATCH] comics: Remove support for tar and tar-like commands
When handling tar files, or using a command with tar-compatible syntax,
to open comic-book archives, both the archive name (the name of the
comics file) and the filename (the name of a page within the archive)
are quoted to not be interpreted by the shell.
But the filename is completely with the attacker's control and can start
with "--" which leads to tar interpreting it as a command line flag.
This can be exploited by creating a CBT file (a tar archive with the
.cbt suffix) with an embedded file named something like this:
"--checkpoint-action=exec=bash -c 'touch ~/hacked;'.jpg"
CBT files are infinitely rare (CBZ is usually used for DRM-free
commercial releases, CBR for those from more dubious provenance), so
removing support is the easiest way to avoid the bug triggering. All
this code was rewritten in the development release for GNOME 3.26 to not
shell out to any command, closing off this particular attack vector.
This also removes the ability to use libarchive's bsdtar-compatible
binary for CBZ (ZIP), CB7 (7zip), and CBR (RAR) formats. The first two
are already supported by unzip and 7zip respectively. libarchive's RAR
support is limited, so unrar is a requirement anyway.
Discovered by Felix Wilhelm from the Google Security Team.
https://bugzilla.gnome.org/show_bug.cgi?id=784630
---
backend/comics/comics-document.c | 40 +---------------------------------------
configure.ac | 2 +-
2 files changed, 2 insertions(+), 40 deletions(-)
diff --git a/backend/comics/comics-document.c b/backend/comics/comics-document.c
index 4c747310..641d7856 100644
--- a/backend/comics/comics-document.c
+++ b/backend/comics/comics-document.c
@@ -56,8 +56,7 @@ typedef enum
RARLABS,
GNAUNRAR,
UNZIP,
- P7ZIP,
- TAR
+ P7ZIP
} ComicBookDecompressType;
typedef struct _ComicsDocumentClass ComicsDocumentClass;
@@ -117,9 +116,6 @@ static const ComicBookDecompressCommand command_usage_def[] = {
/* 7zip */
{NULL , "%s l -- %s" , "%s x -y %s -o%s", FALSE, OFFSET_7Z},
-
- /* tar */
- {"%s -xOf" , "%s -tf %s" , NULL , FALSE, NO_OFFSET}
};
static GSList* get_supported_image_extensions (void);
@@ -364,13 +360,6 @@ comics_check_decompress_command (gchar *mime_type,
comics_document->command_usage = GNAUNRAR;
return TRUE;
}
- comics_document->selected_command =
- g_find_program_in_path ("bsdtar");
- if (comics_document->selected_command) {
- comics_document->command_usage = TAR;
- return TRUE;
- }
-
} else if (g_content_type_is_a (mime_type, "application/x-cbz") ||
g_content_type_is_a (mime_type, "application/zip")) {
/* InfoZIP's unzip program */
@@ -396,12 +385,6 @@ comics_check_decompress_command (gchar *mime_type,
comics_document->command_usage = P7ZIP;
return TRUE;
}
- comics_document->selected_command =
- g_find_program_in_path ("bsdtar");
- if (comics_document->selected_command) {
- comics_document->command_usage = TAR;
- return TRUE;
- }
} else if (g_content_type_is_a (mime_type, "application/x-cb7") ||
g_content_type_is_a (mime_type, "application/x-7z-compressed")) {
@@ -425,27 +408,6 @@ comics_check_decompress_command (gchar *mime_type,
comics_document->command_usage = P7ZIP;
return TRUE;
}
- comics_document->selected_command =
- g_find_program_in_path ("bsdtar");
- if (comics_document->selected_command) {
- comics_document->command_usage = TAR;
- return TRUE;
- }
- } else if (g_content_type_is_a (mime_type, "application/x-cbt") ||
- g_content_type_is_a (mime_type, "application/x-tar")) {
- /* tar utility (Tape ARchive) */
- comics_document->selected_command =
- g_find_program_in_path ("tar");
- if (comics_document->selected_command) {
- comics_document->command_usage = TAR;
- return TRUE;
- }
- comics_document->selected_command =
- g_find_program_in_path ("bsdtar");
- if (comics_document->selected_command) {
- comics_document->command_usage = TAR;
- return TRUE;
- }
} else {
g_set_error (error,
EV_DOCUMENT_ERROR,
diff --git a/configure.ac b/configure.ac
index 9e9f8316..7eb0f1f3 100644
--- a/configure.ac
+++ b/configure.ac
@@ -795,7 +795,7 @@ AC_SUBST(TIFF_MIME_TYPES)
AC_SUBST(APPDATA_TIFF_MIME_TYPES)
AM_SUBST_NOTMAKE(APPDATA_TIFF_MIME_TYPES)
if test "x$enable_comics" = "xyes"; then
- COMICS_MIME_TYPES="application/x-cbr;application/x-cbz;application/x-cb7;application/x-cbt;application/x-ext-cbr;application/x-ext-cbz;application/vnd.comicbook+zip;application/x-ext-cb7;application/x-ext-cbt"
+ COMICS_MIME_TYPES="application/x-cbr;application/x-cbz;application/x-cb7;application/x-ext-cbr;application/x-ext-cbz;application/vnd.comicbook+zip;application/x-ext-cb7;"
APPDATA_COMICS_MIME_TYPES=$(echo "<mimetype>$COMICS_MIME_TYPES</mimetype>" | sed -e 's/;/<\/mimetype>\n <mimetype>/g')
if test -z "$EVINCE_MIME_TYPES"; then
EVINCE_MIME_TYPES="${COMICS_MIME_TYPES}"
--
2.13.2
# Contributor: Sören Tempel <soeren+alpine@soeren-tempel.net>
# Contributor: William Pitcock <nenolod@dereferenced.org>
# Maintainer: William Pitcock <nenolod@dereferenced.org>
pkgname=evince
pkgver=3.24.0
pkgrel=1
pkgrel=2
pkgdesc="simple document viewer for GTK+"
url="http://projects.gnome.org/evince/"
arch="all"
......@@ -12,12 +13,23 @@ depends_dev="gtk+3.0-dev poppler-dev libsm-dev libevent-dev libxrandr-dev
libx11-dev libxcursor-dev libxcomposite-dev libxi-dev util-linux-dev
tiff-dev gobject-introspection-dev libxml2-dev"
makedepends="$depends_dev intltool itstool gnome-doc-utils
adwaita-icon-theme-dev"
adwaita-icon-theme-dev gnome-common automake autoconf
gtk-doc yelp-tools"
subpackages="$pkgname-dev $pkgname-doc $pkgname-lang $pkgname-libs"
source="http://ftp.gnome.org/pub/GNOME/sources/${pkgname}/${pkgver%.*}/${pkgname}-${pkgver}.tar.xz"
source="http://ftp.gnome.org/pub/GNOME/sources/${pkgname}/${pkgver%.*}/${pkgname}-${pkgver}.tar.xz
0001-comics-Remove-support-for-tar-and-tar-like-commands.patch"
builddir="${srcdir}/${pkgname}-${pkgver}"
# secfixes:
# 3.24.0-r2:
# - CVE-2017-1000083
prepare() {
default_prepare
cd "$builddir"
NOCONFIGURE=1 ./autogen.sh
}
build() {
cd "$builddir"
./configure \
......@@ -50,5 +62,5 @@ doc() {
fi
}
sha512sums="b793c44b2976abe58461adfdb0b1874af8d6bafaf9b80a851d94b776f9d50f6a81774bcb5b35cd59a9ad3afeea9a8b88018aa85d670373c7c2fa9617407a09c4 evince-3.24.0.tar.xz"
sha512sums="b793c44b2976abe58461adfdb0b1874af8d6bafaf9b80a851d94b776f9d50f6a81774bcb5b35cd59a9ad3afeea9a8b88018aa85d670373c7c2fa9617407a09c4 evince-3.24.0.tar.xz
26251ad90271612ee3fadf0c7a7719fdca6ed1b74f2600751eaba97916d2b44969955a9ad9994f1c97cb79757d3d4f7f76354ce3b04b1340d91598a773fbb130 0001-comics-Remove-support-for-tar-and-tar-like-commands.patch"
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment