Bug 21239 - evince new security issue CVE-2017-1000083
Summary: evince new security issue CVE-2017-1000083
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 6
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: advisory MGA5TOO has_procedure mga6-6...
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2017-07-14 13:12 CEST by David Walser
Modified: 2017-08-05 21:20 CEST

See Also:
Source RPM: evince-3.24.0-1.mga6.src.rpm
CVE:
Status comment:


Description David Walser 2017-07-14 13:12:11 CEST
A security issue in evince has been announced on July 13:
http://openwall.com/lists/oss-security/2017/07/13/5

David Walser 2017-07-14 13:12:20 CEST

Whiteboard: (none) => MGA6TOO

Comment 1 David Walser 2017-07-14 13:23:06 CEST
Ubuntu has issued an advisory for this on July 13:
https://www.ubuntu.com/usn/usn-3351-1/

Mageia 5 is also affected.

Whiteboard: MGA6TOO => MGA6TOO, MGA5TOO

Comment 2 David Walser 2017-07-30 00:09:46 CEST
Patched package uploaded for Mageia 5.

Updated (to 3.24.1) packages uploaded for Mageia 6 and Cauldron.

Advisory:
========================

Updated evince packages fix security vulnerability:

Felix Wilhelm discovered that Evince did not safely invoke tar when handling
tar comic book (cbt) files. An attacker could use this to construct a malicious
cbt comic book format file that, when opened in Evince, executes arbitrary
code. Please note that this update disables support for cbt files in Evince
(CVE-2017-1000083).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000083
https://usn.ubuntu.com/usn/usn-3351-1/
========================

Updated packages in core/updates_testing:
========================
evince-3.14.2-1.1.mga5
evince-dvi-3.14.2-1.1.mga5
libevdocument3_4-3.14.2-1.1.mga5
libevview3_3-3.14.2-1.1.mga5
libevince-devel-3.14.2-1.1.mga5
libevince-gir3.0-3.14.2-1.1.mga5
evince-3.24.1-1.mga6
evince-dvi-3.24.1-1.mga6
libevdocument3_4-3.24.1-1.mga6
libevview3_3-3.24.1-1.mga6
libevince-devel-3.24.1-1.mga6
libevince-gir3.0-3.24.1-1.mga6

from SRPMS:
evince-3.14.2-1.1.mga5.src.rpm
evince-3.24.1-1.mga6.src.rpm

Whiteboard: MGA6TOO, MGA5TOO => MGA5TOO
Assignee: olav => qa-bugs
Version: Cauldron => 6

Comment 3 claire robinson 2017-07-30 17:16:59 CEST
Testing complete mga6 64

Couldn't find a cbt to test it with but it seems to open cbz before and after update, which I believe is the zipped variety rather than tar'd.

Whiteboard: MGA5TOO => MGA5TOO mga6-64-ok

claire robinson 2017-07-30 17:17:13 CEST

Whiteboard: MGA5TOO mga6-64-ok => MGA5TOO has_procedure mga6-64-ok

nathan giovannini 2017-07-30 22:04:01 CEST

Whiteboard: MGA5TOO has_procedure mga6-64-ok => MGA5TOO has_procedure mga6-64-ok mga6-32-ok
CC: (none) => nathan95

Rémi Verschelde 2017-07-31 20:04:31 CEST

Whiteboard: MGA5TOO has_procedure mga6-64-ok mga6-32-ok => advisory MGA5TOO has_procedure mga6-64-ok mga6-32-ok

Comment 4 Brian Rockwell 2017-08-05 14:37:04 CEST
$ uname -a
Linux localhost 4.4.74-desktop-1.mga5 #1 SMP Mon Jun 26 08:33:18 UTC 2017 i686 i686 i686 GNU/Linux

The following 38 packages are going to be installed:

- evince-3.14.2-1.1.mga5.i586
- evince-dvi-3.14.2-1.1.mga5.i586
- libevdocument3_4-3.14.2-1.1.mga5.i586
- libevince-gir3.0-3.14.2-1.1.mga5.i586
- libevview3_3-3.14.2-1.1.mga5.i586
- libfreetype2-1.3.1-45.mga5.i586
- libkpathsea6-20130530-21.1.mga5.i586
- libptexenc1-20130530-21.1.mga5.i586
- libt1lib5-5.1.2-18.mga5.i586
- libyaml0_2-0.1.6-4.mga5.i586
- libzziplib0-0.13.62-5.1.mga5.i586
- perl-Algorithm-Diff-1.190.200-8.mga5.noarch
- perl-File-Slurp-Tiny-0.3.0-3.mga5.noarch
- perl-File-Which-1.90.0-5.mga5.noarch
- perl-Font-AFM-1.200.0-5.mga5.noarch
- perl-HTML-Form-6.30.0-5.mga5.noarch
- perl-HTML-Format-2.110.0-3.mga5.noarch
- perl-HTML-Tree-5.30.0-10.mga5.noarch
- perl-HTTP-Server-Simple-0.440.0-5.mga5.noarch
- perl-IPC-Run3-0.48.0-3.mga5.noarch
- perl-Probe-Perl-0.30.0-3.mga5.noarch
- perl-Sub-Uplevel-0.240.0-6.mga5.noarch
- perl-Test-Script-1.70.0-6.mga5.noarch
- perl-Test-Warn-0.300.0-3.mga5.i586
- perl-Tk-804.33.0-1.mga5.i586
- perl-Tree-DAG_Node-1.220.0-4.mga5.noarch
- perl-WWW-Mechanize-1.730.0-5.mga5.noarch
- perl-XML-XPath-1.130.0-6.mga5.noarch
- ruby-2.0.0.p648-1.3.mga5.i586
- ruby-irb-2.0.0.p648-1.3.mga5.noarch
- ruby-json-1.8.1-3.mga5.i586
- ruby-rdoc-4.0.1-9.mga5.noarch
- ruby-RubyGems-2.1.11-5.1.mga5.noarch
- t1lib-config-5.1.2-18.mga5.i586
- texlive-20130530-21.1.mga5.i586
- texlive-collection-basic-20130530-10.mga5.noarch
- texlive-dist-20130530-10.mga5.noarch
- texlive-texmf-20130530-10.mga5.noarch

1.1GB of additional disk space will be used.

591MB of packages will be retrieved.

-----

I created a cbt suffixed file from some pictures

tar -cf picts.cbt 10.jpg 11.jpg 16.jpg 5.jp


When I open this with evince it states it does not support TAR files.  Am I missing an extension?

I changed it to a cbz (used archive to create a compressed file of pictures in cbz format).

I was able to view with evince without any errors.

Whiteboard: advisory MGA5TOO has_procedure mga6-64-ok mga6-32-ok => advisory MGA5TOO has_procedure mga6-64-ok mga6-32-ok mga5-32-ok
CC: (none) => brtians1

Comment 5 Brian Rockwell 2017-08-05 18:56:31 CEST
I installed Evince update on mga5-64.

Tested it with cbt and cbz files.  It noted cbt not supported and displayed cbz without an issue.

Brian Rockwell 2017-08-05 20:04:00 CEST

Whiteboard: advisory MGA5TOO has_procedure mga6-64-ok mga6-32-ok mga5-32-ok => advisory MGA5TOO has_procedure mga6-64-ok mga6-32-ok mga5-32-ok mga5-64-ok
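
The test procedure from comments 3 to 5, as an added example that is not part of the original bug report or of Mageia's QA tooling: it builds a cbt and a cbz fixture from constructed placeholder pages and identifies each container from its content rather than its extension, so a tester knows which result the advisory predicts. The helper names, fixture names and result strings are assumptions.

```python
import os
import tarfile
import tempfile
import zipfile

# Constructed stand-ins for the testers' pictures; the content is irrelevant.
SAMPLE_PAGES = {"10.jpg": b"\xff\xd8\xff\xe0page-10",
                "11.jpg": b"\xff\xd8\xff\xe0page-11"}

# Behaviour of the updated packages as stated in the advisory on this page.
EXPECTED = {"tar": "rejected (cbt support disabled)", "zip": "opens"}
EXT_FOR = {"tar": ".cbt", "zip": ".cbz"}


def make_fixtures(workdir):
    """Write the pages and pack them as picts.cbt (tar) and picts.cbz (zip)."""
    for name, data in SAMPLE_PAGES.items():
        with open(os.path.join(workdir, name), "wb") as fh:
            fh.write(data)
    cbt = os.path.join(workdir, "picts.cbt")
    cbz = os.path.join(workdir, "picts.cbz")
    with tarfile.open(cbt, "w") as tar:  # uncompressed, like `tar -cf`
        for name in SAMPLE_PAGES:
            tar.add(os.path.join(workdir, name), arcname=name)
    with zipfile.ZipFile(cbz, "w") as zf:
        for name in SAMPLE_PAGES:
            zf.write(os.path.join(workdir, name), arcname=name)
    return cbt, cbz


def container_type(path):
    """Identify the container from file content, not from the extension."""
    if tarfile.is_tarfile(path):
        return "tar"
    if zipfile.is_zipfile(path):
        return "zip"
    return "unknown"


def describe(path):
    """Return (container, expected result), flagging a mislabelled fixture."""
    kind = container_type(path)
    ext = os.path.splitext(path)[1].lower()
    if EXT_FOR.get(kind) != ext:
        return kind, "fixture mismatch: extension does not match container"
    return kind, EXPECTED[kind]


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for fixture in make_fixtures(tmp):
            print(os.path.basename(fixture), describe(fixture))
```
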

nathan giovannini 2017-08-05 20:55:36 CEST

CC: (none) => sysadmin-bugs
Keywords: (none) => validated_update

Comment 6 Mageia Robot 2017-08-05 21:20:24 CEST
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2017-0244.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

