A security issue in evince has been announced on July 13: http://openwall.com/lists/oss-security/2017/07/13/5
Whiteboard: (none) => MGA6TOO
Ubuntu has issued an advisory for this on July 13: https://www.ubuntu.com/usn/usn-3351-1/

Mageia 5 is also affected.
Whiteboard: MGA6TOO => MGA6TOO, MGA5TOO
Patched package uploaded for Mageia 5. Updated (to 3.24.1) packages uploaded for Mageia 6 and Cauldron.

Advisory:
========================

Updated evince packages fix security vulnerability:

Felix Wilhelm discovered that Evince did not safely invoke tar when handling tar comic book (cbt) files. An attacker could use this to construct a malicious cbt comic book format file that, when opened in Evince, executes arbitrary code. Please note that this update disables support for cbt files in Evince (CVE-2017-1000083).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000083
https://usn.ubuntu.com/usn/usn-3351-1/
========================

Updated packages in core/updates_testing:
========================
evince-3.14.2-1.1.mga5
evince-dvi-3.14.2-1.1.mga5
libevdocument3_4-3.14.2-1.1.mga5
libevview3_3-3.14.2-1.1.mga5
libevince-devel-3.14.2-1.1.mga5
libevince-gir3.0-3.14.2-1.1.mga5
evince-3.24.1-1.mga6
evince-dvi-3.24.1-1.mga6
libevdocument3_4-3.24.1-1.mga6
libevview3_3-3.24.1-1.mga6
libevince-devel-3.24.1-1.mga6
libevince-gir3.0-3.24.1-1.mga6

from SRPMS:
evince-3.14.2-1.1.mga5.src.rpm
evince-3.24.1-1.mga6.src.rpm
Whiteboard: MGA6TOO, MGA5TOO => MGA5TOO
Assignee: olav => qa-bugs
Version: Cauldron => 6
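The advisory above only says that Evince "did not safely invoke tar" on cbt files, and the update resolves it by disabling cbt support. As an added illustration, not Evince's code and not the Mageia fix, the following constructed Python shows the general hardening pattern for any program that hands attacker-controlled names (an archive path chosen by whoever sent the file, member names stored inside it) to an external tar: an argv list with no shell, the archive path glued to --file=, "--" before member names, and a member-name check. The function names, the TAR constant and the sample archive are assumptions made for this example; it assumes GNU tar on PATH only for the optional demo in main.

```python
"""Safe invocation of an external archiver with attacker-controlled names.

Constructed example; not Evince's code. Assumption: GNU tar on PATH as "tar"
(only needed for the demo under __main__; the argv builders run without it).
"""
import io
import os
import shutil
import subprocess
import tarfile
import tempfile
from typing import List

TAR = "tar"  # assumption: GNU tar available on PATH


def unsafe_list_command(archive_path: str) -> str:
    """Schematic of the bug class, for contrast only; nothing runs this.

    Interpolating a name into a shell string lets the path be word-split and
    expanded by the shell, and a name beginning with '-' is read by tar as an
    option rather than as a file.
    """
    return f"tar -tf {archive_path}"


def is_safe_member_name(member: str) -> bool:
    """Reject member names that are absolute or climb out of the target dir."""
    if not member or member.startswith("/"):
        return False
    if ".." in member.split("/"):
        return False
    return True


def safe_list_argv(archive_path: str) -> List[str]:
    """argv that lists an archive without its name ever becoming an option.

    The path is attached to --file= so tar never sees it as a separate word,
    and it is made absolute so a basename starting with '-' is still a path.
    """
    return [TAR, "--list", "--file=" + os.path.abspath(archive_path)]


def safe_extract_argv(archive_path: str, member: str) -> List[str]:
    """argv that writes one member to stdout.

    '--' terminates option parsing, so a member name beginning with '-' (which
    the sender controls, because it lives inside the archive) is an operand.
    """
    if not is_safe_member_name(member):
        raise ValueError(f"refusing suspicious member name: {member!r}")
    return [
        TAR, "--extract", "--to-stdout",
        "--file=" + os.path.abspath(archive_path),
        "--", member,
    ]


def run_argv(argv: List[str]) -> bytes:
    """Run without a shell: no word splitting, globbing or $() expansion."""
    proc = subprocess.run(argv, check=True, stdout=subprocess.PIPE,
                          stderr=subprocess.DEVNULL)
    return proc.stdout


def build_sample_cbt(directory: str) -> str:
    """Constructed sample: a .cbt whose file name and member both start with '-'."""
    path = os.path.join(directory, "-sample.cbt")
    with tarfile.open(path, "w") as tar:
        data = b"not really a jpeg"  # constructed placeholder page
        info = tarfile.TarInfo(name="-page01.jpg")
        info.size = len(data)
        tar.addfile(info, io.BytesIO(data))
    return path


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        cbt = build_sample_cbt(tmp)
        print("list argv:   ", safe_list_argv(cbt))
        print("extract argv:", safe_extract_argv(cbt, "-page01.jpg"))
        if shutil.which(TAR):  # demo only when a tar binary is present
            print(run_argv(safe_list_argv(cbt)).decode())
            print(run_argv(safe_extract_argv(cbt, "-page01.jpg")))
```

The two argv builders are the part worth copying: every string that originates from the file (its path, its member names) is placed where the option parser cannot reinterpret it, and the process is spawned from a list so no shell gets a chance to expand it either.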
Testing complete mga6 64

Couldn't find a cbt to test it with but it seems to open cbz before and after update, which I believe is the zipped variety rather than tar'd.
Whiteboard: MGA5TOO => MGA5TOO mga6-64-ok
Whiteboard: MGA5TOO mga6-64-ok => MGA5TOO has_procedure mga6-64-ok
CC: (none) => nathan95
Whiteboard: MGA5TOO has_procedure mga6-64-ok => MGA5TOO has_procedure mga6-64-ok mga6-32-ok
Whiteboard: MGA5TOO has_procedure mga6-64-ok mga6-32-ok => advisory MGA5TOO has_procedure mga6-64-ok mga6-32-ok
$ uname -a
Linux localhost 4.4.74-desktop-1.mga5 #1 SMP Mon Jun 26 08:33:18 UTC 2017 i686 i686 i686 GNU/Linux

The following 38 packages are going to be installed:

- evince-3.14.2-1.1.mga5.i586
- evince-dvi-3.14.2-1.1.mga5.i586
- libevdocument3_4-3.14.2-1.1.mga5.i586
- libevince-gir3.0-3.14.2-1.1.mga5.i586
- libevview3_3-3.14.2-1.1.mga5.i586
- libfreetype2-1.3.1-45.mga5.i586
- libkpathsea6-20130530-21.1.mga5.i586
- libptexenc1-20130530-21.1.mga5.i586
- libt1lib5-5.1.2-18.mga5.i586
- libyaml0_2-0.1.6-4.mga5.i586
- libzziplib0-0.13.62-5.1.mga5.i586
- perl-Algorithm-Diff-1.190.200-8.mga5.noarch
- perl-File-Slurp-Tiny-0.3.0-3.mga5.noarch
- perl-File-Which-1.90.0-5.mga5.noarch
- perl-Font-AFM-1.200.0-5.mga5.noarch
- perl-HTML-Form-6.30.0-5.mga5.noarch
- perl-HTML-Format-2.110.0-3.mga5.noarch
- perl-HTML-Tree-5.30.0-10.mga5.noarch
- perl-HTTP-Server-Simple-0.440.0-5.mga5.noarch
- perl-IPC-Run3-0.48.0-3.mga5.noarch
- perl-Probe-Perl-0.30.0-3.mga5.noarch
- perl-Sub-Uplevel-0.240.0-6.mga5.noarch
- perl-Test-Script-1.70.0-6.mga5.noarch
- perl-Test-Warn-0.300.0-3.mga5.i586
- perl-Tk-804.33.0-1.mga5.i586
- perl-Tree-DAG_Node-1.220.0-4.mga5.noarch
- perl-WWW-Mechanize-1.730.0-5.mga5.noarch
- perl-XML-XPath-1.130.0-6.mga5.noarch
- ruby-2.0.0.p648-1.3.mga5.i586
- ruby-irb-2.0.0.p648-1.3.mga5.noarch
- ruby-json-1.8.1-3.mga5.i586
- ruby-rdoc-4.0.1-9.mga5.noarch
- ruby-RubyGems-2.1.11-5.1.mga5.noarch
- t1lib-config-5.1.2-18.mga5.i586
- texlive-20130530-21.1.mga5.i586
- texlive-collection-basic-20130530-10.mga5.noarch
- texlive-dist-20130530-10.mga5.noarch
- texlive-texmf-20130530-10.mga5.noarch

1.1GB of additional disk space will be used.
591MB of packages will be retrieved.

-----

I created a cbt suffixed file from some pictures:

tar -cf picts.cbt 10.jpg 11.jpg 16.jpg 5.jp

When I open this with evince it states it does not support TAR files. Am I missing an extension?

I changed it to a cbz (used archive to create a compressed file of pictures in cbz format).
I was able to view with evince without any errors.
Whiteboard: advisory MGA5TOO has_procedure mga6-64-ok mga6-32-ok => advisory MGA5TOO has_procedure mga6-64-ok mga6-32-ok mga5-32-ok
CC: (none) => brtians1
I installed the Evince update on mga5-64. Tested it with cbt and cbz files. It noted cbt is not supported and displayed cbz without an issue.
Whiteboard: advisory MGA5TOO has_procedure mga6-64-ok mga6-32-ok mga5-32-ok => advisory MGA5TOO has_procedure mga6-64-ok mga6-32-ok mga5-32-ok mga5-64-ok
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2017-0244.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED