Bug 21326 - atril new security issue CVE-2017-1000083
Summary: atril new security issue CVE-2017-1000083
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 6
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA5TOO MGA6-32-OK MGA5-64-OK advisory
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2017-07-22 22:43 CEST by David Walser
Modified: 2017-08-08 22:25 CEST

See Also:
Source RPM: atril-1.18.0-1.mga6.src.rpm
CVE:
Status comment:


Description David Walser 2017-07-22 22:43:40 CEST
Debian has issued an advisory on July 21:
https://www.debian.org/security/2017/dsa-3916

Mageia 5 and Mageia 6 are also affected.
David Walser 2017-07-22 22:43:47 CEST

Whiteboard: (none) => MGA6TOO, MGA5TOO

Comment 1 Nicolas Lécureuil 2017-07-27 01:15:39 CEST
Fixed in cauldron svn too.

src.rpm: atril-1.18.0-1.1.mga6

Version: Cauldron => 6
Assignee: tarakbumba => qa-bugs
CC: (none) => mageia
Whiteboard: MGA6TOO, MGA5TOO => MGA5TOO

Comment 2 Nicolas Lécureuil 2017-07-27 01:34:24 CEST
Fix pushed for mga5 too:

src.rpm: atril-1.8.1-3.1.mga5
Comment 3 David Walser 2017-07-27 02:02:34 CEST
Advisory:
========================

Updated atril packages fix security vulnerability:

It was discovered that Atril made insecure use of tar when opening tar comic
book archives (CBT). Opening a malicious CBT archive could result in the
execution of arbitrary code. This update disables the CBT format entirely
(CVE-2017-1000083).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000083
https://www.debian.org/security/2017/dsa-3916
========================

Updated packages in core/updates_testing:
========================
atril-1.8.1-3.1.mga5
atril-dvi-1.8.1-3.1.mga5
libatril3-1.8.1-3.1.mga5
libatril-gir1.5.0-1.8.1-3.1.mga5
libatril-devel-1.8.1-3.1.mga5
atril-1.18.0-1.1.mga6
atril-dvi-1.18.0-1.1.mga6
libatril3-1.18.0-1.1.mga6
libatril-gir1.5.0-1.18.0-1.1.mga6
libatril-devel-1.18.0-1.1.mga6

from SRPMS:
atril-1.8.1-3.1.mga5.src.rpm
atril-1.18.0-1.1.mga6.src.rpm
Comment 4 Herman Viaene 2017-08-02 14:27:55 CEST
MGA6-32 on Asus A6000VM MATE
No installation issues.
Checked a few pdf files, one 32 pages with pictures in, all OK.

Whiteboard: MGA5TOO => MGA5TOO MGA6-32-OK
CC: (none) => herman.viaene

Comment 5 Lewis Smith 2017-08-08 21:31:12 CEST
Testing Mageia 5 64-bit

BEFORE update:
 atril-1.8.1-3.mga5
 lib64atril3-1.8.1-3.mga5
 atril-dvi-1.8.1-3.mga5
Known to work. I tried renaming a .pdf file to .cbt, but that displayed correctly as if PDF.
AFTER update:
 atril-1.8.1-3.1.mga5
 atril-dvi-1.8.1-3.1.mga5
 lib64atril3-1.8.1-3.1.mga5
Viewed local PDF files, also a DVI one, OK. The false .cbt file again displayed as the PDF document it really was.

Looking at library usage:
 $ strace 2>&1 atril 150528.pdf | grep libatril
 open("/lib64/libatrildocument.so.3", O_RDONLY|O_CLOEXEC) = 3
 open("/lib64/libatrilview.so.3", O_RDONLY|O_CLOEXEC) = 3
but for DVI:
 $ atril splash.dvi
 open("/lib64/libatrildocument.so.3", O_RDONLY|O_CLOEXEC) = 3
 open("/lib64/libatrilview.so.3", O_RDONLY|O_CLOEXEC) = 3
 open("/usr/lib64/atril/3/backends/dvidocument.atril-backend", O_RDONLY) = 7

Validating this as it has 1 of each M5/M6 and 32/64 bit; advisory to follow.

Keywords: (none) => validated_update
Whiteboard: MGA5TOO MGA6-32-OK => MGA5TOO MGA6-32-OK MGA5-64-OK
CC: (none) => lewyssmith, sysadmin-bugs

Comment 6 Lewis Smith 2017-08-08 21:39:50 CEST
Advisory uploaded, from Comment 3.

Whiteboard: MGA5TOO MGA6-32-OK MGA5-64-OK => MGA5TOO MGA6-32-OK MGA5-64-OK advisory

Comment 7 Mageia Robot 2017-08-08 22:25:25 CEST
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2017-0251.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

