Debian has issued an advisory on July 21:
https://www.debian.org/security/2017/dsa-3916

Mageia 5 and Mageia 6 are also affected.
Whiteboard: (none) => MGA6TOO, MGA5TOO
Fixed in cauldron svn too. src.rpm: atril-1.18.0-1.1.mga6
Version: Cauldron => 6
Assignee: tarakbumba => qa-bugs
CC: (none) => mageia
Whiteboard: MGA6TOO, MGA5TOO => MGA5TOO
fix pushed for mga5 too: src.rpm: atril-1.8.1-3.1.mga5
Advisory:
========================

Updated atril packages fix security vulnerability:

It was discovered that Atril made insecure use of tar when opening tar comic book archives (CBT). Opening a malicious CBT archive could result in the execution of arbitrary code. This update disables the CBT format entirely (CVE-2017-1000083).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000083
https://www.debian.org/security/2017/dsa-3916
========================

Updated packages in core/updates_testing:
========================
atril-1.8.1-3.1.mga5
atril-dvi-1.8.1-3.1.mga5
libatril3-1.8.1-3.1.mga5
libatril-gir1.5.0-1.8.1-3.1.mga5
libatril-devel-1.8.1-3.1.mga5
atril-1.18.0-1.1.mga6
atril-dvi-1.18.0-1.1.mga6
libatril3-1.18.0-1.1.mga6
libatril-gir1.5.0-1.18.0-1.1.mga6
libatril-devel-1.18.0-1.1.mga6

from SRPMS:
atril-1.8.1-3.1.mga5.src.rpm
atril-1.18.0-1.1.mga6.src.rpm
MGA6-32 on Asus A6000VM MATE
No installation issues.
Checked a few pdf files, one 32 pages with pictures in, all OK.
Whiteboard: MGA5TOO => MGA5TOO MGA6-32-OK
CC: (none) => herman.viaene
Testing Mageia 5 64-bit

BEFORE update:
atril-1.8.1-3.mga5
lib64atril3-1.8.1-3.mga5
atril-dvi-1.8.1-3.mga5
Known to work. I tried renaming a .pdf file to .cbt, but that displayed correctly as if PDF.

AFTER update:
atril-1.8.1-3.1.mga5
atril-dvi-1.8.1-3.1.mga5
lib64atril3-1.8.1-3.1.mga5
Viewed local PDF files, also a DVI one, OK. The false .cbt file again displayed as the PDF document it really was.

Looking at library usage:
$ strace 2>&1 atril 150528.pdf | grep libatril
open("/lib64/libatrildocument.so.3", O_RDONLY|O_CLOEXEC) = 3
open("/lib64/libatrilview.so.3", O_RDONLY|O_CLOEXEC) = 3
but for DVI:
$ atril splash.dvi
open("/lib64/libatrildocument.so.3", O_RDONLY|O_CLOEXEC) = 3
open("/lib64/libatrilview.so.3", O_RDONLY|O_CLOEXEC) = 3
open("/usr/lib64/atril/3/backends/dvidocument.atril-backend", O_RDONLY) = 7

Validating this as it has 1 of each M5/M6 and 32/64 bit; advisory to follow.
Keywords: (none) => validated_update
Whiteboard: MGA5TOO MGA6-32-OK => MGA5TOO MGA6-32-OK MGA5-64-OK
CC: (none) => lewyssmith, sysadmin-bugs
Advisory uploaded, from Comment 3.
Whiteboard: MGA5TOO MGA6-32-OK MGA5-64-OK => MGA5TOO MGA6-32-OK MGA5-64-OK advisory
An update for this issue has been pushed to the Mageia Updates repository.
http://advisories.mageia.org/MGASA-2017-0251.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED