Описание
backend/comics/comics-document.c (aka the comic book backend) in GNOME Evince before 3.24.1 allows remote attackers to execute arbitrary commands via a .cbt file that is a TAR archive containing a filename beginning with a "--" command-line option substring, as demonstrated by a --checkpoint-action=exec=bash at the beginning of the filename.
It was found that evince did not properly sanitize the command line which is run to untar Comic Book Tar (CBT) files, thereby allowing command injection. A specially crafted CBT file, when opened by evince or evince-thumbnailer, could execute arbitrary commands in the context of the evince program.
Меры по смягчению последствий
- Disabling evince-thumbnailer to render icons will reduce the attack surface (removing /usr/share/thumbnailers/evince.thumbnailer).
- SELinux in enforcing mode partially restricts evince-thumbnailer
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Red Hat Enterprise Linux 5 | evince | Not affected | ||
| Red Hat Enterprise Linux 6 | evince | Not affected | ||
| Red Hat Enterprise Linux 7 | evince | Fixed | RHSA-2017:2388 | 01.08.2017 |
Показывать по
Дополнительная информация
Статус:
7.1 High
CVSS3
Связанные уязвимости
backend/comics/comics-document.c (aka the comic book backend) in GNOME Evince before 3.24.1 allows remote attackers to execute arbitrary commands via a .cbt file that is a TAR archive containing a filename beginning with a "--" command-line option substring, as demonstrated by a --checkpoint-action=exec=bash at the beginning of the filename.
backend/comics/comics-document.c (aka the comic book backend) in GNOME Evince before 3.24.1 allows remote attackers to execute arbitrary commands via a .cbt file that is a TAR archive containing a filename beginning with a "--" command-line option substring, as demonstrated by a --checkpoint-action=exec=bash at the beginning of the filename.
backend/comics/comics-document.c (aka the comic book backend) in GNOME ...
7.1 High
CVSS3