Date: Tue, 22 Aug 2017 18:22:06 +0000 (UTC)
From: Steve Wills <swills@FreeBSD.org>
To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org
Subject: svn commit: r448575 - head/security/vuxml
Message-ID: <201708221822.v7MIM61e037023@repo.freebsd.org>
Author: swills Date: Tue Aug 22 18:22:05 2017 New Revision: 448575 URL: https://svnweb.freebsd.org/changeset/ports/448575 Log: Document security vulnerability in evince and atril PR: 220713 Submitted by: Vladimir Krstulja <vlad-fbsd@acheronmedia.com> Modified: head/security/vuxml/vuln.xml Modified: head/security/vuxml/vuln.xml ============================================================================== --- head/security/vuxml/vuln.xml Tue Aug 22 17:42:39 2017 (r448574) +++ head/security/vuxml/vuln.xml Tue Aug 22 18:22:05 2017 (r448575) 
@@ -58,6 +58,46 @@ Notes: * Do not forget port variants (linux-f10-libxml2, libxml2, etc.) --> <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1"> + <vuln vid="01a197ca-67f1-11e7-a266-28924a333806"> + <topic>evince and atril -- command injection vulnerability in CBT handler</topic> + <affects> + <package> + <name>evince</name> + <range><le>3.24.0</le></range> + </package> + <package> + <name>evince-lite</name> + <range><le>3.24.0</le></range> + </package> + <package> + <name>atril</name> + <range><le>1.19.0</le></range> + </package> + <package> + <name>atril-lite</name> + <range><le>1.19.0</le></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>GNOME reports:</p> + <blockquote cite="https://bugzilla.gnome.org/show_bug.cgi?id=784630"> + <p>The comic book backend in evince 3.24.0 (and earlier) is vulnerable to a command injection bug that can be used to execute arbitrary commands when a CBT file is opened.</p> + <p>The same vulnerabilty affects atril, the Evince fork.</p> + </blockquote> + </body> + </description> + <references> + <url>https://bugzilla.gnome.org/show_bug.cgi?id=784630</url> + <url>https://github.com/mate-desktop/atril/issues/257</url> + <cvename>CVE-2017-1000083</cvename> + </references> + <dates> + <discovery>2017-07-06</discovery> + <entry>2017-07-13</entry> + </dates> + </vuln> + <vuln vid="e1de77e8-c45e-48d7-8866-5a6f943046de"> <topic>SquirrelMail -- post-authentication remote code execution</topic> <affects>
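Review bot: The `<entry>2017-07-13</entry>` value in `<dates>` predates this commit (2017-08-22). The entry date records when the entry was added to vuln.xml, so it should read 2017-08-22, otherwise tools that report recently added entries will place this one a month in the past. In `<affects>`, the atril and atril-lite ranges use `<le>1.19.0</le>`, but the quoted text only gives a version for evince ("3.24.0 (and earlier)"); please note where the atril bound comes from, for example the referenced atril issue. All four ranges are `<le>` bounds on an upstream version, so a port that fixes the bug with a patch and a PORTREVISION bump is already outside the range at 3.24.0_1, while an unfixed port with a bumped revision would no longer be flagged; an `<lt>` bound on the first fixed package version is more robust if that version is known. Minor: "vulnerabilty" in the second blockquote paragraph is misspelled; correct it unless it is verbatim from the cited report.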