Date:      Thu, 13 Jul 2017 18:22:35 +0000
From:      bugzilla-noreply@freebsd.org
To:        freebsd-ports-bugs@FreeBSD.org
Subject:   [Bug 220713] security/vuxml: Document security vulnerability in evince and atril (CVE-2017-1000083)
Message-ID:  <bug-220713-13@https.bugs.freebsd.org/bugzilla/>

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=220713

            Bug ID: 220713
           Summary: security/vuxml: Document security vulnerability in
                    evince and atril (CVE-2017-1000083)
           Product: Ports & Packages
           Version: Latest
          Hardware: Any
               URL: https://bugzilla.gnome.org/show_bug.cgi?id=784630
                OS: Any
            Status: New
          Keywords: patch, security
          Severity: Affects Some People
          Priority: ---
         Component: Individual Port(s)
          Assignee: ports-secteam@FreeBSD.org
          Reporter: vlad-fbsd@acheronmedia.com
                CC: gnome@FreeBSD.org
             Flags: maintainer-feedback?(ports-secteam@FreeBSD.org)

Created attachment 184333
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=184333&action=edit
Document CVE-2017-1000083 (evince)

The comic book backend in evince 3.24.0 (and earlier) is vulnerable to a
command injection bug that can be used to execute arbitrary commands when a cbt
file is opened.

The evince port in FreeBSD builds with Comic book archives support enabled by
default (COMICS=on).

* Upstream bug report with details:

  https://bugzilla.gnome.org/show_bug.cgi?id=784630

While the report itself only mentions version 3.24.0, the patch has been
backported to earlier versions, and Debian has issued a DSA for all its
supported versions, so I'm assuming everything up to and including 3.24.0 is
vulnerable to this:

* https://security-tracker.debian.org/tracker/CVE-2017-1000083

Also affected is graphics/atril, a fork of Evince for the MATE desktop; I'm
assuming up to and including 1.19.0:

* https://github.com/mate-desktop/atril/issues/257

Attached is a patch for vuxml.

-- 
You are receiving this mail because:
You are the assignee for the bug.