r52650 - in /desktop/unstable/evince/debian: changelog patches/comics-Remove-support-for-tar-and-tar-like-commands.patch patches/series

bigon at users.alioth.debian.org bigon at users.alioth.debian.org
Thu Jul 13 13:46:47 UTC 2017


Author: bigon
Date: Thu Jul 13 13:46:47 2017
New Revision: 52650

URL: http://svn.debian.org/wsvn/pkg-gnome/?sc=1&rev=52650
Log:
d/p/comics-Remove-support-for-tar-and-tar-like-commands.patch: 
Fix a possible command injection vulnerability in the CBT handler; the patch
removes handling of the CBT file format completely, so unrar, unzip or 7z is
now required to open cbr, cbz or cb7 files (CVE-2017-1000083)
Discovered by Felix Wilhelm from the Google Security Team.

Added:
    desktop/unstable/evince/debian/patches/comics-Remove-support-for-tar-and-tar-like-commands.patch
Modified:
    desktop/unstable/evince/debian/changelog
    desktop/unstable/evince/debian/patches/series

Modified: desktop/unstable/evince/debian/changelog
URL: http://svn.debian.org/wsvn/pkg-gnome/desktop/unstable/evince/debian/changelog?rev=52650&op=diff
==============================================================================
--- desktop/unstable/evince/debian/changelog	[utf-8] (original)
+++ desktop/unstable/evince/debian/changelog	[utf-8] Thu Jul 13 13:46:47 2017
@@ -1,3 +1,13 @@
+evince (3.22.1-4) UNRELEASED; urgency=high
+
+  * d/p/comics-Remove-support-for-tar-and-tar-like-commands.patch: 
+    Fix possible command injection vulnerability in CBT handler, this patch
+    removes handling of the CBT file format completely and now requires unrar,
+    unzip or 7z to open cbr, cbz or cb7 files (CVE-2017-1000083)
+    Discovered by Felix Wilhelm from the Google Security Team.
+
+ -- Laurent Bigonville <bigon at debian.org>  Thu, 13 Jul 2017 15:40:07 +0200
+
 evince (3.22.1-3) unstable; urgency=medium
 
   * Update AppArmor policy to support merged-/usr systems. (Closes: #846966)

Added: desktop/unstable/evince/debian/patches/comics-Remove-support-for-tar-and-tar-like-commands.patch
URL: http://svn.debian.org/wsvn/pkg-gnome/desktop/unstable/evince/debian/patches/comics-Remove-support-for-tar-and-tar-like-commands.patch?rev=52650&op=file
==============================================================================
--- desktop/unstable/evince/debian/patches/comics-Remove-support-for-tar-and-tar-like-commands.patch	(added)
+++ desktop/unstable/evince/debian/patches/comics-Remove-support-for-tar-and-tar-like-commands.patch	[utf-8] Thu Jul 13 13:46:47 2017
@@ -0,0 +1,131 @@
+From fa072dbbfd964e85b4a54f8e34751cf62c77d0ea Mon Sep 17 00:00:00 2001
+From: Bastien Nocera <hadess at hadess.net>
+Date: Thu, 6 Jul 2017 20:02:00 +0200
+Subject: comics: Remove support for tar and tar-like commands
+
+When handling tar files, or using a command with tar-compatible syntax,
+to open comic-book archives, both the archive name (the name of the
+comics file) and the filename (the name of a page within the archive)
+are quoted to not be interpreted by the shell.
+
+But the filename is completely with the attacker's control and can start
+with "--" which leads to tar interpreting it as a command line flag.
+
+This can be exploited by creating a CBT file (a tar archive with the
+.cbt suffix) with an embedded file named something like this:
+"--checkpoint-action=exec=bash -c 'touch ~/hacked;'.jpg"
+
+CBT files are infinitely rare (CBZ is usually used for DRM-free
+commercial releases, CBR for those from more dubious provenance), so
+removing support is the easiest way to avoid the bug triggering. All
+this code was rewritten in the development release for GNOME 3.26 to not
+shell out to any command, closing off this particular attack vector.
+
+This also removes the ability to use libarchive's bsdtar-compatible
+binary for CBZ (ZIP), CB7 (7zip), and CBR (RAR) formats. The first two
+are already supported by unzip and 7zip respectively. libarchive's RAR
+support is limited, so unrar is a requirement anyway.
+
+Discovered by Felix Wilhelm from the Google Security Team.
+
+https://bugzilla.gnome.org/show_bug.cgi?id=784630
+---
+ backend/comics/comics-document.c | 40 +---------------------------------------
+ configure.ac                     |  2 +-
+ 2 files changed, 2 insertions(+), 40 deletions(-)
+
+diff --git a/backend/comics/comics-document.c b/backend/comics/comics-document.c
+index 96ed26e..3af119a 100644
+--- a/backend/comics/comics-document.c
++++ b/backend/comics/comics-document.c
+@@ -56,8 +56,7 @@ typedef enum
+ 	RARLABS,
+ 	GNAUNRAR,
+ 	UNZIP,
+-	P7ZIP,
+-	TAR
++	P7ZIP
+ } ComicBookDecompressType;
+ 
+ typedef struct _ComicsDocumentClass ComicsDocumentClass;
+@@ -117,9 +116,6 @@ static const ComicBookDecompressCommand command_usage_def[] = {
+ 
+         /* 7zip */
+ 	{NULL               , "%s l -- %s"     , "%s x -y %s -o%s", FALSE, OFFSET_7Z},
+-
+-        /* tar */
+-	{"%s -xOf"          , "%s -tf %s"      , NULL             , FALSE, NO_OFFSET}
+ };
+ 
+ static GSList*    get_supported_image_extensions (void);
+@@ -364,13 +360,6 @@ comics_check_decompress_command	(gchar          *mime_type,
+ 			comics_document->command_usage = GNAUNRAR;
+ 			return TRUE;
+ 		}
+-		comics_document->selected_command =
+-				g_find_program_in_path ("bsdtar");
+-		if (comics_document->selected_command) {
+-			comics_document->command_usage = TAR;
+-			return TRUE;
+-		}
+-
+ 	} else if (g_content_type_is_a (mime_type, "application/x-cbz") ||
+ 		   g_content_type_is_a (mime_type, "application/zip")) {
+ 		/* InfoZIP's unzip program */
+@@ -396,12 +385,6 @@ comics_check_decompress_command	(gchar          *mime_type,
+ 			comics_document->command_usage = P7ZIP;
+ 			return TRUE;
+ 		}
+-		comics_document->selected_command =
+-				g_find_program_in_path ("bsdtar");
+-		if (comics_document->selected_command) {
+-			comics_document->command_usage = TAR;
+-			return TRUE;
+-		}
+ 
+ 	} else if (g_content_type_is_a (mime_type, "application/x-cb7") ||
+ 		   g_content_type_is_a (mime_type, "application/x-7z-compressed")) {
+@@ -425,27 +408,6 @@ comics_check_decompress_command	(gchar          *mime_type,
+ 			comics_document->command_usage = P7ZIP;
+ 			return TRUE;
+ 		}
+-		comics_document->selected_command =
+-				g_find_program_in_path ("bsdtar");
+-		if (comics_document->selected_command) {
+-			comics_document->command_usage = TAR;
+-			return TRUE;
+-		}
+-	} else if (g_content_type_is_a (mime_type, "application/x-cbt") ||
+-		   g_content_type_is_a (mime_type, "application/x-tar")) {
+-		/* tar utility (Tape ARchive) */
+-		comics_document->selected_command =
+-				g_find_program_in_path ("tar");
+-		if (comics_document->selected_command) {
+-			comics_document->command_usage = TAR;
+-			return TRUE;
+-		}
+-		comics_document->selected_command =
+-				g_find_program_in_path ("bsdtar");
+-		if (comics_document->selected_command) {
+-			comics_document->command_usage = TAR;
+-			return TRUE;
+-		}
+ 	} else {
+ 		g_set_error (error,
+ 			     EV_DOCUMENT_ERROR,
+diff --git a/configure.ac b/configure.ac
+index 36e866a..26a1a7d 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -795,7 +795,7 @@ AC_SUBST(TIFF_MIME_TYPES)
+ AC_SUBST(APPDATA_TIFF_MIME_TYPES)
+ AM_SUBST_NOTMAKE(APPDATA_TIFF_MIME_TYPES)
+ if test "x$enable_comics" = "xyes"; then
+-        COMICS_MIME_TYPES="application/x-cbr;application/x-cbz;application/x-cb7;application/x-cbt;application/x-ext-cbr;application/x-ext-cbz;application/vnd.comicbook+zip;application/x-ext-cb7;application/x-ext-cbt"
++        COMICS_MIME_TYPES="application/x-cbr;application/x-cbz;application/x-cb7;application/x-ext-cbr;application/x-ext-cbz;application/vnd.comicbook+zip;application/x-ext-cb7;"
+         APPDATA_COMICS_MIME_TYPES=$(echo "<mimetype>$COMICS_MIME_TYPES</mimetype>" | sed -e 's/;/<\/mimetype>\n    <mimetype>/g')
+         if test -z "$EVINCE_MIME_TYPES"; then
+            EVINCE_MIME_TYPES="${COMICS_MIME_TYPES}"
+-- 
+cgit v0.12
+
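Review bot: The trailing `;` left at the end of COMICS_MIME_TYPES on the new configure.ac line (`...application/x-ext-cb7;"`) is turned by the sed on the next line into an empty `<mimetype></mimetype>` element in APPDATA_COMICS_MIME_TYPES, and likely into a stray separator wherever the list is concatenated later; drop it: `COMICS_MIME_TYPES="application/x-cbr;application/x-cbz;application/x-cb7;application/x-ext-cbr;application/x-ext-cbz;application/vnd.comicbook+zip;application/x-ext-cb7"`. On the security side this is a removal rather than a hardening: the remaining unrar/unzip/7z paths still build a shell command from page filenames taken out of the archive, and only the 7z list template `"%s l -- %s"` visibly carries an end-of-options `--` while the extract template `"%s x -y %s -o%s"` does not, so anyone backporting this should check each remaining tool's handling of filenames beginning with `-` rather than assume shell quoting alone is sufficient. comics_check_decompress_command begins and ends outside the hunks shown, so the surviving branches could not be reviewed in full here.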

Modified: desktop/unstable/evince/debian/patches/series
URL: http://svn.debian.org/wsvn/pkg-gnome/desktop/unstable/evince/debian/patches/series?rev=52650&op=diff
==============================================================================
--- desktop/unstable/evince/debian/patches/series	[utf-8] (original)
+++ desktop/unstable/evince/debian/patches/series	[utf-8] Thu Jul 13 13:46:47 2017
@@ -1 +1,2 @@
 01_nautilus_extension_path.patch
+comics-Remove-support-for-tar-and-tar-like-commands.patch



