backend/comics/comics-document.c (aka the comic book backend) in GNOME Evince before 3.24.1 allows remote attackers to execute arbitrary commands via a .cbt file that is a TAR archive containing a filename beginning with a "--" command-line option substring, as demonstrated by a --checkpoint-action=exec=bash at the beginning of the filename.

This update for evince fixes the following issues: Security issue fixed :

  - CVE-2017-1000083: Remove support for tar and tar-like     commands in comics backend (bsc#1046856).

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for evince fixes the following issues :

Security issue fixed :

  - CVE-2017-1000083: Remove support for tar and tar-like     commands in comics backend (bsc#1046856).

This update was imported from the SUSE:SLE-12-SP2:Update update project.

This update for evince fixes the following issue :

  - CVE-2017-1000083: Remote attackers could have used the     comicbook mode of evince to inject shell code     (bsc#1046856).

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the version of the evince packages installed, the EulerOS installation on the remote host is affected by the following vulnerability :

  - It was found that evince did not properly sanitize the     command line which is run to untar Comic Book Tar (CBT)     files, thereby allowing command injection. A specially     crafted CBT file, when opened by evince or     evince-thumbnailer, could execute arbitrary commands in     the context of the evince program. (CVE-2017-1000083)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

An update for evince is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

The evince packages provide a simple multi-page document viewer for Portable Document Format (PDF), PostScript (PS), Encapsulated PostScript (EPS) files, and, with additional back-ends, also the Device Independent File format (DVI) files.

Security Fix(es) :

* It was found that evince did not properly sanitize the command line which is run to untar Comic Book Tar (CBT) files, thereby allowing command injection. A specially crafted CBT file, when opened by evince or evince-thumbnailer, could execute arbitrary commands in the context of the evince program. (CVE-2017-1000083)

Red Hat would like to thank Felix Wilhelm (Google Security Team) for reporting this issue.

GNOME reports :

The comic book backend in evince 3.24.0 (and earlier) is vulnerable to a command injection bug that can be used to execute arbitrary commands when a CBT file is opened.

The same vulnerability affects atril, the Evince fork.

Security Fix(es) :

  - It was found that evince did not properly sanitize the     command line which is run to untar Comic Book Tar (CBT)     files, thereby allowing command injection. A specially     crafted CBT file, when opened by evince or evince-     thumbnailer, could execute arbitrary commands in the     context of the evince program. (CVE-2017-1000083)

- CVE-2017-1000083: Evince command injection vulnerability     in CBT handler (#1468488)

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote Oracle Linux 7 host has packages installed that are affected by a vulnerability as referenced in the ELSA-2017-2388 advisory.

    [3.22.1-5.2]
    - Related: #1469528 ensure .desktop file is still valid

    [3.22.1-5.1]     + Fix arbitrary code execution via filename in tar-compressed       comics archive
    - Resolves: #1469528

Tenable has extracted the preceding description block directly from the Oracle Linux security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

This update for evince fixes the following issues :

  - CVE-2017-1000083: Remote attackers could have used the     comicbook mode of evince to inject shell code.
    (bsc#1046856, bgo#784630)

This update was imported from the SUSE:SLE-12-SP2:Update update project.

It was discovered that Atril, the MATE document viewer, made insecure use of tar when opening tar comic book archives (CBT). Opening a malicious CBT archive could result in the execution of arbitrary code.
This update disables the CBT format entirely.

This update for evince fixes the following issues :

  - CVE-2017-1000083: Remote attackers could have used the     comicbook mode of evince to inject shell code.
    (bsc#1046856, bgo#784630)

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

from the Google Security Team discovered that the Evince document viewer made insecure use of tar when opening tar comic book archives (CBT). Opening a malicious CBT archive could result in the execution of arbitrary code. This update disables the CBT format entirely.

For Debian 7 'Wheezy', these problems have been fixed in version 3.4.0-3.1+deb7u1.

We recommend that you upgrade your evince packages.

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Felix Wilhelm discovered that the Evince document viewer made insecure use of tar when opening tar comic book archives (CBT). Opening a malicious CBT archive could result in the execution of arbitrary code.
This update disables the CBT format entirely.

The remote Ubuntu 14.04 LTS / 16.04 LTS host has packages installed that are affected by a vulnerability as referenced in the USN-3351-1 advisory.

    Felix Wilhelm discovered that Evince did not safely invoke tar when handling tar comic book (cbt) files.
    An attacker could use this to construct a malicious cbt comic book format file that, when opened in     Evince, executes arbitrary code. Please note that this update disables support for cbt files in Evince.

Tenable has extracted the preceding description block directly from the Ubuntu security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
105463	SUSE SLED12 / SLES12 Security Update : evince (SUSE-SU-2017:3428-1)	Nessus	SuSE Local Security Checks	high
105456	openSUSE Security Update : evince (openSUSE-2017-1417)	Nessus	SuSE Local Security Checks	high
103111	SUSE SLED12 / SLES12 Security Update : evince (SUSE-SU-2017:2390-1)	Nessus	SuSE Local Security Checks	high
103080	EulerOS 2.0 SP2 : evince (EulerOS-SA-2017-1222)	Nessus	Huawei Local Security Checks	high
103079	EulerOS 2.0 SP1 : evince (EulerOS-SA-2017-1221)	Nessus	Huawei Local Security Checks	high
102761	CentOS 7 : evince (CESA-2017:2388)	Nessus	CentOS Local Security Checks	high
102687	FreeBSD : evince and atril -- command injection vulnerability in CBT handler (01a197ca-67f1-11e7-a266-28924a333806)	Nessus	FreeBSD Local Security Checks	high
102660	Scientific Linux Security Update : evince on SL7.x x86_64 (20170802)	Nessus	Scientific Linux Local Security Checks	high
102375	Fedora 24 : evince (2017-06c1422db8)	Nessus	Fedora Local Security Checks	high
102343	Oracle Linux 7 : evince (ELSA-2017-2388)	Nessus	Oracle Linux Local Security Checks	high
102118	RHEL 7 : evince (RHSA-2017:2388)	Nessus	Red Hat Local Security Checks	high
101968	openSUSE Security Update : evince (openSUSE-2017-834)	Nessus	SuSE Local Security Checks	high
101910	Debian DSA-3916-1 : atril - security update	Nessus	Debian Local Security Checks	high
101808	SUSE SLES12 Security Update : evince (SUSE-SU-2017:1894-1)	Nessus	SuSE Local Security Checks	high
101807	SUSE SLED12 Security Update : evince (SUSE-SU-2017:1893-1)	Nessus	SuSE Local Security Checks	high
101792	Debian DLA-1031-1 : evince security update	Nessus	Debian Local Security Checks	high
101780	Fedora 25 : evince (2017-cdead07e99)	Nessus	Fedora Local Security Checks	high
101575	Fedora 26 : evince (2017-0f75ee2f38)	Nessus	Fedora Local Security Checks	high
101556	Debian DSA-3911-1 : evince - security update	Nessus	Debian Local Security Checks	high
101545	Ubuntu 14.04 LTS / 16.04 LTS : Evince vulnerability (USN-3351-1)	Nessus	Ubuntu Local Security Checks	high

Detections

Analytics

CVE-2017-1000083

high

Tenable Plugins

high

high

high

high

high

high

high

high

high

high

high

high

high

high

high

high

high

high

high

high