Date: Fri, 14 Jul 2017 18:14:53 -0700
From: Seth Arnold <seth.arnold@...onical.com>
To: oss-security@...ts.openwall.com
Subject: Re: CVE-2017-1000083: evince: Command injection vulnerability in CBT handler

On Fri, Jul 14, 2017 at 07:27:53PM -0500, Brandon Perry wrote:
>
> On Jul 13, 2017, at 10:43 AM, Johannes Segitz <jsegitz@...e.de> wrote:
> > This can be exploited by creating a tar archive with an embedded file
> > named something
> > like this: "--checkpoint-action=exec=bash -c 'touch ~/covfefe.evince;'.jpg"
> >
> > (Make sure evince is not sandboxed by apparmor before trying to reproduce
> > the attached POC)
>
> Not sure if the list ate the attachment, but I don’t see it available.
> Perhaps a link to it somewhere else would be of use?

The attachment didn't make it through to the distros list either.

When I was testing just the tar portion of this, I skipped the / character
in the filename and added a 10MB zeroed file (truncate -s 10MB huge) to
make sure the checkpoint program gets run.

Thanks
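
A defensive check for the filename issue discussed in this thread, as an added example that is not part of the original message or of evince's code: it lists archive members whose names begin with `-` and builds a tar argument vector that ends option parsing with `--` before the member name. The function names and the in-memory sample archive are constructed for illustration.

```python
import io
import tarfile


def build_sample_archive():
    """Build a small in-memory tar archive (constructed sample data, harmless names)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name in ("page01.jpg", "--looks-like-an-option.jpg", "art/-cover.jpg"):
            data = b"constructed sample"
            info = tarfile.TarInfo(name=name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def option_like_members(archive_bytes):
    """Return member names that tar would parse as options if passed bare on argv.

    Only the first character of the full member path matters: "art/-cover.jpg"
    reaches tar as one argument starting with "a", so it is not flagged.
    """
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r") as tar:
        return [m.name for m in tar.getmembers() if m.name.startswith("-")]


def safe_extract_argv(archive_path, member):
    """Build an argv list (no shell involved) for extracting one member to stdout.

    The "--" marks the end of options, so a member name such as
    "--looks-like-an-option.jpg" is treated as a file name, not as a tar option.
    """
    return ["tar", "-xOf", archive_path, "--", member]


if __name__ == "__main__":
    sample = build_sample_archive()
    for name in option_like_members(sample):
        print("option-like member name:", repr(name))
        # comic.cbt is a hypothetical path used only to show the argv shape
        print("safe argv:", safe_extract_argv("comic.cbt", name))
```

Passing the list from `safe_extract_argv` to `subprocess.run` without `shell=True` keeps both the shell and tar's option parser away from the member name.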