Date: Fri, 14 Jul 2017 18:14:53 -0700
From: Seth Arnold <seth.arnold@...onical.com>
To: oss-security@...ts.openwall.com
Subject: Re: CVE-2017-1000083: evince: Command injection vulnerability in CBT handler

On Fri, Jul 14, 2017 at 07:27:53PM -0500, Brandon Perry wrote:
> > On Jul 13, 2017, at 10:43 AM, Johannes Segitz <jsegitz@...e.de> wrote:
> > This can be exploited by creating a tar archive with an embedded file
> > named something like this:
> > "--checkpoint-action=exec=bash -c 'touch ~/covfefe.evince;'.jpg"
> > 
> > (Make sure evince is not sandboxed by apparmor before trying to reproduce
> > the attached POC)
> 
> Not sure if the list ate the attachment, but I don’t see it available.
> Perhaps a link to it somewhere else would be of use?

The attachment didn't make it through to the distros list either. When I
was testing just the tar portion of this, I skipped the / character in the
filename and added a 10MB zeroed file (truncate -s 10MB huge) to make sure
the checkpoint program gets run.

Thanks
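
Added example, not part of the original message or of evince's code: a defender-side check that lists archive member names a command-line tool would parse as options, plus an extraction argv that puts `--` before the member name so GNU tar treats it as a file name. The function names, the sample member names and the `tar -xOf` invocation are assumptions made for illustration.

```python
import io
import tarfile

# Constructed sample member names; the option-like ones are harmless.
SAMPLE_NAMES = ["page01.jpg", "--example-option=value.jpg", "-x.png"]


def build_sample_archive(names):
    """Build an in-memory tar with empty members (constructed test input)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name in names:
            info = tarfile.TarInfo(name=name)
            info.size = 0
            tar.addfile(info, io.BytesIO(b""))
    return buf.getvalue()


def option_like_members(archive_bytes):
    """Return member names that start with '-'.

    Passed as a bare argument, such a name is read by the tool's option
    parser instead of being treated as a file to extract.
    """
    flagged = []
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r:") as tar:
        for info in tar:
            if info.name.startswith("-"):
                flagged.append(info.name)
    return flagged


def safe_extract_argv(archive_path, member):
    """Build an argv list (no shell) that writes one member to stdout.

    '--' ends option parsing, so everything after it is a member name.
    'tar -xOf' is an assumed invocation, not taken from the thread.
    """
    return ["tar", "-xOf", archive_path, "--", member]


if __name__ == "__main__":
    archive = build_sample_archive(SAMPLE_NAMES)
    for name in option_like_members(archive):
        print("option-like member name:", repr(name))
        print("  safe argv:", safe_extract_argv("book.cbt", name))
```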
