Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Fri, 14 Jul 2017 18:14:53 -0700
From: Seth Arnold <seth.arnold@...onical.com>
To: oss-security@...ts.openwall.com
Subject: Re: CVE-2017-1000083: evince: Command injection
 vulnerability in CBT handler

On Fri, Jul 14, 2017 at 07:27:53PM -0500, Brandon Perry wrote:
> > On Jul 13, 2017, at 10:43 AM, Johannes Segitz <jsegitz@...e.de> wrote:
> > This can be exploited by creating a tar archive with an embedded file
> > named something
> > like this: "--checkpoint-action=exec=bash -c 'touch ~/covfefe.evince;'.jpg"
> > 
> > (Make sure evince is not sandboxed by apparmor before trying to reproduce
> > the attached POC)
> 
> Not sure if the list ate the attachment, but I don’t see it available.
> Perhaps a link to it somewhere else would be of use?

The attachment didn't make it through to the distros list either. When I
was testing just the tar portion of this, I skipped the / character in the
filename and added a 10MB zeroed file (truncate -s 10MB huge) to make sure
the checkpoint program gets run.

Thanks

Download attachment "signature.asc" of type "application/pgp-signature" (474 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.