Resolves: rhbz#1521211 CVE-2017-1000159

2017-12-06 14:29:19 +00:00 · 2017-12-06 14:29:19 +00:00 · 2c898301c1
commit 2c898301c1
parent 498f81749a
2 changed files with 48 additions and 1 deletions
--- a/0001-dvi-Mitigate-command-injection-attacks-by-quoting-fi.patch
+++ b/0001-dvi-Mitigate-command-injection-attacks-by-quoting-fi.patch
@ -0,0 +1,42 @@
+From 350404c76dc8601e2cdd2636490e2afc83d3090e Mon Sep 17 00:00:00 2001
+From: Tobias Mueller <muelli@cryptobitch.de>
+Date: Fri, 14 Jul 2017 12:52:14 +0200
+Subject: [PATCH] dvi: Mitigate command injection attacks by quoting filename
+
+With commit 1fcca0b8041de0d6074d7e17fba174da36c65f99 came a DVI backend.
+It exports to PDF via the dvipdfm tool.
+It calls that tool with the filename of the currently loaded document.
+If that filename is cleverly crafted, it can escape the currently
+used manual quoting of the filename.  Instead of manually quoting the
+filename, we use g_shell_quote.
+
+https://bugzilla.gnome.org/show_bug.cgi?id=784947
+---
+ backend/dvi/dvi-document.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/backend/dvi/dvi-document.c b/backend/dvi/dvi-document.c
+index 4a896e2..2887770 100644
+--- a/backend/dvi/dvi-document.c
+++ b/backend/dvi/dvi-document.c
+@@ -300,12 +300,14 @@ dvi_document_file_exporter_end (EvFileExporter *exporter)
+ 	gboolean success;
+ 	
+ 	DviDocument *dvi_document = DVI_DOCUMENT(exporter);
+	gchar* quoted_filename = g_shell_quote (dvi_document->context->filename);
+ 	
+-	command_line = g_strdup_printf ("dvipdfm %s -o %s \"%s\"", /* dvipdfm -s 1,2,.., -o exporter_filename dvi_filename */
+	command_line = g_strdup_printf ("dvipdfm %s -o %s %s", /* dvipdfm -s 1,2,.., -o exporter_filename dvi_filename */
+ 					dvi_document->exporter_opts->str,
+ 					dvi_document->exporter_filename,
+-					dvi_document->context->filename);
+-	
+					quoted_filename);
+	g_free (quoted_filename);
+
+ 	success = g_spawn_command_line_sync (command_line,
+ 					     NULL,
+ 					     NULL,
+-- 
+2.9.5
+
--- a/evince.spec
+++ b/evince.spec
@ -5,7 +5,7 @@

 Name:           evince
 Version:        3.22.1
-Release:        6%{?dist}
+Release:        7%{?dist}
 Summary:        Document viewer

 License:        GPLv2+ and GPLv3+ and LGPLv2+ and MIT and Afmparse
@ -18,6 +18,8 @@ Patch2:         0001-Resolves-rhbz-1404656-crash-on-opening-second-evince.patch
 Patch3:         0001-sidebar-thumbnails-fix-clunky-scrolling.patch
 # https://bugzilla.redhat.com/show_bug.cgi?id=1468488
 Patch4:         0001-comics-Remove-support-for-tar-and-tar-like-commands.patch
+#https://bugzilla.gnome.org/show_bug.cgi?id=784947
+Patch5:         0001-dvi-Mitigate-command-injection-attacks-by-quoting-fi.patch

 BuildRequires:  pkgconfig(adwaita-icon-theme)
 BuildRequires:  pkgconfig(gio-unix-2.0) >= %{glib2_version}
@ -260,6 +262,9 @@ glib-compile-schemas %{_datadir}/glib-2.0/schemas >&/dev/null ||:
 %{_libdir}/mozilla/plugins/libevbrowserplugin.so

 %changelog
+* Wed Dec 06 2017 Caolán McNamara <caolanm@redhat.com> - 3.22.1-7
+- Resolves: rhbz#1521211 CVE-2017-1000159
+
 * Mon Jul 17 2017 Michael Stahl <mstahl@redhat.com> - 3.22.1-6
 - Resolves: rhbz#1471474 "" is an invalid MIME type