diff --git a/0001-dvi-Mitigate-command-injection-attacks-by-quoting-fi.patch b/0001-dvi-Mitigate-command-injection-attacks-by-quoting-fi.patch
new file mode 100644
index 0000000..486a665
--- /dev/null
+++ b/0001-dvi-Mitigate-command-injection-attacks-by-quoting-fi.patch
@@ -0,0 +1,42 @@
+From 350404c76dc8601e2cdd2636490e2afc83d3090e Mon Sep 17 00:00:00 2001
+From: Tobias Mueller
+Date: Fri, 14 Jul 2017 12:52:14 +0200
+Subject: [PATCH] dvi: Mitigate command injection attacks by quoting filename
+
+With commit 1fcca0b8041de0d6074d7e17fba174da36c65f99 came a DVI backend.
+It exports to PDF via the dvipdfm tool.
+It calls that tool with the filename of the currently loaded document.
+If that filename is cleverly crafted, it can escape the currently
+used manual quoting of the filename. Instead of manually quoting the
+filename, we use g_shell_quote.
+
+https://bugzilla.gnome.org/show_bug.cgi?id=784947
+---
+ backend/dvi/dvi-document.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/backend/dvi/dvi-document.c b/backend/dvi/dvi-document.c
+index 4a896e2..2887770 100644
+--- a/backend/dvi/dvi-document.c
++++ b/backend/dvi/dvi-document.c
+@@ -300,12 +300,14 @@ dvi_document_file_exporter_end (EvFileExporter *exporter)
+ gboolean success;
+
+ DviDocument *dvi_document = DVI_DOCUMENT(exporter);
++ gchar* quoted_filename = g_shell_quote (dvi_document->context->filename);
+
+- command_line = g_strdup_printf ("dvipdfm %s -o %s \"%s\"", /* dvipdfm -s 1,2,.., -o exporter_filename dvi_filename */
++ command_line = g_strdup_printf ("dvipdfm %s -o %s %s", /* dvipdfm -s 1,2,.., -o exporter_filename dvi_filename */
+ dvi_document->exporter_opts->str,
+ dvi_document->exporter_filename,
+- dvi_document->context->filename);
+-
++ quoted_filename);
++ g_free (quoted_filename);
++
+ success = g_spawn_command_line_sync (command_line,
+ NULL,
+ NULL,
+--
+2.9.5
+
diff --git a/evince.spec b/evince.spec
index bb753c3..884a6fa 100644
--- a/evince.spec
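Review bot: Inside the carried patch, `dvi_document->exporter_filename` is still interpolated unquoted into the command line handed to `g_spawn_command_line_sync` (the `-o %s` argument), so only one of the two path arguments receives the `g_shell_quote` treatment; an export destination containing whitespace or shell metacharacters still breaks the command or is re-parsed by the shell. Quote it the same way: `gchar *quoted_output = g_shell_quote (dvi_document->exporter_filename);`, pass `quoted_output` in place of `dvi_document->exporter_filename`, and add `g_free (quoted_output);` next to the existing `g_free (quoted_filename);`. The more robust option is to build an argv array and call `g_spawn_sync`, which avoids the shell entirely and makes quoting unnecessary for every argument, including `exporter_opts->str`. The enclosing `dvi_document_file_exporter_end` starts before the inner `@@ -300` hunk and continues past it, so where `command_line` is freed is not visible here.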
+++ b/evince.spec
@@ -5,7 +5,7 @@
 Name: evince
 Version: 3.22.1
-Release: 6%{?dist}
+Release: 7%{?dist}
 Summary: Document viewer
 License: GPLv2+ and GPLv3+ and LGPLv2+ and MIT and Afmparse
@@ -18,6 +18,8 @@ Patch2: 0001-Resolves-rhbz-1404656-crash-on-opening-second-evince.patch
 Patch3: 0001-sidebar-thumbnails-fix-clunky-scrolling.patch
 # https://bugzilla.redhat.com/show_bug.cgi?id=1468488
 Patch4: 0001-comics-Remove-support-for-tar-and-tar-like-commands.patch
+#https://bugzilla.gnome.org/show_bug.cgi?id=784947
+Patch5: 0001-dvi-Mitigate-command-injection-attacks-by-quoting-fi.patch
 BuildRequires: pkgconfig(adwaita-icon-theme)
 BuildRequires: pkgconfig(gio-unix-2.0) >= %{glib2_version}
@@ -260,6 +262,9 @@ glib-compile-schemas %{_datadir}/glib-2.0/schemas >&/dev/null ||:
 %{_libdir}/mozilla/plugins/libevbrowserplugin.so
 %changelog
+* Wed Dec 06 2017 Caolán McNamara - 3.22.1-7
+- Resolves: rhbz#1521211 CVE-2017-1000159
+
 * Mon Jul 17 2017 Michael Stahl - 3.22.1-6
 - Resolves: rhbz#1471474 "" is an invalid MIME type