Resolves: rhbz#1521212 CVE-2017-1000159

2017-12-06 11:27:27 +00:00 · 2017-12-06 11:27:27 +00:00 · 50afed4a2d
commit 50afed4a2d
parent cb92710900
2 changed files with 48 additions and 1 deletions
--- a/0001-dvi-Mitigate-command-injection-attacks-by-quoting-fi.patch
+++ b/0001-dvi-Mitigate-command-injection-attacks-by-quoting-fi.patch
@ -0,0 +1,42 @@
+From 350404c76dc8601e2cdd2636490e2afc83d3090e Mon Sep 17 00:00:00 2001
+From: Tobias Mueller <muelli@cryptobitch.de>
+Date: Fri, 14 Jul 2017 12:52:14 +0200
+Subject: [PATCH] dvi: Mitigate command injection attacks by quoting filename
+
+With commit 1fcca0b8041de0d6074d7e17fba174da36c65f99 came a DVI backend.
+It exports to PDF via the dvipdfm tool.
+It calls that tool with the filename of the currently loaded document.
+If that filename is cleverly crafted, it can escape the currently
+used manual quoting of the filename.  Instead of manually quoting the
+filename, we use g_shell_quote.
+
+https://bugzilla.gnome.org/show_bug.cgi?id=784947
+---
+ backend/dvi/dvi-document.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/backend/dvi/dvi-document.c b/backend/dvi/dvi-document.c
+index 4a896e2..2887770 100644
+--- a/backend/dvi/dvi-document.c
+++ b/backend/dvi/dvi-document.c
+@@ -300,12 +300,14 @@ dvi_document_file_exporter_end (EvFileExporter *exporter)
+ 	gboolean success;
+ 	
+ 	DviDocument *dvi_document = DVI_DOCUMENT(exporter);
+	gchar* quoted_filename = g_shell_quote (dvi_document->context->filename);
+ 	
+-	command_line = g_strdup_printf ("dvipdfm %s -o %s \"%s\"", /* dvipdfm -s 1,2,.., -o exporter_filename dvi_filename */
+	command_line = g_strdup_printf ("dvipdfm %s -o %s %s", /* dvipdfm -s 1,2,.., -o exporter_filename dvi_filename */
+ 					dvi_document->exporter_opts->str,
+ 					dvi_document->exporter_filename,
+-					dvi_document->context->filename);
+-	
+					quoted_filename);
+	g_free (quoted_filename);
+
+ 	success = g_spawn_command_line_sync (command_line,
+ 					     NULL,
+ 					     NULL,
+-- 
+2.9.5
+
--- a/evince.spec
+++ b/evince.spec
@ -5,7 +5,7 @@

 Name:           evince
 Version:        3.24.2
-Release:        1%{?dist}
+Release:        2%{?dist}
 Summary:        Document viewer

 License:        GPLv2+ and GPLv3+ and LGPLv2+ and MIT and Afmparse
@ -20,6 +20,8 @@ Patch3:         0001-Resolves-deb-762530-rhbz-1061177-add-man-pages.patch
 Patch4:         0001-Resolves-rhbz-1358249-page-up-down.patch
 #https://bugzilla.redhat.com/show_bug.cgi?id=1468488
 Patch5:         evince-libarchive-gnome-3-24.patch
+#https://bugzilla.gnome.org/show_bug.cgi?id=784947
+Patch6:         0001-dvi-Mitigate-command-injection-attacks-by-quoting-fi.patch

 BuildRequires:  pkgconfig(adwaita-icon-theme)
 BuildRequires:  pkgconfig(gio-unix-2.0) >= %{glib2_version}
@ -266,6 +268,9 @@ glib-compile-schemas %{_datadir}/glib-2.0/schemas >&/dev/null ||:
 %{_libdir}/mozilla/plugins/libevbrowserplugin.so

 %changelog
+* Wed Dec 06 2017 Caolán McNamara <caolanm@redhat.com> - 3.24.2-2
+- Resolves: rhbz#1521212 CVE-2017-1000159
+
 * Tue Oct 10 2017 David Tardon <dtardon@redhat.com> - 3.24.2-1
 - Resolves: rhbz#1499852 update to 3.24.2