oss-sec mailing list archives
Re: CVE-2017-1000083: evince: Command injection vulnerability in CBT handler
From: Seth Arnold <seth.arnold () canonical com>
Date: Fri, 14 Jul 2017 18:14:53 -0700
On Fri, Jul 14, 2017 at 07:27:53PM -0500, Brandon Perry wrote:
> On Jul 13, 2017, at 10:43 AM, Johannes Segitz <jsegitz () suse de> wrote:
>> This can be exploited by creating a tar archive with an embedded file named
>> something like this:
>> "--checkpoint-action=exec=bash -c 'touch ~/covfefe.evince;'.jpg"
>> (Make sure evince is not sandboxed by apparmor before trying to reproduce the
>> attached POC)
>
> Not sure if the list ate the attachment, but I don’t see it available. Perhaps a link to it somewhere else would be of use?
The attachment didn't make it through to the distros list either.

When I was testing just the tar portion of this, I skipped the / character in the filename and added a 10MB zeroed file (truncate -s 10MB huge) to make sure the checkpoint program gets run.

Thanks
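An added defensive example, not part of the original thread and not evince's code: a check that lists archive members whose names a command-line tool would parse as options, and an argv for `tar` that uses `--` so a member name is always treated as an operand. The function names, the archive name `comic.cbt` and the sample member names are assumptions constructed for illustration.

```python
import io
import tarfile


def build_sample_archive(names):
    """Build a constructed in-memory tar archive with empty members (sample data)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name in names:
            info = tarfile.TarInfo(name=name)
            info.size = 0
            tar.addfile(info, io.BytesIO(b""))
    buf.seek(0)
    return buf


def option_like_members(fileobj):
    """Return member names that start with '-'.

    Such a name, passed unguarded on a command line, is parsed as an
    option instead of a file name, which is the issue this thread discusses.
    """
    with tarfile.open(fileobj=fileobj, mode="r:*") as tar:
        return [m.name for m in tar.getmembers() if m.name.startswith("-")]


def safe_extract_argv(archive_path, member):
    """argv that writes one member to stdout.

    The list form avoids a shell, and '--' ends option parsing, so the
    member name cannot be interpreted as an option.
    """
    return ["tar", "-xOf", archive_path, "--", member]


if __name__ == "__main__":
    # Constructed sample names; only the second and third are option-like.
    sample = build_sample_archive(
        ["page01.jpg", "--example-option=1.jpg", "-x.png", "dir/-ok.jpg"]
    )
    for name in option_like_members(sample):
        print("suspicious member:", repr(name))
        print("guarded argv:", safe_extract_argv("comic.cbt", name))
```

Reading the archive with `tarfile` never executes anything, so the check can run on untrusted input before any external program sees the member names.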
Current thread:
- CVE-2017-1000083: evince: Command injection vulnerability in CBT handler Johannes Segitz (Jul 13)
- Re: CVE-2017-1000083: evince: Command injection vulnerability in CBT handler Hanno Böck (Jul 14)
- Re: CVE-2017-1000083: evince: Command injection vulnerability in CBT handler Brandon Perry (Jul 14)
- Re: CVE-2017-1000083: evince: Command injection vulnerability in CBT handler Seth Arnold (Jul 14)
- Re: CVE-2017-1000083: evince: Command injection vulnerability in CBT handler Marcus Meissner (Sep 04)