oss-sec mailing list archives

Re: CVE-2017-1000083: evince: Command injection vulnerability in CBT handler


From: Seth Arnold <seth.arnold () canonical com>
Date: Fri, 14 Jul 2017 18:14:53 -0700

On Fri, Jul 14, 2017 at 07:27:53PM -0500, Brandon Perry wrote:
> On Jul 13, 2017, at 10:43 AM, Johannes Segitz <jsegitz () suse de> wrote:
> > This can be exploited by creating a tar archive with an embedded file
> > named something like this:
> > "--checkpoint-action=exec=bash -c 'touch ~/covfefe.evince;'.jpg"
> >
> > (Make sure evince is not sandboxed by apparmor before trying to reproduce
> > the attached POC)
>
> Not sure if the list ate the attachment, but I don't see it available.
> Perhaps a link to it somewhere else would be of use?

The attachment didn't make it through to the distros list either. When I
was testing just the tar portion of this, I skipped the / character in the
filename and added a 10MB zeroed file (truncate -s 10MB huge) to make sure
the checkpoint program gets run.

Thanks
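An added example, not code from evince, from the reporter, or from anyone in this thread, illustrating the defensive side of what Johannes describes above: a viewer that shells out to tar must keep archive member names out of tar's option parser, because GNU tar reads an argument beginning with "--" as an option wherever it appears on the command line unless a "--" separator precedes it. The archive, its member names and contents are all constructed here; the argv builders assume a "tar -xOf ARCHIVE MEMBER" style invocation, which is an assumption rather than evince's actual code.

```python
"""Added example (not evince's or any oss-sec poster's code): keep untrusted
tar member names out of tar's option parser, and flag the ones that would
be parsed as options. All member names and contents are constructed."""
import io
import os
import shutil
import subprocess
import tarfile
import tempfile

# Constructed sample: one ordinary member and one whose name starts with
# "--", which tar would parse as an option if nothing ends option parsing.
SAMPLE_MEMBERS = {
    "page01.jpg": b"\xff\xd8\xff\xe0 constructed, not a real JPEG",
    "--option-looking-name.jpg": b"also constructed",
}


def build_archive(members: dict) -> bytes:
    """Write members into an in-memory uncompressed tar and return its bytes."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name, data in members.items():
            info = tarfile.TarInfo(name=name)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def list_members(archive: bytes) -> list:
    """List member names with Python's tarfile, which never interprets them."""
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r") as tf:
        return tf.getnames()


def option_like(name: str) -> bool:
    """True if tar would read this name as an option rather than a path
    when it is passed without a preceding '--' separator."""
    return name.startswith("-")


def audit_members(archive: bytes) -> list:
    """Return the member names a viewer should refuse or quarantine."""
    return [n for n in list_members(archive) if option_like(n)]


def unsafe_tar_argv(archive_path: str, member: str) -> list:
    """The vulnerable shape: the member name follows the archive with nothing
    ending option parsing, so a name starting with '--' becomes an option."""
    return ["tar", "-xOf", archive_path, member]


def safe_tar_argv(archive_path: str, member: str) -> list:
    """Hardened shape: '--' ends option parsing, so every later argument,
    whatever it starts with, is treated as a member path."""
    return ["tar", "-xOf", archive_path, "--", member]


def extract_member(archive_path: str, member: str) -> bytes:
    """Extract one member to stdout with the hardened argv (needs a tar binary)."""
    return subprocess.run(safe_tar_argv(archive_path, member),
                          check=True, capture_output=True).stdout


if __name__ == "__main__":
    data = build_archive(SAMPLE_MEMBERS)
    print("members:", list_members(data))
    print("option-like names:", audit_members(data))
    if shutil.which("tar"):
        with tempfile.NamedTemporaryFile(suffix=".tar", delete=False) as f:
            f.write(data)
            path = f.name
        try:
            for name in SAMPLE_MEMBERS:
                print(name, "->", extract_member(path, name))
        finally:
            os.unlink(path)
```

Both defences belong together: the "--" separator stops the name from being parsed as an option, and the audit step lets the viewer refuse archives whose member names look like options before tar is ever spawned.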
