oss-sec mailing list archives
Re: CVE-2017-1000083: evince: Command injection vulnerability in CBT handler
From: Marcus Meissner <meissner () suse de>
Date: Mon, 4 Sep 2017 14:41:07 +0200
>> This can be exploited by creating a tar archive with an embedded file named something like this: "--checkpoint-action=exec=bash -c 'touch ~/covfefe.evince;'.jpg" (Make sure evince is not sandboxed by apparmor before trying to reproduce the attached POC)

> Not sure if the list ate the attachment, but I don’t see it available. Perhaps a link to it somewhere else would be of use?
Sebastian Krahmer of SUSE recreated one that starts xeyes.

https://bugzilla.suse.com/show_bug.cgi?id=1046856
(attachment link https://bugzilla.suse.com/attachment.cgi?id=739314)

Ciao, Marcus
Current thread:
- CVE-2017-1000083: evince: Command injection vulnerability in CBT handler Johannes Segitz (Jul 13)
- Re: CVE-2017-1000083: evince: Command injection vulnerability in CBT handler Hanno Böck (Jul 14)
- Re: CVE-2017-1000083: evince: Command injection vulnerability in CBT handler Brandon Perry (Jul 14)
- Re: CVE-2017-1000083: evince: Command injection vulnerability in CBT handler Seth Arnold (Jul 14)
- Re: CVE-2017-1000083: evince: Command injection vulnerability in CBT handler Marcus Meissner (Sep 04)