oss-sec mailing list archives

Re: CVE-2017-1000083: evince: Command injection vulnerability in CBT handler


From: Marcus Meissner <meissner () suse de>
Date: Mon, 4 Sep 2017 14:41:07 +0200

This can be exploited by creating a tar archive with an embedded file named something like this:
"--checkpoint-action=exec=bash -c 'touch ~/covfefe.evince;'.jpg"

(Make sure evince is not sandboxed by apparmor before trying to reproduce
the attached POC)

Not sure if the list ate the attachment, but I don’t see it available. Perhaps a link to it somewhere else would be of use?

Sebastian Krahmer of SUSE recreated one that starts xeyes.

https://bugzilla.suse.com/show_bug.cgi?id=1046856

        ( attachment link https://bugzilla.suse.com/attachment.cgi?id=739314 ) 

Ciao, Marcus
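
A defensive check for the issue discussed in this thread, as an added example that is not part of the original message or of evince's code: it flags archive member names that begin with "-", which a tar command line would parse as options, and builds an argument vector that ends option parsing with "--". The sample archive, its member names, the function names and the tar invocation are assumptions made for illustration.

```python
import io
import tarfile


def build_sample_archive() -> bytes:
    """Constructed sample: a tar archive (the container inside a .cbt) with three members."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        # Constructed names: one ordinary, one option-like, one with "-" only
        # inside a path component (not parsed as an option, so not flagged).
        for name in ("page01.jpg", "--example-option=value.jpg", "art/-cover.jpg"):
            data = b"not a real image"
            info = tarfile.TarInfo(name=name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def option_like_members(archive: bytes) -> list[str]:
    """Return member names that a command-line tool would treat as options."""
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r") as tar:
        return [m.name for m in tar.getmembers() if m.name.startswith("-")]


def safe_extract_argv(archive_path: str, member: str) -> list[str]:
    """argv for writing one member to stdout (hypothetical handler command).

    Passed as a list (no shell), with "--" so that everything after it is
    taken as a file name even when it starts with "-".
    """
    return ["tar", "-xOf", archive_path, "--", member]


if __name__ == "__main__":
    sample = build_sample_archive()
    for name in option_like_members(sample):
        print("option-like member name:", repr(name))
        print("safe argv:", safe_extract_argv("comic.cbt", name))
```
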

