Bugzilla – Full Text Bug Listing

| Summary: | VUL-0: CVE-2017-1000159: evince: Command injection in evince 3.24.8 via filename when printing to PDF | | |
|---|---|---|---|
| Product: | [Novell Products] SUSE Security Incidents | Reporter: | Marcus Meissner <meissner> |
| Component: | Incidents | Assignee: | Michael Gorse <mgorse> |
| Status: | RESOLVED FIXED | QA Contact: | Security Team bot <security-team> |
| Severity: | Normal | | |
| Priority: | P3 - Medium | CC: | astieger, jsegitz, smash_bz, sreeves |
| Version: | unspecified | | |
| Target Milestone: | --- | | |
| Hardware: | Other | | |
| OS: | Other | | |
| URL: | https://smash.suse.de/issue/195688/ | | |
| Whiteboard: | CVSSv3:SUSE:CVE-2017-1000159:5.3:(AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L) CVSSv2:SUSE:CVE-2017-1000159:4.6:(AV:L/AC:L/Au:N/C:P/I:P/A:P) CVSSv3:RedHat:CVE-2017-1000159:7.0:(AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H) CVSSv2:NVD:CVE-2017-1000159:4.6:(AV:L/AC:L/Au:N/C:P/I:P/A:P) | | |
| Found By: | Security Response Team | Services Priority: | |
| Business Priority: | | Blocker: | --- |
| Marketing QA Status: | --- | IT Deployment: | --- |
Description (Marcus Meissner, 2017-11-28 07:06:41 UTC)
With bug 441319 came a DVI backend. Its exporter (which seems to be triggered when printing to a PDF file) eventually calls g_spawn_command_line_sync with user supplied input, i.e. the filename of the file.

```c
command_line = g_strdup_printf ("dvipdfm %s -o %s \"%s\"", /* dvipdfm -s 1,2,.., -o exporter_filename dvi_filename */
                                dvi_document->exporter_opts->str,
                                dvi_document->exporter_filename,
                                dvi_document->context->filename);
```

If the file is cleverly named, it might be able to cause a command injection.

```
$ cat boom.tex
\documentclass{article}
\begin{document}
Boom
\end{document}
$ dvilualatex boom.tex
...
$ cp boom.dvi '/tmp/foo";touch boom;bar"'
$ evince /tmp/foo*boom*\;bar\"
```

```
Thread 1 "evince" hit Breakpoint 1, g_spawn_command_line_sync (
    command_line=0x55a324e9eb40 "dvipdfm -s 1, -o /tmp/evince_print.pdf.0ZO72Y \"/tmp/foo\";touch boom;bar\"\"",
    standard_output=0x0, standard_error=0x0, exit_status=0x7fff1f9f8d8c, error=0x7fff1f9f8d90)
    at /build/glib2.0-prJhLS/glib2.0-2.48.2/./glib/gspawn.c:716
716     /build/glib2.0-prJhLS/glib2.0-2.48.2/./glib/gspawn.c: No such file or directory.
(gdb) p command_line
$1 = (const gchar *) 0x55a324e9eb40 "dvipdfm -s 1, -o /tmp/evince_print.pdf.0ZO72Y \"/tmp/foo\";touch boom;bar\"\""
(gdb)
```

g_spawn_command_line_sync seems to call g_shell_parse_argv () which then results in something like

```
[pid 666] execve("/usr/bin/dvipdfm", ["dvipdfm", "-s", "1,", "-o", "/tmp/evince_print.pdf.U5B12Y", "/tmp/foo;touch", "boom;bar"], [/* 76 vars */]) = 0
```

Now it only added an unexpected parameter. But it seems likely that dvipdfm's -D switch is able to cause more harm (quoting from the documentation http://texdoc.net/texmf-dist/doc/dvipdfm/dvipdfm.pdf):

> The user must specify the command line required to invoke an external program to perform this conversion. The command line required to invoke the conversion program is specified using the -D command line (or configuration file) option. The string passed to the -D command line option is a C-style string that is parsed by dvipdfm. Within the string, expansions are performed as described in Table 5. For example, to use GhostScript, one might use the command line -D "cat %i | gs -q -sDEVICE=pdfwrite -sOutputFile=%o - -c quit"

So if we managed to rename our document to something including -D and a scary command line, we might be screwed.

An easy mitigation for now, I think, is to call g_shell_quote instead of manually trying to escape as it's done now.

```
In [74]: fmt = "dvipdfm %s -o %s \"%s\""

In [75]: fn = '/tmp/foo";$(touch boom);bar"'

In [76]: GLib.shell_parse_argv(fmt % (1,2,fn))
Out[76]: (True, argvp=['dvipdfm', '1', '-o', '2', '/tmp/foo;$(touch', 'boom);bar'])

In [77]: GLib.shell_parse_argv(fmt % (1,2,GLib.shell_quote(fn)))
Out[77]: (True, argvp=['dvipdfm', '1', '-o', '2', "'/tmp/foo;$(touch", "boom);bar'"])

In [78]:
```

In addition, it seems to be clever to use absolute file paths instead in order to prevent a file named '-D foo' sneaking in. Because g_shell_quote wouldn't prevent dvipdfm being called with a file name '-D foo' which then might cause the trouble mentioned above.

NB: g_spawn_command_line_sync does not seem to actually go through /bin/sh like a system() call would. Instead it seems to set up its own argv and calls execve.

is present in all sle11 and sle12 evinces.

Adrien - can you take this one.

(In reply to Scott Reeves from comment #3)
> Adrien - can you take this one.

I'm on it.

your submission was rejected, can you please submit each codestream in a individual request? Thank you

(In reply to Johannes Segitz from comment #6)
> your submission was rejected, can you please submit each codestream in a
> individual request? Thank you

Mike - can you resubmit this. See the comments on the original submission.

SUSE-SU-2018:0639-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1070046
CVE References: CVE-2017-1000159
Sources used:
- SUSE Linux Enterprise Software Development Kit 11-SP4 (src): evince-2.28.2-0.7.3.1
- SUSE Linux Enterprise Server 11-SP4 (src): evince-2.28.2-0.7.3.1
- SUSE Linux Enterprise Debuginfo 11-SP4 (src): evince-2.28.2-0.7.3.1

SUSE-SU-2018:0947-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1070046
CVE References: CVE-2017-1000159
Sources used:
- SUSE Linux Enterprise Workstation Extension 12-SP3 (src): evince-3.20.2-6.22.9
- SUSE Linux Enterprise Software Development Kit 12-SP3 (src): evince-3.20.2-6.22.9
- SUSE Linux Enterprise Server 12-SP3 (src): evince-3.20.2-6.22.9
- SUSE Linux Enterprise Desktop 12-SP3 (src): evince-3.20.2-6.22.9

release for Leap 42.3, closing as done

openSUSE-SU-2018:0960-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1070046
CVE References: CVE-2017-1000159
Sources used:
- openSUSE Leap 42.3 (src): evince-3.20.2-9.1
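The following is an added illustration of the argument-splitting problem described in the report and of the two mitigations it proposes (g_shell_quote and absolute paths); it is not evince's or GLib's code. Python's shlex.split() and shlex.quote() are used as stand-ins for g_shell_parse_argv() and g_shell_quote(), since both follow POSIX-shell word-splitting rules for these inputs (an assumption for inputs beyond the ones shown). The file names, the exporter option string and the output name are constructed sample values; the output name is a placeholder for the temporary name evince would generate.

```python
"""Why interpolating a file name into a command line splits it into extra
argv entries, why quoting once fixes that but not option injection, and
why building argv directly with an absolute path closes both.
Stand-ins (assumption): shlex.split ~ g_shell_parse_argv, shlex.quote ~ g_shell_quote.
"""
import os
import shlex
from typing import List

# Constructed sample inputs: the report's PoC-style name and the '-D foo' case.
HOSTILE_NAME = '/tmp/foo";touch boom;bar"'
OPTION_NAME = '-D foo'
EXPORTER_OPTS = '-s 1,'                       # constructed, mirrors exporter_opts->str
OUTPUT = '/tmp/evince_print.pdf.PLACEHOLDER'  # placeholder for the mkstemp-style name


def parse_argv(command_line: str) -> List[str]:
    """Stand-in for g_shell_parse_argv(): POSIX word splitting without /bin/sh."""
    return shlex.split(command_line)


def vulnerable_command_line(dvi_filename: str) -> str:
    """The pattern from the report: manual \"%s\" escaping around the file name."""
    return 'dvipdfm %s -o %s "%s"' % (EXPORTER_OPTS, OUTPUT, dvi_filename)


def double_quoted_command_line(dvi_filename: str) -> str:
    """A tempting but wrong fix: shell-quote the name but keep the old \"%s\"
    wrapper, so the name is quoted twice (the shape of the report's In [77])."""
    return 'dvipdfm %s -o %s "%s"' % (EXPORTER_OPTS, OUTPUT, shlex.quote(dvi_filename))


def quoted_command_line(dvi_filename: str) -> str:
    """Quote exactly once and drop the manual quotes: the name survives as one argv entry."""
    return 'dvipdfm %s -o %s %s' % (EXPORTER_OPTS, OUTPUT, shlex.quote(dvi_filename))


def safe_argv(dvi_filename: str) -> List[str]:
    """Preferred form: build the argv vector directly (no command-line string to
    re-parse) and make the path absolute so it can never begin with '-' and be
    read by dvipdfm as an option such as -D."""
    abs_name = os.path.abspath(dvi_filename)
    return ['dvipdfm'] + EXPORTER_OPTS.split() + ['-o', OUTPUT, abs_name]


def filename_argument(argv: List[str]) -> str:
    """What dvipdfm would see as its input file: the last argv entry."""
    return argv[-1]


def looks_like_option(arg: str) -> bool:
    """True if an argument would be parsed as a switch rather than a file name."""
    return arg.startswith('-')


if __name__ == '__main__':
    for label, builder in (('manual quotes', vulnerable_command_line),
                           ('quoted twice', double_quoted_command_line),
                           ('quoted once', quoted_command_line)):
        argv = parse_argv(builder(HOSTILE_NAME))
        print('%-14s %d args, file arg(s): %r' % (label, len(argv), argv[5:]))
    for name in (HOSTILE_NAME, OPTION_NAME):
        argv = safe_argv(name)
        print('argv vector    file arg: %r option-like=%s'
              % (filename_argument(argv), looks_like_option(filename_argument(argv))))
```

The first two builders show the report's two failure modes: with the manual `"%s"` wrapper the hostile name becomes two argv entries, and quoting inside that wrapper still yields two (now with stray single quotes), because the name was quoted twice. Quoting once keeps the name intact, yet a file literally named `-D foo` still arrives as a single argument that begins with `-`; only `safe_argv`, which never builds a string and absolutises the path, hands dvipdfm an argument that cannot be mistaken for an option.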