Bug 1070046 - (CVE-2017-1000159) VUL-0: CVE-2017-1000159: evince: Command injection in evince 3.24.8 via filename when printing to PDF
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other
OS: Other
Priority: P3 - Medium
Severity: Normal
Assigned To: Michael Gorse
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/195688/
Whiteboard: CVSSv3:SUSE:CVE-2017-1000159:5.3:(AV:...
Reported: 2017-11-28 07:06 UTC by Marcus Meissner
Modified: 2018-04-16 22:42 UTC (History)
Found By: Security Response Team
Description Marcus Meissner 2017-11-28 07:06:41 UTC
CVE-2017-1000159

Command injection in evince 3.24.8 via filename when printing to PDF

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-1000159
https://bugzilla.gnome.org/show_bug.cgi?id=784947
Comment 1 Marcus Meissner 2017-11-28 07:09:13 UTC

With bug 441319 came a DVI backend.

Its exporter (which seems to be triggered when printing to a PDF file) eventually calls g_spawn_command_line_sync with user supplied input, i.e. the filename of the file.

        command_line = g_strdup_printf ("dvipdfm %s -o %s \"%s\"", /* dvipdfm -s 1,2,.., -o exporter_filename dvi_filename */
                                        dvi_document->exporter_opts->str,
                                        dvi_document->exporter_filename,
                                        dvi_document->context->filename);


If the file is cleverly named, it might be able to cause a command injection.

$ cat boom.tex 
\documentclass{article}
\begin{document}
Boom
\end{document}
$ dvilualatex boom.tex
...
$ cp boom.dvi  '/tmp/foo";touch boom;bar"'
$ evince /tmp/foo*boom*\;bar\"

Thread 1 "evince" hit Breakpoint 1, g_spawn_command_line_sync (
    command_line=0x55a324e9eb40 "dvipdfm -s 1, -o /tmp/evince_print.pdf.0ZO72Y \"/tmp/foo\";touch boom;bar\"\"", standard_output=0x0, 
    standard_error=0x0, exit_status=0x7fff1f9f8d8c, error=0x7fff1f9f8d90) at /build/glib2.0-prJhLS/glib2.0-2.48.2/./glib/gspawn.c:716
716	/build/glib2.0-prJhLS/glib2.0-2.48.2/./glib/gspawn.c: No such file or directory.
(gdb) p command_line
$1 = (const gchar *) 0x55a324e9eb40 "dvipdfm -s 1, -o /tmp/evince_print.pdf.0ZO72Y \"/tmp/foo\";touch boom;bar\"\""
(gdb) 

g_spawn_command_line_sync seems to call g_shell_parse_argv () which then results in something like

[pid   666] execve("/usr/bin/dvipdfm", ["dvipdfm", "-s", "1,", "-o", "/tmp/evince_print.pdf.U5B12Y", "/tmp/foo;touch", "boom;bar"], [/* 76 vars */]) = 0

Now it only added an unexpected parameter. But it seems likely that dvipdfm's -D switch is able to cause more harm (quoting from the documentation http://texdoc.net/texmf-dist/doc/dvipdfm/dvipdfm.pdf):

The user must specify the command line required to invoke an external program
to perform this conversion. The command line required to invoke the conversion
program is specified using the -D command line (or configuration file) option. The string passed to the -D command line option is a C-style string that is parsed by dvipdfm . Within the string, expansions are performed as described in
Table 5. For example, to use GhostScript, one might use the command line
-D "cat %i | gs -q -sDEVICE=pdfwrite -sOutputFile=%o - -c quit"

So if we managed to rename our document to something including -D and a scary command line, we might be screwed.

An easy mitigation for now, I think, is to call g_shell_quote instead of manually trying to escape as it's done now.

In [74]: fmt = "dvipdfm %s -o %s \"%s\""

In [75]: fn = '/tmp/foo";$(touch boom);bar"'

In [76]: GLib.shell_parse_argv(fmt % (1,2,fn))
Out[76]: (True, argvp=['dvipdfm', '1', '-o', '2', '/tmp/foo;$(touch', 'boom);bar'])

In [77]: GLib.shell_parse_argv(fmt % (1,2,GLib.shell_quote(fn)))
Out[77]: (True, argvp=['dvipdfm', '1', '-o', '2', "'/tmp/foo;$(touch", "boom);bar'"])


In addition, it seems clever to use absolute file paths instead, in order to prevent a file named '-D foo' from sneaking in, because g_shell_quote wouldn't prevent dvipdfm being called with a file name '-D foo', which then might cause the trouble mentioned above.

NB: g_spawn_command_line_sync does not seem to actually go through /bin/sh like a system() call would. Instead it seems to set up its own argv and calls execve.
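The following is an added example, not code from the bug report or from evince. It reproduces the three points made in comment 1 in Python: the hand-quoted format string is split into extra argv elements, quoting the value properly keeps it as one element, and an absolute path is what stops a filename such as '-D foo' from looking like an option. shlex.split and shlex.quote are used as stand-ins for g_shell_parse_argv and g_shell_quote, since they apply the same POSIX word-splitting and quoting rules to these inputs; dvipdfm is never executed, and the filenames are constructed sample input (taken from the comment above). The quoted form only helps once the hand-written double quotes in the format string are dropped, which quoted_command_line does.

```python
import os
import shlex

# Format string as used by the evince DVI exporter quoted in comment 1:
# dvipdfm <opts> -o <exporter_filename> "<dvi filename>".  The double
# quotes around the last %s are the hand-written escaping that the
# shell-style parser later undoes.
VULNERABLE_FMT = 'dvipdfm %s -o %s "%s"'


def vulnerable_command_line(opts, out, fn):
    """Build the command line the way the vulnerable code does."""
    return VULNERABLE_FMT % (opts, out, fn)


def parse_like_g_shell(command_line):
    """Split a command line into argv with POSIX shell word rules.

    shlex.split stands in for GLib's g_shell_parse_argv here: both strip
    quotes and split on unquoted whitespace, and neither runs /bin/sh,
    which is why ';' and '$(...)' end up as literal bytes inside argv
    elements rather than executing.
    """
    return shlex.split(command_line, posix=True)


def quoted_command_line(opts, out, fn):
    """Hardened string builder: no hand-written quotes; shlex.quote
    (stand-in for g_shell_quote) wraps every user-influenced value so the
    filename survives parsing as exactly one argv element."""
    return "dvipdfm %s -o %s %s" % (opts, shlex.quote(out), shlex.quote(fn))


def looks_like_option(arg):
    """True when dvipdfm would treat this argv element as an option."""
    return arg.startswith("-")


def build_argv(opts, out, fn):
    """Preferred fix: do not build a shell string at all.

    Returns the argv vector one would hand to g_spawn_sync (or execve)
    directly.  The filename is made absolute so a document named
    '-D foo' cannot be mistaken for dvipdfm's -D option, whose argument
    is an arbitrary command line.  `opts` is a list of already-split
    option words, e.g. ["-s", "1,"].
    """
    return ["dvipdfm", *opts, "-o", out, os.path.abspath(fn)]


if __name__ == "__main__":
    # Constructed sample input: the filename from comment 1.
    evil = '/tmp/foo";$(touch boom);bar"'
    print(parse_like_g_shell(vulnerable_command_line("1", "2", evil)))
    print(parse_like_g_shell(quoted_command_line("1", "2", evil)))
    print(parse_like_g_shell(quoted_command_line("1", "2", "-D foo")))
    print(build_argv(["-s", "1,"], "/tmp/evince_print.pdf.XXXXXX", "-D foo"))
```

Running it shows the same split argv as the ipython session in comment 1 for the vulnerable builder, a single filename element for the quoted builder, and that quoting alone still leaves '-D foo' as an element starting with '-'; only build_argv, which skips shell parsing and makes the path absolute, removes both problems.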
Comment 2 Marcus Meissner 2017-11-28 07:26:34 UTC
is present in all sle11 and sle12 evinces.
Comment 3 Scott Reeves 2017-11-29 20:49:00 UTC
Adrien - can you take this one.
Comment 4 Adrien Plazas 2017-12-04 13:53:53 UTC
(In reply to Scott Reeves from comment #3)
> Adrien - can you take this one.

I'm on it.
Comment 6 Johannes Segitz 2018-02-16 10:29:33 UTC
Your submission was rejected, can you please submit each codestream in an individual request? Thank you
Comment 7 Scott Reeves 2018-02-24 00:58:58 UTC
(In reply to Johannes Segitz from comment #6)
> Your submission was rejected, can you please submit each codestream in an
> individual request? Thank you

Mike - can you resubmit this. See the comments on the original submission.
Comment 10 Swamp Workflow Management 2018-03-08 20:13:07 UTC
SUSE-SU-2018:0639-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1070046
CVE References: CVE-2017-1000159
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    evince-2.28.2-0.7.3.1
SUSE Linux Enterprise Server 11-SP4 (src):    evince-2.28.2-0.7.3.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    evince-2.28.2-0.7.3.1
Comment 11 Swamp Workflow Management 2018-04-16 10:11:39 UTC
SUSE-SU-2018:0947-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1070046
CVE References: CVE-2017-1000159
Sources used:
SUSE Linux Enterprise Workstation Extension 12-SP3 (src):    evince-3.20.2-6.22.9
SUSE Linux Enterprise Software Development Kit 12-SP3 (src):    evince-3.20.2-6.22.9
SUSE Linux Enterprise Server 12-SP3 (src):    evince-3.20.2-6.22.9
SUSE Linux Enterprise Desktop 12-SP3 (src):    evince-3.20.2-6.22.9
Comment 12 Andreas Stieger 2018-04-16 19:08:56 UTC
release for Leap 42.3, closing as done
Comment 13 Swamp Workflow Management 2018-04-16 22:08:59 UTC
openSUSE-SU-2018:0960-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1070046
CVE References: CVE-2017-1000159
Sources used:
openSUSE Leap 42.3 (src):    evince-3.20.2-9.1