Bugzilla – Bug 1070046
VUL-0: CVE-2017-1000159: evince: Command injection in evince 3.24.8 via filename when printing to PDF
Last modified: 2018-04-16 22:42:30 UTC
CVE-2017-1000159 Command injection in evince 3.24.8 via filename when printing to PDF
References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-1000159
https://bugzilla.gnome.org/show_bug.cgi?id=784947
With bug 441319 came a DVI backend. Its exporter (which seems to be triggered when printing to a PDF file) eventually calls g_spawn_command_line_sync with user supplied input, i.e. the filename of the file.

    command_line = g_strdup_printf ("dvipdfm %s -o %s \"%s\"", /* dvipdfm -s 1,2,.., -o exporter_filename dvi_filename */
                                    dvi_document->exporter_opts->str,
                                    dvi_document->exporter_filename,
                                    dvi_document->context->filename);

If the file is cleverly named, it might be able to cause a command injection.

    $ cat boom.tex
    \documentclass{article}
    \begin{document}
    Boom
    \end{document}
    $ dvilualatex boom.tex
    ...
    $ cp boom.dvi '/tmp/foo";touch boom;bar"'
    $ evince /tmp/foo*boom*\;bar\"

    Thread 1 "evince" hit Breakpoint 1, g_spawn_command_line_sync (
        command_line=0x55a324e9eb40 "dvipdfm -s 1, -o /tmp/evince_print.pdf.0ZO72Y \"/tmp/foo\";touch boom;bar\"\"",
        standard_output=0x0, standard_error=0x0, exit_status=0x7fff1f9f8d8c, error=0x7fff1f9f8d90)
        at /build/glib2.0-prJhLS/glib2.0-2.48.2/./glib/gspawn.c:716
    716     /build/glib2.0-prJhLS/glib2.0-2.48.2/./glib/gspawn.c: No such file or directory.
    (gdb) p command_line
    $1 = (const gchar *) 0x55a324e9eb40 "dvipdfm -s 1, -o /tmp/evince_print.pdf.0ZO72Y \"/tmp/foo\";touch boom;bar\"\""
    (gdb)

g_spawn_command_line_sync seems to call g_shell_parse_argv () which then results in something like

    [pid 666] execve("/usr/bin/dvipdfm", ["dvipdfm", "-s", "1,", "-o", "/tmp/evince_print.pdf.U5B12Y", "/tmp/foo;touch", "boom;bar"], [/* 76 vars */]) = 0

Now it only added an unexpected parameter. But it seems likely that dvipdfm's -D switch is able to cause more harm (quoting from the documentation http://texdoc.net/texmf-dist/doc/dvipdfm/dvipdfm.pdf):

    The user must specify the command line required to invoke an external program to perform this conversion. The command line required to invoke the conversion program is specified using the -D command line (or configuration file) option.
    The string passed to the -D command line option is a C-style string that is parsed by dvipdfm. Within the string, expansions are performed as described in Table 5. For example, to use GhostScript, one might use the command line
    -D "cat %i | gs -q -sDEVICE=pdfwrite -sOutputFile=%o - -c quit"

So if we managed to rename our document to something including -D and a scary command line, we might be screwed.

An easy mitigation for now, I think, is to call g_shell_quote instead of manually trying to escape as it's done now.

    In [74]: fmt = "dvipdfm %s -o %s \"%s\""
    In [75]: fn = '/tmp/foo";$(touch boom);bar"'
    In [76]: GLib.shell_parse_argv(fmt % (1,2,fn))
    Out[76]: (True, argvp=['dvipdfm', '1', '-o', '2', '/tmp/foo;$(touch', 'boom);bar'])
    In [77]: GLib.shell_parse_argv(fmt % (1,2,GLib.shell_quote(fn)))
    Out[77]: (True, argvp=['dvipdfm', '1', '-o', '2', "'/tmp/foo;$(touch", "boom);bar'"])

In addition, it seems to be clever to use absolute file paths instead in order to prevent a file named '-D foo' sneaking in. Because g_shell_quote wouldn't prevent dvipdfm being called with a file name '-D foo' which then might cause the trouble mentioned above.

NB: g_spawn_command_line_sync does not seem to actually go through /bin/sh like a system() call would. Instead it seems to set up its own argv and calls execve.
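As an added demonstration (not part of the bug report or of evince), the three argv shapes discussed above are reproduced in Python, with shlex.split and shlex.quote standing in for g_shell_parse_argv and g_shell_quote (both follow POSIX word-splitting rules, and shlex.quote single-quotes like g_shell_quote); the exporter options, output path and file names are constructed sample values:

```python
import os
import shlex

# Constructed sample values; the real exporter uses its own temporary output name.
EXPORTER_OPTS = "-s 1,"
OUT_FILE = "/tmp/evince_print.pdf.XXXXXX"


def vulnerable_argv(dvi_filename):
    """evince 3.24.8 shape: hand-written \"%s\" wrapping, then shell-style word splitting.

    shlex.split groups words by quotes the way g_shell_parse_argv does; neither
    runs ';' or '$()' as a shell would, but a '"' in the name ends the quoting."""
    command_line = 'dvipdfm %s -o %s "%s"' % (EXPORTER_OPTS, OUT_FILE, dvi_filename)
    return shlex.split(command_line)


def quoted_argv(dvi_filename):
    """Mitigation from the report: quote the name with the library's quoting routine
    and drop the manual double quotes, so the name stays one argv entry."""
    command_line = "dvipdfm %s -o %s %s" % (EXPORTER_OPTS, OUT_FILE, shlex.quote(dvi_filename))
    return shlex.split(command_line)


def hardened_argv(dvi_filename):
    """Second mitigation from the report: an absolute path can never begin with '-',
    so a file called '-D foo' cannot be read by dvipdfm as its -D option."""
    return quoted_argv(os.path.abspath(dvi_filename))


def looks_like_option(arg):
    """Would a getopt-style parser such as dvipdfm's read this argv entry as a switch?"""
    return arg.startswith("-")


if __name__ == "__main__":
    injected = '/tmp/foo";touch boom;bar"'  # the file name from the reproduction above
    print(vulnerable_argv(injected))        # name splits into two stray arguments
    print(quoted_argv(injected))            # one argument, metacharacters inert
    print(quoted_argv("-D foo"))            # still one argument, but option-looking
    print(hardened_argv("-D foo"))          # absolute path: no longer option-looking
```

Quoting alone closes the word-splitting hole; only the absolute path closes the option-injection hole, which is why the report recommends both.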
is present in all sle11 and sle12 evinces.
Adrien - can you take this one.
(In reply to Scott Reeves from comment #3)
> Adrien - can you take this one.

I'm on it.
your submission was rejected, can you please submit each codestream in an individual request? Thank you
(In reply to Johannes Segitz from comment #6)
> your submission was rejected, can you please submit each codestream in an
> individual request? Thank you

Mike - can you resubmit this. See the comments on the original submission.
SUSE-SU-2018:0639-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1070046
CVE References: CVE-2017-1000159
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src): evince-2.28.2-0.7.3.1
SUSE Linux Enterprise Server 11-SP4 (src): evince-2.28.2-0.7.3.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src): evince-2.28.2-0.7.3.1
SUSE-SU-2018:0947-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1070046
CVE References: CVE-2017-1000159
Sources used:
SUSE Linux Enterprise Workstation Extension 12-SP3 (src): evince-3.20.2-6.22.9
SUSE Linux Enterprise Software Development Kit 12-SP3 (src): evince-3.20.2-6.22.9
SUSE Linux Enterprise Server 12-SP3 (src): evince-3.20.2-6.22.9
SUSE Linux Enterprise Desktop 12-SP3 (src): evince-3.20.2-6.22.9
release for Leap 42.3, closing as done
openSUSE-SU-2018:0960-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1070046
CVE References: CVE-2017-1000159
Sources used:
openSUSE Leap 42.3 (src): evince-3.20.2-9.1