[Bug 220713] security/vuxml: Document security vulnerability in evince and atril (CVE-2017-1000083)
bugzilla-noreply at freebsd.org
Thu Jul 13 18:22:36 UTC 2017
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=220713
Bug ID: 220713
Summary: security/vuxml: Document security vulnerability in evince and atril (CVE-2017-1000083)
Product: Ports & Packages
Version: Latest
Hardware: Any
URL: https://bugzilla.gnome.org/show_bug.cgi?id=784630
OS: Any
Status: New
Keywords: patch, security
Severity: Affects Some People
Priority: ---
Component: Individual Port(s)
Assignee: ports-secteam at FreeBSD.org
Reporter: vlad-fbsd at acheronmedia.com
CC: gnome at FreeBSD.org
Flags: maintainer-feedback?(ports-secteam at FreeBSD.org)
Created attachment 184333
--> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=184333&action=edit
Document CVE-2017-1000083 (evince)
The comic book backend in evince 3.24.0 (and earlier) is vulnerable to a
command injection bug that can be used to execute arbitrary commands when a cbt
file is opened.
The evince port in FreeBSD builds with Comic book archives support enabled by
default (COMICS=on).
* Upstream bug report with details:
https://bugzilla.gnome.org/show_bug.cgi?id=784630
While the report itself only mentions version 3.24.0, the patch has been
backported to earlier versions, and Debian has issued a DSA for all its
supported versions, so I'm assuming everything up to and including 3.24.0 is
vulnerable to this:
* https://security-tracker.debian.org/tracker/CVE-2017-1000083
Also affected is graphics/atril, a fork of Evince for the MATE desktop; I'm assuming
up to and including 1.19.0:
* https://github.com/mate-desktop/atril/issues/257
Attached is a patch for vuxml.
--
You are receiving this mail because:
You are the assignee for the bug.
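As an added illustration (not the attachment from this report), this is how a VuXML entry would encode the affected ranges and references stated above. The `vid` and the discovery date are placeholders, since neither is given in the report; the version bounds follow the reporter's "up to and including" assumptions and would need the actual fixed port versions once known.

```xml
<!-- Constructed example VuXML entry for security/vuxml/vuln.xml.
     vid is a placeholder UUID; replace with a freshly generated one. -->
<vuln vid="00000000-0000-0000-0000-000000000000">
  <topic>evince and atril -- command injection via comic book (CBT) archives</topic>
  <affects>
    <package>
      <name>evince</name>
      <!-- Report assumes everything up to and including 3.24.0 is affected.
           A fixed port revision (e.g. 3.24.0_N) would require an <lt> bound instead. -->
      <range><le>3.24.0</le></range>
    </package>
    <package>
      <name>atril</name>
      <!-- Report assumes up to and including 1.19.0 for the MATE fork. -->
      <range><le>1.19.0</le></range>
    </package>
  </affects>
  <description>
    <body xmlns="http://www.w3.org/1999/xhtml">
      <p>The upstream GNOME bug report states:</p>
      <blockquote cite="https://bugzilla.gnome.org/show_bug.cgi?id=784630">
        <p>The comic book backend in evince 3.24.0 (and earlier) is vulnerable
        to a command injection bug that can be used to execute arbitrary
        commands when a cbt file is opened.</p>
      </blockquote>
      <p>The FreeBSD evince port enables comic book archive support by default
      (COMICS=on). graphics/atril, a fork of Evince for the MATE desktop, is
      also affected.</p>
    </body>
  </description>
  <references>
    <cvename>CVE-2017-1000083</cvename>
    <url>https://bugzilla.gnome.org/show_bug.cgi?id=784630</url>
    <url>https://security-tracker.debian.org/tracker/CVE-2017-1000083</url>
    <url>https://github.com/mate-desktop/atril/issues/257</url>
  </references>
  <dates>
    <!-- Placeholder: upstream disclosure date is not stated in the report. -->
    <discovery>YYYY-MM-DD</discovery>
    <!-- Date of this bug report. -->
    <entry>2017-07-13</entry>
  </dates>
</vuln>
```

In the ports tree the entry is validated with `make validate` in security/vuxml, which also rejects malformed dates and overlapping version ranges.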