[atril] 01/01: upload to stretch-security (debian/1.16.1-2+deb9u1)

Mike Gabriel sunweaver at debian.org
Mon Jul 24 09:02:40 UTC 2017


This is an automated email from the git hooks/post-receive script.

sunweaver pushed a commit to branch debian/stretch/updates
in repository atril.

commit 8fe15c209a869064afbd869fc585046756a8bb79
Author: Santiago Ruano Rincón <santiagorr at riseup.net>
Date:   Mon Jul 24 11:02:10 2017 +0200

    upload to stretch-security (debian/1.16.1-2+deb9u1)
---
 debian/changelog                                   |   9 ++
 ...move-support-for-tar-and-tar-like-command.patch | 128 +++++++++++++++++++++
 debian/patches/series                              |   1 +
 3 files changed, 138 insertions(+)

diff --git a/debian/changelog b/debian/changelog
index 794a673..ed4f7d5 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,12 @@
+atril (1.16.1-2+deb9u1) stretch-security; urgency=high
+
+  * Non-maintainer upload
+  * Add 0001-CVE-2017-1000083-comics-Remove-support-for-tar-and-tar-like-command.patch
+    Fixes a command injection vulnerability in CBT handler. CVE-2017-1000083
+    (Closes: #868500)
+
+ -- Santiago Ruano Rincón <santiagorr at riseup.net>  Fri, 21 Jul 2017 06:59:09 +0200
+
 atril (1.16.1-2) unstable; urgency=medium
 
   [ Martin Wimpress ]
diff --git a/debian/patches/0001-CVE-2017-1000083-comics-Remove-support-for-tar-and-tar-like-command.patch b/debian/patches/0001-CVE-2017-1000083-comics-Remove-support-for-tar-and-tar-like-command.patch
new file mode 100644
index 0000000..3ae8014
--- /dev/null
+++ b/debian/patches/0001-CVE-2017-1000083-comics-Remove-support-for-tar-and-tar-like-command.patch
@@ -0,0 +1,128 @@
+Origin: https://bugzilla.gnome.org/show_bug.cgi?id=784630#c5
+Reviewed-by: Santiago R.R. <santiagorr at riseup.net>
+Bug-Debian: http://bugs.debian.org/868500
+
+From 717df38fd8509bf883b70d680c9b1b3cf36732ee Mon Sep 17 00:00:00 2001
+From: Bastien Nocera <hadess at hadess.net>
+Date: Thu, 6 Jul 2017 20:02:00 +0200
+Subject: [PATCH] comics: Remove support for tar and tar-like commands
+
+When handling tar files, or using a command with tar-compatible syntax,
+to open comic-book archives, both the archive name (the name of the
+comics file) and the filename (the name of a page within the archive)
+are quoted to not be interpreted by the shell.
+
+But the filename is completely with the attacker's control and can start
+with "--" which leads to tar interpreting it as a command line flag.
+
+This can be exploited by creating a CBT file (a tar archive with the
+.cbt suffix) with an embedded file named something like this:
+"--checkpoint-action=exec=bash -c 'touch ~/hacked;'.jpg"
+
+CBT files are infinitely rare (CBZ is usually used for DRM-free
+commercial releases, CBR for those from more dubious provenance), so
+removing support is the easiest way to avoid the bug triggering. All
+this code was rewritten in the development release for GNOME 3.26 to not
+shell out to any command, closing off this particular attack vector.
+
+This also removes the ability to use libarchive's bsdtar-compatible
+binary for CBZ (ZIP), CB7 (7zip), and CBR (RAR) formats. The first two
+are already supported by unzip and 7zip respectively. libarchive's RAR
+support is limited, so unrar is a requirement anyway.
+
+Discovered by Felix Wilhelm from the Google Security Team.
+
+https://bugzilla.gnome.org/show_bug.cgi?id=784630
+
+-Index: atril-1.16.1/backend/comics/comics-document.c
+===================================================================
+--- atril-1.16.1.orig/backend/comics/comics-document.c
++++ atril-1.16.1/backend/comics/comics-document.c
+@@ -44,8 +44,7 @@ typedef enum
+ 	RARLABS,
+ 	GNAUNRAR,
+ 	UNZIP,
+-	P7ZIP,
+-	TAR
++	P7ZIP
+ } ComicBookDecompressType;
+ 
+ typedef struct _ComicsDocumentClass ComicsDocumentClass;
+@@ -105,9 +104,6 @@ static const ComicBookDecompressCommand
+ 
+         /* 7zip */
+ 	{NULL               , "%s l -- %s"     , "%s x -y %s -o%s", FALSE, OFFSET_7Z},
+-
+-        /* tar */
+-	{"%s -xOf"          , "%s -tf %s"      , NULL             , FALSE, NO_OFFSET}
+ };
+ 
+ static void       comics_document_document_thumbnails_iface_init (EvDocumentThumbnailsInterface *iface);
+@@ -355,13 +351,6 @@ comics_check_decompress_command	(gchar
+ 			comics_document->command_usage = GNAUNRAR;
+ 			return TRUE;
+ 		}
+-		comics_document->selected_command =
+-				g_find_program_in_path ("bsdtar");
+-		if (comics_document->selected_command) {
+-			comics_document->command_usage = TAR;
+-			return TRUE;
+-		}
+-
+ 	} else if (g_content_type_is_a (mime_type, "application/x-cbz") ||
+ 		   g_content_type_is_a (mime_type, "application/zip")) {
+ 		/* InfoZIP's unzip program */
+@@ -374,12 +363,6 @@ comics_check_decompress_command	(gchar
+ 			comics_document->command_usage = UNZIP;
+ 			return TRUE;
+ 		}
+-		comics_document->selected_command =
+-				g_find_program_in_path ("bsdtar");
+-		if (comics_document->selected_command) {
+-			comics_document->command_usage = TAR;
+-			return TRUE;
+-		}
+ 
+ 	} else if (g_content_type_is_a (mime_type, "application/x-cb7") ||
+ 		   g_content_type_is_a (mime_type, "application/x-7z-compressed")) {
+@@ -403,27 +386,6 @@ comics_check_decompress_command	(gchar
+ 			comics_document->command_usage = P7ZIP;
+ 			return TRUE;
+ 		}
+-		comics_document->selected_command =
+-				g_find_program_in_path ("bsdtar");
+-		if (comics_document->selected_command) {
+-			comics_document->command_usage = TAR;
+-			return TRUE;
+-		}
+-	} else if (g_content_type_is_a (mime_type, "application/x-cbt") ||
+-		   g_content_type_is_a (mime_type, "application/x-tar")) {
+-		/* tar utility (Tape ARchive) */
+-		comics_document->selected_command =
+-				g_find_program_in_path ("tar");
+-		if (comics_document->selected_command) {
+-			comics_document->command_usage = TAR;
+-			return TRUE;
+-		}
+-		comics_document->selected_command =
+-				g_find_program_in_path ("bsdtar");
+-		if (comics_document->selected_command) {
+-			comics_document->command_usage = TAR;
+-			return TRUE;
+-		}
+ 	} else {
+ 		g_set_error (error,
+ 			     EV_DOCUMENT_ERROR,
+Index: atril-1.16.1/configure.ac
+===================================================================
+--- atril-1.16.1.orig/configure.ac
++++ atril-1.16.1/configure.ac
+@@ -625,7 +625,7 @@ if test "x$enable_tiff" = "xyes"; then
+     ATRIL_MIME_TYPES="${ATRIL_MIME_TYPES}image/tiff;"
+ fi
+ if test "x$enable_comics" = "xyes"; then
+-    ATRIL_MIME_TYPES="${ATRIL_MIME_TYPES}application/x-cbr;application/x-cbz;application/x-cb7;application/x-cbt;application/vnd.comicbook+zip;"
++    ATRIL_MIME_TYPES="${ATRIL_MIME_TYPES}application/x-cbr;application/x-cbz;application/x-cb7;application/vnd.comicbook+zip;"
+ fi
+ if test "x$enable_pixbuf" = "xyes"; then
+     ATRIL_MIME_TYPES="${ATRIL_MIME_TYPES}image/*;"
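Review bot: The header of the comics-document.c section inside the new patch file is malformed: it reads `-Index: atril-1.16.1/backend/comics/comics-document.c` with a stray leading dash, whereas the configure.ac section later in the same file is written correctly as `Index: atril-1.16.1/configure.ac`. `patch`/quilt will still apply it because the `---`/`+++` pair follows, but the line should be `Index: atril-1.16.1/backend/comics/comics-document.c` so both sections are consistent and the stray text is not mistaken for a dropped hunk line. The hunks remove the `TAR` enumerator and its entry in the decompress-command table but show no other code that compares `command_usage` against `TAR`; any such site left in comics-document.c would no longer compile, so that is presumably covered elsewhere in the file, but it is worth confirming with a build of the patched tree before upload. The enclosing `comics_check_decompress_command` function and the command table both extend outside the quoted hunks.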
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 0000000..ae1d86d
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1 @@
+0001-CVE-2017-1000083-comics-Remove-support-for-tar-and-tar-like-command.patch
