[CVE] Arbitrary command injection via DVI filename injection when printing to PDF

Bug #1759069 reported by Simon Quigley
Affects | Status | Importance | Assigned to | Milestone
atril (Ubuntu) | Fix Released | Medium | Unassigned |
Xenial | Fix Released | Medium | Simon Quigley |
Artful | Fix Released | Medium | Simon Quigley |

Bug Description

Command injection in Evince via filename when printing to PDF is possible. This also affects Atril, which is a fork of Evince.

Here's the patch in Atril: https://github.com/mate-desktop/atril/commit/4650fb05e46e144be986a11a666a47add39b3799

CVE References

Simon Quigley (tsimonq2)
Changed in atril (Ubuntu Xenial):
status: New → In Progress
Changed in atril (Ubuntu Artful):
status: New → In Progress
Changed in atril (Ubuntu):
importance: Undecided → Medium
status: New → Fix Released
Changed in atril (Ubuntu Xenial):
importance: Undecided → Medium
Changed in atril (Ubuntu Artful):
importance: Undecided → Medium
Changed in atril (Ubuntu Xenial):
assignee: nobody → Simon Quigley (tsimonq2)
Changed in atril (Ubuntu Artful):
assignee: nobody → Simon Quigley (tsimonq2)
Simon Quigley (tsimonq2) wrote :

I have uploaded these fixes (for Xenial and Artful) to a fresh test PPA of mine with all architectures switched on and only the security repo enabled. I then tested both in VMs of each release, and they work as intended. It also fixes the security issue.

Security Team, feel free to copy my packages to your PPA:
https://launchpad.net/~tsimonq2/+archive/ubuntu/security-test-builds/+sourcepub/8884466/+listing-archive-extra
https://launchpad.net/~tsimonq2/+archive/ubuntu/security-test-builds/+sourcepub/8884503/+listing-archive-extra

The diffs for each are on that page if you would like to do it manually.

Martin, how do these fixes look?

Martin Wimpress (flexiondotorg) wrote :

Thanks for working on this, Simon. I've tested both the patched packages and they work as expected.

Simon Quigley (tsimonq2) wrote :

Excellent, thank you.

Security team, please review/sponsor these fixes to go into Ubuntu.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package atril - 1.12.2-1ubuntu0.3

---------------
atril (1.12.2-1ubuntu0.3) xenial-security; urgency=medium

  * SECURITY UPDATE: Arbitrary command injection via DVI filename injection
    when printing to PDF (LP: #1759069).
    - fix-CVE-2017-1000159.patch
    - CVE-2017-1000159

 -- Simon Quigley <email address hidden> Mon, 26 Mar 2018 18:29:46 -0500

Changed in atril (Ubuntu Xenial):
status: In Progress → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package atril - 1.18.1-1ubuntu0.1

---------------
atril (1.18.1-1ubuntu0.1) artful-security; urgency=medium

  * SECURITY UPDATE: Arbitrary command injection via DVI filename injection
    when printing to PDF (LP: #1759069).
    - fix-CVE-2017-1000159.patch
    - CVE-2017-1000159

 -- Simon Quigley <email address hidden> Mon, 26 Mar 2018 18:35:16 -0500

Changed in atril (Ubuntu Artful):
status: In Progress → Fix Released