authorSören Tempel <soeren+git@soeren-tempel.net>2017-07-15 12:29:40 +0200
committerSören Tempel <soeren+git@soeren-tempel.net>2017-07-15 13:29:39 +0200
commit02e685d0a8e5a8cc3db2ce21ea6b425280b357ac (patch)
tree937c0a785a75b9c793ca534db3544bd398eb8791 /community/evince
parent69bf70aaa381065ebaf40f9aee175c8a598bce77 (diff)
community/evince: security fix for CVE-2017-1000083
Diffstat (limited to 'community/evince')
-rw-r--r--community/evince/0001-comics-Remove-support-for-tar-and-tar-like-commands.patch131
-rw-r--r--community/evince/APKBUILD24
2 files changed, 149 insertions, 6 deletions
diff --git a/community/evince/0001-comics-Remove-support-for-tar-and-tar-like-commands.patch b/community/evince/0001-comics-Remove-support-for-tar-and-tar-like-commands.patch
new file mode 100644
index 0000000000..d0f61d9c9e
--- /dev/null
+++ b/community/evince/0001-comics-Remove-support-for-tar-and-tar-like-commands.patch
@@ -0,0 +1,131 @@
+From 717df38fd8509bf883b70d680c9b1b3cf36732ee Mon Sep 17 00:00:00 2001
+From: Bastien Nocera <hadess@hadess.net>
+Date: Thu, 6 Jul 2017 20:02:00 +0200
+Subject: [PATCH] comics: Remove support for tar and tar-like commands
+
+When handling tar files, or using a command with tar-compatible syntax,
+to open comic-book archives, both the archive name (the name of the
+comics file) and the filename (the name of a page within the archive)
+are quoted to not be interpreted by the shell.
+
+But the filename is completely with the attacker's control and can start
+with "--" which leads to tar interpreting it as a command line flag.
+
+This can be exploited by creating a CBT file (a tar archive with the
+.cbt suffix) with an embedded file named something like this:
+"--checkpoint-action=exec=bash -c 'touch ~/hacked;'.jpg"
+
+CBT files are infinitely rare (CBZ is usually used for DRM-free
+commercial releases, CBR for those from more dubious provenance), so
+removing support is the easiest way to avoid the bug triggering. All
+this code was rewritten in the development release for GNOME 3.26 to not
+shell out to any command, closing off this particular attack vector.
+
+This also removes the ability to use libarchive's bsdtar-compatible
+binary for CBZ (ZIP), CB7 (7zip), and CBR (RAR) formats. The first two
+are already supported by unzip and 7zip respectively. libarchive's RAR
+support is limited, so unrar is a requirement anyway.
+
+Discovered by Felix Wilhelm from the Google Security Team.
+
+https://bugzilla.gnome.org/show_bug.cgi?id=784630
+---
+ backend/comics/comics-document.c | 40 +---------------------------------------
+ configure.ac | 2 +-
+ 2 files changed, 2 insertions(+), 40 deletions(-)
+
+diff --git a/backend/comics/comics-document.c b/backend/comics/comics-document.c
+index 4c747310..641d7856 100644
+--- a/backend/comics/comics-document.c
++++ b/backend/comics/comics-document.c
+@@ -56,8 +56,7 @@ typedef enum
+ RARLABS,
+ GNAUNRAR,
+ UNZIP,
+- P7ZIP,
+- TAR
++ P7ZIP
+ } ComicBookDecompressType;
+
+ typedef struct _ComicsDocumentClass ComicsDocumentClass;
+@@ -117,9 +116,6 @@ static const ComicBookDecompressCommand command_usage_def[] = {
+
+ /* 7zip */
+ {NULL , "%s l -- %s" , "%s x -y %s -o%s", FALSE, OFFSET_7Z},
+-
+- /* tar */
+- {"%s -xOf" , "%s -tf %s" , NULL , FALSE, NO_OFFSET}
+ };
+
+ static GSList* get_supported_image_extensions (void);
+@@ -364,13 +360,6 @@ comics_check_decompress_command (gchar *mime_type,
+ comics_document->command_usage = GNAUNRAR;
+ return TRUE;
+ }
+- comics_document->selected_command =
+- g_find_program_in_path ("bsdtar");
+- if (comics_document->selected_command) {
+- comics_document->command_usage = TAR;
+- return TRUE;
+- }
+-
+ } else if (g_content_type_is_a (mime_type, "application/x-cbz") ||
+ g_content_type_is_a (mime_type, "application/zip")) {
+ /* InfoZIP's unzip program */
+@@ -396,12 +385,6 @@ comics_check_decompress_command (gchar *mime_type,
+ comics_document->command_usage = P7ZIP;
+ return TRUE;
+ }
+- comics_document->selected_command =
+- g_find_program_in_path ("bsdtar");
+- if (comics_document->selected_command) {
+- comics_document->command_usage = TAR;
+- return TRUE;
+- }
+
+ } else if (g_content_type_is_a (mime_type, "application/x-cb7") ||
+ g_content_type_is_a (mime_type, "application/x-7z-compressed")) {
+@@ -425,27 +408,6 @@ comics_check_decompress_command (gchar *mime_type,
+ comics_document->command_usage = P7ZIP;
+ return TRUE;
+ }
+- comics_document->selected_command =
+- g_find_program_in_path ("bsdtar");
+- if (comics_document->selected_command) {
+- comics_document->command_usage = TAR;
+- return TRUE;
+- }
+- } else if (g_content_type_is_a (mime_type, "application/x-cbt") ||
+- g_content_type_is_a (mime_type, "application/x-tar")) {
+- /* tar utility (Tape ARchive) */
+- comics_document->selected_command =
+- g_find_program_in_path ("tar");
+- if (comics_document->selected_command) {
+- comics_document->command_usage = TAR;
+- return TRUE;
+- }
+- comics_document->selected_command =
+- g_find_program_in_path ("bsdtar");
+- if (comics_document->selected_command) {
+- comics_document->command_usage = TAR;
+- return TRUE;
+- }
+ } else {
+ g_set_error (error,
+ EV_DOCUMENT_ERROR,
+diff --git a/configure.ac b/configure.ac
+index 9e9f8316..7eb0f1f3 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -795,7 +795,7 @@ AC_SUBST(TIFF_MIME_TYPES)
+ AC_SUBST(APPDATA_TIFF_MIME_TYPES)
+ AM_SUBST_NOTMAKE(APPDATA_TIFF_MIME_TYPES)
+ if test "x$enable_comics" = "xyes"; then
+- COMICS_MIME_TYPES="application/x-cbr;application/x-cbz;application/x-cb7;application/x-cbt;application/x-ext-cbr;application/x-ext-cbz;application/vnd.comicbook+zip;application/x-ext-cb7;application/x-ext-cbt"
++ COMICS_MIME_TYPES="application/x-cbr;application/x-cbz;application/x-cb7;application/x-ext-cbr;application/x-ext-cbz;application/vnd.comicbook+zip;application/x-ext-cb7;"
+ APPDATA_COMICS_MIME_TYPES=$(echo "<mimetype>$COMICS_MIME_TYPES</mimetype>" | sed -e 's/;/<\/mimetype>\n <mimetype>/g')
+ if test -z "$EVINCE_MIME_TYPES"; then
+ EVINCE_MIME_TYPES="${COMICS_MIME_TYPES}"
+--
+2.13.2
+
diff --git a/community/evince/APKBUILD b/community/evince/APKBUILD
index 76ab548ba5..664cf8bfe6 100644
--- a/community/evince/APKBUILD
+++ b/community/evince/APKBUILD
@@ -1,8 +1,9 @@
+# Contributor: Sören Tempel <soeren+alpine@soeren-tempel.net>
# Contributor: William Pitcock <nenolod@dereferenced.org>
# Maintainer: William Pitcock <nenolod@dereferenced.org>
pkgname=evince
pkgver=3.24.0
-pkgrel=1
+pkgrel=2
pkgdesc="simple document viewer for GTK+"
url="http://projects.gnome.org/evince/"
arch="all"
@@ -12,12 +13,23 @@ depends_dev="gtk+3.0-dev poppler-dev libsm-dev libevent-dev libxrandr-dev
libx11-dev libxcursor-dev libxcomposite-dev libxi-dev util-linux-dev
tiff-dev gobject-introspection-dev libxml2-dev"
makedepends="$depends_dev intltool itstool gnome-doc-utils
- adwaita-icon-theme-dev"
+ adwaita-icon-theme-dev gnome-common automake autoconf
+ gtk-doc yelp-tools"
subpackages="$pkgname-dev $pkgname-doc $pkgname-lang $pkgname-libs"
-source="http://ftp.gnome.org/pub/GNOME/sources/${pkgname}/${pkgver%.*}/${pkgname}-${pkgver}.tar.xz"
-
+source="http://ftp.gnome.org/pub/GNOME/sources/${pkgname}/${pkgver%.*}/${pkgname}-${pkgver}.tar.xz
+ 0001-comics-Remove-support-for-tar-and-tar-like-commands.patch"
builddir="${srcdir}/${pkgname}-${pkgver}"
+# secfixes:
+# 3.24.0-r2:
+# - CVE-2017-1000083
+
+prepare() {
+ default_prepare
+ cd "$builddir"
+ NOCONFIGURE=1 ./autogen.sh
+}
+
build() {
cd "$builddir"
./configure \
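Review bot: The `source=` assignment rewritten in this hunk still fetches the evince tarball over plain `http://`; the pinned sha512sum protects every later build against a modified download, but that checksum was presumably itself computed from an http fetch, so switching the URL to `https://` (where the mirror offers it) closes the one point at which a tampered tarball could have been accepted. The new `prepare()` also gives no reason for the `NOCONFIGURE=1 ./autogen.sh` step, which is easy to drop as cruft on the next update; since the bundled patch edits `configure.ac` (see the second file of the embedded patch), a one-line comment such as `# the CVE-2017-1000083 patch changes configure.ac, so regenerate configure` would document why the extra autotools makedepends and the autogen run are needed. The `# secfixes:` block matches the `pkgrel` bump to `3.24.0-r2`.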
@@ -50,5 +62,5 @@ doc() {
fi
}
-
-sha512sums="b793c44b2976abe58461adfdb0b1874af8d6bafaf9b80a851d94b776f9d50f6a81774bcb5b35cd59a9ad3afeea9a8b88018aa85d670373c7c2fa9617407a09c4 evince-3.24.0.tar.xz"
+sha512sums="b793c44b2976abe58461adfdb0b1874af8d6bafaf9b80a851d94b776f9d50f6a81774bcb5b35cd59a9ad3afeea9a8b88018aa85d670373c7c2fa9617407a09c4 evince-3.24.0.tar.xz
+26251ad90271612ee3fadf0c7a7719fdca6ed1b74f2600751eaba97916d2b44969955a9ad9994f1c97cb79757d3d4f7f76354ce3b04b1340d91598a773fbb130 0001-comics-Remove-support-for-tar-and-tar-like-commands.patch"