From 02e685d0a8e5a8cc3db2ce21ea6b425280b357ac Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?S=C3=B6ren=20Tempel?=
Date: Sat, 15 Jul 2017 12:29:40 +0200
Subject: community/evince: security fix for CVE-2017-1000083
---
 ...ove-support-for-tar-and-tar-like-commands.patch | 131 +++++++++++++++++++++
 community/evince/APKBUILD | 24 +++-
 2 files changed, 149 insertions(+), 6 deletions(-)
 create mode 100644 community/evince/0001-comics-Remove-support-for-tar-and-tar-like-commands.patch
(limited to 'community/evince')
diff --git a/community/evince/0001-comics-Remove-support-for-tar-and-tar-like-commands.patch b/community/evince/0001-comics-Remove-support-for-tar-and-tar-like-commands.patch
new file mode 100644
index 0000000000..d0f61d9c9e
--- /dev/null
+++ b/community/evince/0001-comics-Remove-support-for-tar-and-tar-like-commands.patch
@@ -0,0 +1,131 @@
+From 717df38fd8509bf883b70d680c9b1b3cf36732ee Mon Sep 17 00:00:00 2001
+From: Bastien Nocera
+Date: Thu, 6 Jul 2017 20:02:00 +0200
+Subject: [PATCH] comics: Remove support for tar and tar-like commands
+
+When handling tar files, or using a command with tar-compatible syntax,
+to open comic-book archives, both the archive name (the name of the
+comics file) and the filename (the name of a page within the archive)
+are quoted to not be interpreted by the shell.
+
+But the filename is completely with the attacker's control and can start
+with "--" which leads to tar interpreting it as a command line flag.
+
+This can be exploited by creating a CBT file (a tar archive with the
+.cbt suffix) with an embedded file named something like this:
+"--checkpoint-action=exec=bash -c 'touch ~/hacked;'.jpg"
+
+CBT files are infinitely rare (CBZ is usually used for DRM-free
+commercial releases, CBR for those from more dubious provenance), so
+removing support is the easiest way to avoid the bug triggering. All
+this code was rewritten in the development release for GNOME 3.26 to not
+shell out to any command, closing off this particular attack vector.
+
+This also removes the ability to use libarchive's bsdtar-compatible
+binary for CBZ (ZIP), CB7 (7zip), and CBR (RAR) formats. The first two
+are already supported by unzip and 7zip respectively. libarchive's RAR
+support is limited, so unrar is a requirement anyway.
+
+Discovered by Felix Wilhelm from the Google Security Team.
+
+https://bugzilla.gnome.org/show_bug.cgi?id=784630
+---
+ backend/comics/comics-document.c | 40 +---------------------------------------
+ configure.ac | 2 +-
+ 2 files changed, 2 insertions(+), 40 deletions(-)
+
+diff --git a/backend/comics/comics-document.c b/backend/comics/comics-document.c
+index 4c747310..641d7856 100644
+--- a/backend/comics/comics-document.c
++++ b/backend/comics/comics-document.c
+@@ -56,8 +56,7 @@ typedef enum
+ RARLABS,
+ GNAUNRAR,
+ UNZIP,
+- P7ZIP,
+- TAR
++ P7ZIP
+ } ComicBookDecompressType;
+
+ typedef struct _ComicsDocumentClass ComicsDocumentClass;
+@@ -117,9 +116,6 @@ static const ComicBookDecompressCommand command_usage_def[] = {
+
+ /* 7zip */
+ {NULL , "%s l -- %s" , "%s x -y %s -o%s", FALSE, OFFSET_7Z},
+-
+- /* tar */
+- {"%s -xOf" , "%s -tf %s" , NULL , FALSE, NO_OFFSET}
+ };
+
+ static GSList* get_supported_image_extensions (void);
+@@ -364,13 +360,6 @@ comics_check_decompress_command (gchar *mime_type,
+ comics_document->command_usage = GNAUNRAR;
+ return TRUE;
+ }
+- comics_document->selected_command =
+- g_find_program_in_path ("bsdtar");
+- if (comics_document->selected_command) {
+- comics_document->command_usage = TAR;
+- return TRUE;
+- }
+-
+ } else if (g_content_type_is_a (mime_type, "application/x-cbz") ||
+ g_content_type_is_a (mime_type, "application/zip")) {
+ /* InfoZIP's unzip program */
+@@ -396,12 +385,6 @@ comics_check_decompress_command (gchar *mime_type,
+ comics_document->command_usage = P7ZIP;
+ return TRUE;
+ }
+- comics_document->selected_command =
+- g_find_program_in_path ("bsdtar");
+- if (comics_document->selected_command) {
+- comics_document->command_usage = TAR;
+- return TRUE;
+- }
+
+ } else if (g_content_type_is_a (mime_type, "application/x-cb7") ||
+ g_content_type_is_a (mime_type, "application/x-7z-compressed")) {
+@@ -425,27 +408,6 @@ comics_check_decompress_command (gchar *mime_type,
+ comics_document->command_usage = P7ZIP;
+ return TRUE;
+ }
+- comics_document->selected_command =
+- g_find_program_in_path ("bsdtar");
+- if (comics_document->selected_command) {
+- comics_document->command_usage = TAR;
+- return TRUE;
+- }
+- } else if (g_content_type_is_a (mime_type, "application/x-cbt") ||
+- g_content_type_is_a (mime_type, "application/x-tar")) {
+- /* tar utility (Tape ARchive) */
+- comics_document->selected_command =
+- g_find_program_in_path ("tar");
+- if (comics_document->selected_command) {
+- comics_document->command_usage = TAR;
+- return TRUE;
+- }
+- comics_document->selected_command =
+- g_find_program_in_path ("bsdtar");
+- if (comics_document->selected_command) {
+- comics_document->command_usage = TAR;
+- return TRUE;
+- }
+ } else {
+ g_set_error (error,
+ EV_DOCUMENT_ERROR,
+diff --git a/configure.ac b/configure.ac
+index 9e9f8316..7eb0f1f3 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -795,7 +795,7 @@ AC_SUBST(TIFF_MIME_TYPES)
+ AC_SUBST(APPDATA_TIFF_MIME_TYPES)
+ AM_SUBST_NOTMAKE(APPDATA_TIFF_MIME_TYPES)
+ if test "x$enable_comics" = "xyes"; then
+- COMICS_MIME_TYPES="application/x-cbr;application/x-cbz;application/x-cb7;application/x-cbt;application/x-ext-cbr;application/x-ext-cbz;application/vnd.comicbook+zip;application/x-ext-cb7;application/x-ext-cbt"
++ COMICS_MIME_TYPES="application/x-cbr;application/x-cbz;application/x-cb7;application/x-ext-cbr;application/x-ext-cbz;application/vnd.comicbook+zip;application/x-ext-cb7;"
+ APPDATA_COMICS_MIME_TYPES=$(echo "$COMICS_MIME_TYPES" | sed -e 's/;/<\/mimetype>\n /g')
+ if test -z "$EVINCE_MIME_TYPES"; then
+ EVINCE_MIME_TYPES="${COMICS_MIME_TYPES}"
+--
+2.13.2
+
diff --git a/community/evince/APKBUILD b/community/evince/APKBUILD
index 76ab548ba5..664cf8bfe6 100644
--- a/community/evince/APKBUILD
+++ b/community/evince/APKBUILD
@@ -1,8 +1,9 @@
+# Contributor: Sören Tempel
 # Contributor: William Pitcock
 # Maintainer: William Pitcock
 pkgname=evince
 pkgver=3.24.0
-pkgrel=1
+pkgrel=2
 pkgdesc="simple document viewer for GTK+"
 url="http://projects.gnome.org/evince/"
 arch="all"
@@ -12,12 +13,23 @@ depends_dev="gtk+3.0-dev poppler-dev libsm-dev libevent-dev
 libxrandr-dev libx11-dev libxcursor-dev libxcomposite-dev libxi-dev
 util-linux-dev tiff-dev gobject-introspection-dev libxml2-dev"
 makedepends="$depends_dev intltool itstool gnome-doc-utils
- adwaita-icon-theme-dev"
+ adwaita-icon-theme-dev gnome-common automake autoconf
+ gtk-doc yelp-tools"
 subpackages="$pkgname-dev $pkgname-doc $pkgname-lang $pkgname-libs"
-source="http://ftp.gnome.org/pub/GNOME/sources/${pkgname}/${pkgver%.*}/${pkgname}-${pkgver}.tar.xz"
-
+source="http://ftp.gnome.org/pub/GNOME/sources/${pkgname}/${pkgver%.*}/${pkgname}-${pkgver}.tar.xz
+ 0001-comics-Remove-support-for-tar-and-tar-like-commands.patch"
 builddir="${srcdir}/${pkgname}-${pkgver}"
+# secfixes:
+# 3.24.0-r2:
+# - CVE-2017-1000083
+
+prepare() {
+ default_prepare
+ cd "$builddir"
+ NOCONFIGURE=1 ./autogen.sh
+}
+
 build() {
 cd "$builddir"
 ./configure \
@@ -50,5 +62,5 @@ doc() {
 fi
 }
-
-sha512sums="b793c44b2976abe58461adfdb0b1874af8d6bafaf9b80a851d94b776f9d50f6a81774bcb5b35cd59a9ad3afeea9a8b88018aa85d670373c7c2fa9617407a09c4 evince-3.24.0.tar.xz"
+sha512sums="b793c44b2976abe58461adfdb0b1874af8d6bafaf9b80a851d94b776f9d50f6a81774bcb5b35cd59a9ad3afeea9a8b88018aa85d670373c7c2fa9617407a09c4 evince-3.24.0.tar.xz
+26251ad90271612ee3fadf0c7a7719fdca6ed1b74f2600751eaba97916d2b44969955a9ad9994f1c97cb79757d3d4f7f76354ce3b04b1340d91598a773fbb130 0001-comics-Remove-support-for-tar-and-tar-like-commands.patch"
--
cgit v1.2.3
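Review bot: The new prepare() runs `NOCONFIGURE=1 ./autogen.sh` without saying why, and the reason is not recoverable from the APKBUILD alone: the added patch's own diffstat shows it edits configure.ac, so the tarball's pre-generated configure script would presumably keep advertising the removed application/x-cbt MIME type unless the build system is regenerated. A one-line comment above the call, `# the CVE-2017-1000083 patch edits configure.ac, so regenerate configure`, would spare the next maintainer a guess and make clear that the extra makedepends (gnome-common, automake, autoconf, gtk-doc, yelp-tools) exist only for that regeneration and can be dropped once the fix lands in the upstream tarball. The secfixes block names 3.24.0-r2, which matches the pkgrel bump in the first hunk, and the rewritten source= line keeps the plain-http GNOME mirror, so integrity of the tarball rests entirely on the sha512sums entry in the last hunk — worth stating in the commit message if the mirror offers no https alternative.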