
group.of.nepali.translators team mailing list archive

[Bug 1735418] Re: [CVE] Command injection with cbt files

 

This bug was fixed in the package atril - 1.12.2-1ubuntu0.2

---------------
atril (1.12.2-1ubuntu0.2) xenial-security; urgency=medium

  * SECURITY UPDATE: Command injection with cbt files (LP: #1735418).
    - fix-CVE-2017-1000083.patch
    - CVE-2017-1000083

 -- Simon Quigley <tsimonq2@xxxxxxxxxx>  Sun, 18 Mar 2018 23:41:35 -0500

** Changed in: atril (Ubuntu Xenial)
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1735418

Title:
  [CVE] Command injection with cbt files

Status in atril package in Ubuntu:
  Fix Released
Status in atril source package in Xenial:
  Fix Released
Status in atril source package in Artful:
  Fix Released
Status in atril source package in Bionic:
  Fix Released

Bug description:
  backend/comics/comics-document.c (aka the comic book backend) in GNOME
  Evince before 3.24.1 allows remote attackers to execute arbitrary commands
  via a .cbt file that is a TAR archive containing a filename beginning with
  a "--" command-line option substring, as demonstrated by a
  --checkpoint-action=exec=bash at the beginning of the filename.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/atril/+bug/1735418/+subscriptions
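Added example (not part of the original notification, and not Atril or Evince code): a defensive check that lists TAR member names beginning with "-", the condition the bug description names, and shows that shell quoting leaves such a name intact as an argv element. The `tar -xOf` command line, the file name `comic.cbt` and the member names are constructed assumptions for illustration, as is the tool honouring the conventional "--" end-of-options marker.

```python
import io
import shlex
import tarfile


def build_sample_cbt() -> bytes:
    """Constructed in-memory TAR: one ordinary and one option-like member name."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name in ("page01.jpg", "--constructed-option=value.jpg"):
            payload = b"not a real image"
            info = tarfile.TarInfo(name=name)
            info.size = len(payload)
            tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


def option_like_members(archive_bytes: bytes) -> list:
    """Return member names that a command-line tool would parse as options."""
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r:*") as tar:
        return [m.name for m in tar.getmembers() if m.name.startswith("-")]


def quoted_argv(archive_path: str, member: str) -> list:
    """Shell-quote both values, then split the line the way a shell would.

    Quoting stops shell metacharacters, but the member name still arrives
    as its own argv element with its leading dashes.
    """
    cmd = f"tar -xOf {shlex.quote(archive_path)} {shlex.quote(member)}"
    return shlex.split(cmd)


def guarded_argv(archive_path: str, member: str) -> list:
    """Build argv directly and put "--" before the member name.

    Assumption: the invoked tool follows the convention that "--" ends options.
    """
    return ["tar", "-xOf", archive_path, "--", member]


if __name__ == "__main__":
    sample = build_sample_cbt()
    for name in option_like_members(sample):
        print("option-like member:", name)
        print("quoted argv :", quoted_argv("comic.cbt", name))
        print("guarded argv:", guarded_argv("comic.cbt", name))
```

Reading the archive through a library such as `tarfile`, as the scanner does, avoids handing member names to a command line at all.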