group.of.nepali.translators team mailing list archive

[Bug 1759069] [NEW] [CVE] Arbitrary command injection via DVI filename injection when printing to PDF

 

Public bug reported:

Command injection in Evince via filename when printing to PDF is
possible. This also affects Atril, which is a fork of Evince.

Here's the patch in Atril:
https://github.com/mate-desktop/atril/commit/4650fb05e46e144be986a11a666a47add39b3799

** Affects: atril (Ubuntu)
     Importance: Medium
         Status: Fix Released

** Affects: atril (Ubuntu Xenial)
     Importance: Medium
     Assignee: Simon Quigley (tsimonq2)
         Status: In Progress

** Affects: atril (Ubuntu Artful)
     Importance: Medium
     Assignee: Simon Quigley (tsimonq2)
         Status: In Progress

** Also affects: atril (Ubuntu Artful)
   Importance: Undecided
       Status: New

** Also affects: atril (Ubuntu Xenial)
   Importance: Undecided
       Status: New

** Changed in: atril (Ubuntu Xenial)
       Status: New => In Progress

** Changed in: atril (Ubuntu Artful)
       Status: New => In Progress

** Changed in: atril (Ubuntu)
   Importance: Undecided => Medium

** Changed in: atril (Ubuntu)
       Status: New => Fix Released

** Changed in: atril (Ubuntu Xenial)
   Importance: Undecided => Medium

** Changed in: atril (Ubuntu Artful)
   Importance: Undecided => Medium

** Changed in: atril (Ubuntu Xenial)
     Assignee: (unassigned) => Simon Quigley (tsimonq2)

** Changed in: atril (Ubuntu Artful)
     Assignee: (unassigned) => Simon Quigley (tsimonq2)

** CVE added:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-1000159

-- 
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1759069

Title:
  [CVE] Arbitrary command injection via DVI filename injection when
  printing to PDF

Status in atril package in Ubuntu:
  Fix Released
Status in atril source package in Xenial:
  In Progress
Status in atril source package in Artful:
  In Progress

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/atril/+bug/1759069/+subscriptions

