commit:     25ad9706a5046f3b3373762ba457772daa3af80d
Author:     Mart Raudsepp <leio <AT> gentoo <DOT> org>
AuthorDate: Thu Jul 13 17:42:47 2017 +0000
Commit:     Mart Raudsepp <leio <AT> gentoo <DOT> org>
CommitDate: Thu Jul 13 17:42:47 2017 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=25ad9706

app-text/evince: remove support for tar-like compressed comics files (CBT) for 
security

The support for tar-compressed comics files will come back in a future version via
libarchive. Until then this is disabled due to security issue CVE-2017-1000083.
Other comics formats should still work.

Gentoo-bug: 624876
Package-Manager: Portage-2.3.5, Repoman-2.3.2

 app-text/evince/evince-3.22.1-r1.ebuild            | 102 ++++++++++++++++
 .../evince/files/3.22.1-CVE-2017-1000083.patch     | 130 +++++++++++++++++++++
 2 files changed, 232 insertions(+)

diff --git a/app-text/evince/evince-3.22.1-r1.ebuild 
b/app-text/evince/evince-3.22.1-r1.ebuild
new file mode 100644
index 00000000000..862b8c1b9f1
--- /dev/null
+++ b/app-text/evince/evince-3.22.1-r1.ebuild
@@ -0,0 +1,102 @@
+# Copyright 1999-2017 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=6
+GNOME2_LA_PUNT="yes"
+
+inherit gnome2 systemd
+
+DESCRIPTION="Simple document viewer for GNOME"
+HOMEPAGE="https://wiki.gnome.org/Apps/Evince";
+
+LICENSE="GPL-2+ CC-BY-SA-3.0"
+# subslot = evd3.(suffix of libevdocument3)-evv3.(suffix of libevview3)
+SLOT="0/evd3.4-evv3.3"
+IUSE="djvu dvi gstreamer gnome gnome-keyring +introspection nautilus nsplugin 
+postscript t1lib tiff xps"
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~ia64 ~mips ~ppc ~ppc64 ~sparc ~x86 
~x86-fbsd ~amd64-linux ~x86-linux ~x64-solaris"
+
+# atk used in libview
+# gdk-pixbuf used all over the place
+COMMON_DEPEND="
+       dev-libs/atk
+       >=dev-libs/glib-2.36:2[dbus]
+       >=dev-libs/libxml2-2.5:2
+       sys-libs/zlib:=
+       x11-libs/gdk-pixbuf:2
+       >=x11-libs/gtk+-3.16.0:3[introspection?]
+       gnome-base/gsettings-desktop-schemas
+       >=x11-libs/cairo-1.10:=
+       >=app-text/poppler-0.33[cairo]
+       djvu? ( >=app-text/djvu-3.5.22:= )
+       dvi? (
+               virtual/tex-base
+               dev-libs/kpathsea:=
+               t1lib? ( >=media-libs/t1lib-5:= ) )
+       gstreamer? (
+               media-libs/gstreamer:1.0
+               media-libs/gst-plugins-base:1.0
+               media-libs/gst-plugins-good:1.0 )
+       gnome? ( gnome-base/gnome-desktop:3= )
+       gnome-keyring? ( >=app-crypt/libsecret-0.5 )
+       introspection? ( >=dev-libs/gobject-introspection-1:= )
+       nautilus? ( >=gnome-base/nautilus-2.91.4[introspection?] )
+       postscript? ( >=app-text/libspectre-0.2:= )
+       tiff? ( >=media-libs/tiff-3.6:0= )
+       xps? ( >=app-text/libgxps-0.2.1:= )
+"
+RDEPEND="${COMMON_DEPEND}
+       gnome-base/gvfs
+       gnome-base/librsvg
+       || (
+               >=x11-themes/adwaita-icon-theme-2.17.1
+               >=x11-themes/hicolor-icon-theme-0.10 )
+"
+DEPEND="${COMMON_DEPEND}
+       app-text/docbook-xml-dtd:4.3
+       app-text/yelp-tools
+       dev-util/gdbus-codegen
+       >=dev-util/gtk-doc-am-1.13
+       >=dev-util/intltool-0.35
+       dev-util/itstool
+       sys-devel/gettext
+       virtual/pkgconfig
+"
+# eautoreconf needs:
+#  app-text/yelp-tools
+
+PATCHES=(
+       "${FILESDIR}"/${PV}-CVE-2017-1000083.patch
+)
+
+src_prepare() {
+       gnome2_src_prepare
+
+       # Do not depend on adwaita-icon-theme, bug #326855, #391859
+       # https://bugs.freedesktop.org/show_bug.cgi?id=29942
+       sed -e 's/adwaita-icon-theme >= $ADWAITA_ICON_THEME_REQUIRED//g' \
+               -i configure || die "sed failed"
+}
+
+src_configure() {
+       gnome2_src_configure \
+               --disable-static \
+               --enable-pdf \
+               --enable-comics \
+               --enable-thumbnailer \
+               --with-platform=gnome \
+               --enable-dbus \
+               $(use_enable djvu) \
+               $(use_enable dvi) \
+               $(use_enable gstreamer multimedia) \
+               $(use_enable gnome libgnome-desktop) \
+               $(use_with gnome-keyring keyring) \
+               $(use_enable introspection) \
+               $(use_enable nautilus) \
+               $(use_enable nsplugin browser-plugin) \
+               $(use_enable postscript ps) \
+               $(use_enable t1lib) \
+               $(use_enable tiff) \
+               $(use_enable xps) \
+               
BROWSER_PLUGIN_DIR="${EPREFIX}"/usr/$(get_libdir)/nsbrowser/plugins \
+               --with-systemduserunitdir="$(systemd_get_userunitdir)"
+}
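Review bot: The configure.ac half of the applied patch will have no effect on this build unless `configure` is regenerated, and nothing in the ebuild does that: there is no `inherit autotools` and no `eautoreconf` call, and the `sed ... -i configure` in `src_prepare` edits the shipped `configure`, which suggests the generated script is used as-is. If so, the installed mime list presumably still advertises `application/x-cbt` and `application/x-ext-cbt` even though the patched C backend now rejects them with an error, so evince keeps being offered as a handler for files it can no longer open. The fix is `inherit gnome2 systemd autotools` and an `eautoreconf` call after `gnome2_src_prepare` (the `# eautoreconf needs: app-text/yelp-tools` comment indicates the build dependency is already listed), or alternatively extending the patch to touch the generated `configure` as well. A short comment above `PATCHES=(` would also help the next maintainer, e.g. `# Drops CBT/tar comics support until the libarchive-based backend lands (bug 624876)`.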

diff --git a/app-text/evince/files/3.22.1-CVE-2017-1000083.patch 
b/app-text/evince/files/3.22.1-CVE-2017-1000083.patch
new file mode 100644
index 00000000000..9164c618145
--- /dev/null
+++ b/app-text/evince/files/3.22.1-CVE-2017-1000083.patch
@@ -0,0 +1,130 @@
+From: Bastien Nocera
+Date: Thu, 6 Jul 2017 20:02:00 +0200
+Subject: comics: Remove support for tar and tar-like commands
+
+When handling tar files, or using a command with tar-compatible syntax,
+to open comic-book archives, both the archive name (the name of the
+comics file) and the filename (the name of a page within the archive)
+are quoted to not be interpreted by the shell.
+
+But the filename is completely with the attacker's control and can start
+with "--" which leads to tar interpreting it as a command line flag.
+
+This can be exploited by creating a CBT file (a tar archive with the
+.cbt suffix) with an embedded file named something like this:
+"--checkpoint-action=exec=bash -c 'touch ~/hacked;'.jpg"
+
+CBT files are infinitely rare (CBZ is usually used for DRM-free
+commercial releases, CBR for those from more dubious provenance), so
+removing support is the easiest way to avoid the bug triggering. All
+this code was rewritten in the development release for GNOME 3.26 to not
+shell out to any command, closing off this particular attack vector.
+
+This also removes the ability to use libarchive's bsdtar-compatible
+binary for CBZ (ZIP), CB7 (7zip), and CBR (RAR) formats. The first two
+are already supported by unzip and 7zip respectively. libarchive's RAR
+support is limited, so unrar is a requirement anyway.
+
+Discovered by Felix Wilhelm from the Google Security Team.
+
+https://bugzilla.gnome.org/show_bug.cgi?id=784630
+---
+ backend/comics/comics-document.c | 40 +---------------------------------------
+ configure.ac                     |  2 +-
+ 2 files changed, 2 insertions(+), 40 deletions(-)
+
+diff --git a/backend/comics/comics-document.c 
b/backend/comics/comics-document.c
+index 96ed26e..3af119a 100644
+--- a/backend/comics/comics-document.c
++++ b/backend/comics/comics-document.c
+@@ -56,8 +56,7 @@ typedef enum
+       RARLABS,
+       GNAUNRAR,
+       UNZIP,
+-      P7ZIP,
+-      TAR
++      P7ZIP
+ } ComicBookDecompressType;
+ 
+ typedef struct _ComicsDocumentClass ComicsDocumentClass;
+@@ -117,9 +116,6 @@ static const ComicBookDecompressCommand 
command_usage_def[] = {
+ 
+         /* 7zip */
+       {NULL               , "%s l -- %s"     , "%s x -y %s -o%s", FALSE, 
OFFSET_7Z},
+-
+-        /* tar */
+-      {"%s -xOf"          , "%s -tf %s"      , NULL             , FALSE, 
NO_OFFSET}
+ };
+ 
+ static GSList*    get_supported_image_extensions (void);
+@@ -364,13 +360,6 @@ comics_check_decompress_command   (gchar          
*mime_type,
+                       comics_document->command_usage = GNAUNRAR;
+                       return TRUE;
+               }
+-              comics_document->selected_command =
+-                              g_find_program_in_path ("bsdtar");
+-              if (comics_document->selected_command) {
+-                      comics_document->command_usage = TAR;
+-                      return TRUE;
+-              }
+-
+       } else if (g_content_type_is_a (mime_type, "application/x-cbz") ||
+                  g_content_type_is_a (mime_type, "application/zip")) {
+               /* InfoZIP's unzip program */
+@@ -396,12 +385,6 @@ comics_check_decompress_command   (gchar          
*mime_type,
+                       comics_document->command_usage = P7ZIP;
+                       return TRUE;
+               }
+-              comics_document->selected_command =
+-                              g_find_program_in_path ("bsdtar");
+-              if (comics_document->selected_command) {
+-                      comics_document->command_usage = TAR;
+-                      return TRUE;
+-              }
+ 
+       } else if (g_content_type_is_a (mime_type, "application/x-cb7") ||
+                  g_content_type_is_a (mime_type, 
"application/x-7z-compressed")) {
+@@ -425,27 +408,6 @@ comics_check_decompress_command   (gchar          
*mime_type,
+                       comics_document->command_usage = P7ZIP;
+                       return TRUE;
+               }
+-              comics_document->selected_command =
+-                              g_find_program_in_path ("bsdtar");
+-              if (comics_document->selected_command) {
+-                      comics_document->command_usage = TAR;
+-                      return TRUE;
+-              }
+-      } else if (g_content_type_is_a (mime_type, "application/x-cbt") ||
+-                 g_content_type_is_a (mime_type, "application/x-tar")) {
+-              /* tar utility (Tape ARchive) */
+-              comics_document->selected_command =
+-                              g_find_program_in_path ("tar");
+-              if (comics_document->selected_command) {
+-                      comics_document->command_usage = TAR;
+-                      return TRUE;
+-              }
+-              comics_document->selected_command =
+-                              g_find_program_in_path ("bsdtar");
+-              if (comics_document->selected_command) {
+-                      comics_document->command_usage = TAR;
+-                      return TRUE;
+-              }
+       } else {
+               g_set_error (error,
+                            EV_DOCUMENT_ERROR,
+diff --git a/configure.ac b/configure.ac
+index 36e866a..26a1a7d 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -795,7 +795,7 @@ AC_SUBST(TIFF_MIME_TYPES)
+ AC_SUBST(APPDATA_TIFF_MIME_TYPES)
+ AM_SUBST_NOTMAKE(APPDATA_TIFF_MIME_TYPES)
+ if test "x$enable_comics" = "xyes"; then
+-        
COMICS_MIME_TYPES="application/x-cbr;application/x-cbz;application/x-cb7;application/x-cbt;application/x-ext-cbr;application/x-ext-cbz;application/vnd.comicbook+zip;application/x-ext-cb7;application/x-ext-cbt"
++        
COMICS_MIME_TYPES="application/x-cbr;application/x-cbz;application/x-cb7;application/x-ext-cbr;application/x-ext-cbz;application/vnd.comicbook+zip;application/x-ext-cb7;"
+         APPDATA_COMICS_MIME_TYPES=$(echo 
"<mimetype>$COMICS_MIME_TYPES</mimetype>" | sed -e 's/;/<\/mimetype>\n    
<mimetype>/g')
+         if test -z "$EVINCE_MIME_TYPES"; then
+            EVINCE_MIME_TYPES="${COMICS_MIME_TYPES}"
+-- 
+cgit v0.12
+
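Review bot: The replacement `COMICS_MIME_TYPES=` line in the configure.ac hunk ends with a trailing `;` (`...application/x-ext-cb7;"`) where the removed line ended without one, so the `sed -e 's/;/<\/mimetype>\n    <mimetype>/g'` two lines below will emit an empty `<mimetype></mimetype>` element into the appdata once configure is regenerated; the last semicolon should be dropped. The file also carries the cgit page footer (`-- ` followed by `cgit v0.12`) after the final hunk; patch tools ignore trailing text, but trimming it keeps the file to the upstream change only. Per the patch description the remaining unrar/unzip/7z code paths still spawn external commands with quoted arguments, so with `--enable-comics` left on in the ebuild the backend still shells out; that is upstream's state for 3.22 and not something to change here, but a one-line comment in the ebuild noting it would save the next reviewer rereading this patch.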
