Nacionalni CERT

Security vulnerability in the evince software package

<p>==========================================================================<br />
Ubuntu Security Notice USN-3351-1<br />
July 13, 2017<br />
<br />
evince vulnerability<br />
==========================================================================<br />
<br />
A security issue affects these releases of Ubuntu and its derivatives:<br />
<br />
- Ubuntu 17.04<br />
- Ubuntu 16.10<br />
- Ubuntu 16.04 LTS<br />
- Ubuntu 14.04 LTS<br />
<br />
Summary:<br />
<br />
Evince could be made to run programs as your login if it opened a<br />
specially crafted file.<br />
<br />
Software Description:<br />
- evince: Document viewer<br />
<br />
Details:<br />
<br />
Felix Wilhelm discovered that Evince did not safely invoke tar when<br />
handling tar comic book (cbt) files. An attacker could use this to<br />
construct a malicious cbt comic book format file that, when opened<br />
in Evince, executes arbitrary code. Please note that this update<br />
disables support for cbt files in Evince.<br />
<br />
Update instructions:<br />
<br />
The problem can be corrected by updating your system to the following<br />
package versions:<br />
<br />
Ubuntu 17.04:<br />
 evince 3.24.0-0ubuntu1.1<br />
 evince-common 3.24.0-0ubuntu1.1<br />
<br />
Ubuntu 16.10:<br />
 evince 3.22.0-0ubuntu1.1<br />
 evince-common 3.22.0-0ubuntu1.1<br />
<br />
Ubuntu 16.04 LTS:<br />
 evince 3.18.2-1ubuntu4.1<br />
 evince-common 3.18.2-1ubuntu4.1<br />
<br />
Ubuntu 14.04 LTS:<br />
 evince 3.10.3-0ubuntu10.3<br />
 evince-common 3.10.3-0ubuntu10.3<br />
<br />
In general, a standard system update will make all the necessary changes.<br />
<br />
References:<br />
 https://www.ubuntu.com/usn/usn-3351-1<br />
 CVE-2017-1000083<br />
<br />
Package Information:<br />
 https://launchpad.net/ubuntu/+source/evince/3.24.0-0ubuntu1.1<br />
 https://launchpad.net/ubuntu/+source/evince/3.22.0-0ubuntu1.1<br />
 https://launchpad.net/ubuntu/+source/evince/3.18.2-1ubuntu4.1<br />
 https://launchpad.net/ubuntu/+source/evince/3.10.3-0ubuntu10.3</p>
A security vulnerability has been discovered in the evince software package for the Ubuntu operating system. The vulnerability allows potential attackers to execute arbitrary code. Users are advised to update using the released patches.