authorbsiegert <bsiegert@pkgsrc.org>2017-07-16 08:36:06 +0000
committerbsiegert <bsiegert@pkgsrc.org>2017-07-16 08:36:06 +0000
commit4ff09ce77f281bb3ed25ddecececaadfea1c2dc4 (patch)
treee4c3fc02a04c5770adf80f89ccb39d0a38ca6e3e
parentc99bfe8b8e7f51df5fbff254aea2631de44beee8 (diff)
Pullup ticket #5515 - requested by maya
print/evince3: security fix Revisions pulled up: - print/evince3/Makefile 1.62 - print/evince3/distinfo 1.13 - print/evince3/patches/patch-backend_comics_comics-document.c 1.1 - print/evince3/patches/patch-configure 1.1 - print/evince3/patches/patch-configure.ac 1.1 --- Module Name: pkgsrc Committed By: maya Date: Fri Jul 14 05:31:21 UTC 2017 Modified Files: pkgsrc/print/evince3: Makefile distinfo Added Files: pkgsrc/print/evince3/patches: patch-backend_comics_comics-document.c patch-configure patch-configure.ac Log Message: Patch CVE-2017-1000083 From 717df38fd8509bf883b70d680c9b1b3cf36732ee Mon Sep 17 00:00:00 2001 From: Bastien Nocera <hadess@hadess.net> Date: Thu, 6 Jul 2017 20:02:00 +0200 Subject: [PATCH] comics: Remove support for tar and tar-like commands When handling tar files, or using a command with tar-compatible syntax, to open comic-book archives, both the archive name (the name of the comics file) and the filename (the name of a page within the archive) are quoted to not be interpreted by the shell. But the filename is completely within the attacker's control and can start with "--" which leads to tar interpreting it as a command line flag. This can be exploited by creating a CBT file (a tar archive with the .cbt suffix) with an embedded file named something like this: "--checkpoint-action=exec=bash -c 'touch ~/hacked;'.jpg" CBT files are infinitely rare (CBZ is usually used for DRM-free commercial releases, CBR for those from more dubious provenance), so removing support is the easiest way to avoid the bug triggering. All this code was rewritten in the development release for GNOME 3.26 to not shell out to any command, closing off this particular attack vector. This also removes the ability to use libarchive's bsdtar-compatible binary for CBZ (ZIP), CB7 (7zip), and CBR (RAR) formats. The first two are already supported by unzip and 7zip respectively. libarchive's RAR support is limited, so unrar is a requirement anyway. 
Discovered by Felix Wilhelm from the Google Security Team. https://bugzilla.gnome.org/show_bug.cgi?id=784630 Bump PKGREVISION
-rw-r--r--print/evince3/Makefile4
-rw-r--r--print/evince3/distinfo5
-rw-r--r--print/evince3/patches/patch-backend_comics_comics-document.c110
-rw-r--r--print/evince3/patches/patch-configure15
-rw-r--r--print/evince3/patches/patch-configure.ac18
5 files changed, 149 insertions, 3 deletions
diff --git a/print/evince3/Makefile b/print/evince3/Makefile
index 3098b2d1d64..86ecec5561b 100644
--- a/print/evince3/Makefile
+++ b/print/evince3/Makefile
@@ -1,6 +1,6 @@
-# $NetBSD: Makefile,v 1.61 2017/05/29 11:09:46 jperkin Exp $
+# $NetBSD: Makefile,v 1.61.2.1 2017/07/16 08:36:06 bsiegert Exp $
-PKGREVISION= 5
+PKGREVISION= 6
.include "../../print/evince3/Makefile.common"
COMMENT= Document viewer
diff --git a/print/evince3/distinfo b/print/evince3/distinfo
index a4b087c9ebd..b87f82d0625 100644
--- a/print/evince3/distinfo
+++ b/print/evince3/distinfo
@@ -1,6 +1,9 @@
-$NetBSD: distinfo,v 1.12 2016/11/26 12:44:05 prlw1 Exp $
+$NetBSD: distinfo,v 1.12.6.1 2017/07/16 08:36:06 bsiegert Exp $
SHA1 (evince-3.22.1.tar.xz) = 7b24678035c50c4ccaf76bdd64e228b1c1912d4b
RMD160 (evince-3.22.1.tar.xz) = e2c5b03a59ec7a7d50b6c34d1aafed4d419fc8a5
SHA512 (evince-3.22.1.tar.xz) = c36a90bf98f25b4f9f05536f1a09c38be30b814529e17a4ab159ba7c1e952402a211f335d4cdf1928ace8a5b46d6d019fbbd457ce11c2ffa264d8bb7c32d5a18
Size (evince-3.22.1.tar.xz) = 3365004 bytes
+SHA1 (patch-backend_comics_comics-document.c) = e02d70eb1923aeddf5e372609530707fc335bfb1
+SHA1 (patch-configure) = 23027902cc959891ad4befb49d9fec46ebe0803e
+SHA1 (patch-configure.ac) = 7805a17177a5253f779b7160d8abd4f5d1dbab97
diff --git a/print/evince3/patches/patch-backend_comics_comics-document.c b/print/evince3/patches/patch-backend_comics_comics-document.c
new file mode 100644
index 00000000000..a8213d9b695
--- /dev/null
+++ b/print/evince3/patches/patch-backend_comics_comics-document.c
@@ -0,0 +1,110 @@
+$NetBSD: patch-backend_comics_comics-document.c,v 1.1.2.2 2017/07/16 08:36:06 bsiegert Exp $
+
+comics: Remove support for tar and tar-like commands
+From https://bugzilla.gnome.org/show_bug.cgi?id=784630
+
+CVE-2017-1000083.
+
+
+When handling tar files, or using a command with tar-compatible syntax,
+to open comic-book archives, both the archive name (the name of the
+comics file) and the filename (the name of a page within the archive)
+are quoted to not be interpreted by the shell.
+
+But the filename is completely with the attacker's control and can start
+with "--" which leads to tar interpreting it as a command line flag.
+
+This can be exploited by creating a CBT file (a tar archive with the
+.cbt suffix) with an embedded file named something like this:
+"--checkpoint-action=exec=bash -c 'touch ~/hacked;'.jpg"
+
+CBT files are infinitely rare (CBZ is usually used for DRM-free
+commercial releases, CBR for those from more dubious provenance), so
+removing support is the easiest way to avoid the bug triggering. All
+this code was rewritten in the development release for GNOME 3.26 to not
+shell out to any command, closing off this particular attack vector.
+
+This also removes the ability to use libarchive's bsdtar-compatible
+binary for CBZ (ZIP), CB7 (7zip), and CBR (RAR) formats. The first two
+are already supported by unzip and 7zip respectively. libarchive's RAR
+support is limited, so unrar is a requirement anyway.
+
+Discovered by Felix Wilhelm from the Google Security Team.
+
+--- backend/comics/comics-document.c.orig 2016-10-12 05:42:04.000000000 +0000
++++ backend/comics/comics-document.c
+@@ -56,8 +56,7 @@ typedef enum
+ RARLABS,
+ GNAUNRAR,
+ UNZIP,
+- P7ZIP,
+- TAR
++ P7ZIP
+ } ComicBookDecompressType;
+
+ typedef struct _ComicsDocumentClass ComicsDocumentClass;
+@@ -117,9 +116,6 @@ static const ComicBookDecompressCommand
+
+ /* 7zip */
+ {NULL , "%s l -- %s" , "%s x -y %s -o%s", FALSE, OFFSET_7Z},
+-
+- /* tar */
+- {"%s -xOf" , "%s -tf %s" , NULL , FALSE, NO_OFFSET}
+ };
+
+ static GSList* get_supported_image_extensions (void);
+@@ -364,13 +360,6 @@ comics_check_decompress_command (gchar
+ comics_document->command_usage = GNAUNRAR;
+ return TRUE;
+ }
+- comics_document->selected_command =
+- g_find_program_in_path ("bsdtar");
+- if (comics_document->selected_command) {
+- comics_document->command_usage = TAR;
+- return TRUE;
+- }
+-
+ } else if (g_content_type_is_a (mime_type, "application/x-cbz") ||
+ g_content_type_is_a (mime_type, "application/zip")) {
+ /* InfoZIP's unzip program */
+@@ -396,12 +385,6 @@ comics_check_decompress_command (gchar
+ comics_document->command_usage = P7ZIP;
+ return TRUE;
+ }
+- comics_document->selected_command =
+- g_find_program_in_path ("bsdtar");
+- if (comics_document->selected_command) {
+- comics_document->command_usage = TAR;
+- return TRUE;
+- }
+
+ } else if (g_content_type_is_a (mime_type, "application/x-cb7") ||
+ g_content_type_is_a (mime_type, "application/x-7z-compressed")) {
+@@ -425,27 +408,6 @@ comics_check_decompress_command (gchar
+ comics_document->command_usage = P7ZIP;
+ return TRUE;
+ }
+- comics_document->selected_command =
+- g_find_program_in_path ("bsdtar");
+- if (comics_document->selected_command) {
+- comics_document->command_usage = TAR;
+- return TRUE;
+- }
+- } else if (g_content_type_is_a (mime_type, "application/x-cbt") ||
+- g_content_type_is_a (mime_type, "application/x-tar")) {
+- /* tar utility (Tape ARchive) */
+- comics_document->selected_command =
+- g_find_program_in_path ("tar");
+- if (comics_document->selected_command) {
+- comics_document->command_usage = TAR;
+- return TRUE;
+- }
+- comics_document->selected_command =
+- g_find_program_in_path ("bsdtar");
+- if (comics_document->selected_command) {
+- comics_document->command_usage = TAR;
+- return TRUE;
+- }
+ } else {
+ g_set_error (error,
+ EV_DOCUMENT_ERROR,
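Review bot: The header of this new patch file cites the GNOME bugzilla entry and the CVE but not the upstream commit it was taken from, while the commit message identifies it as 717df38fd8509bf883b70d680c9b1b3cf36732ee; adding a line such as `Upstream commit 717df38fd8509bf883b70d680c9b1b3cf36732ee` directly after the `From https://bugzilla.gnome.org/...` line would let the next updater confirm the backport matches upstream without searching the pullup log. The hunks shown remove the TAR enumerator, its entry in the command table, and every tar/bsdtar selection inside comics_check_decompress_command, but whether any other comparison against TAR remains elsewhere in comics-document.c is not visible here, so that is presumably covered by the upstream build rather than by this patch. The two consecutive empty `+` lines after the `CVE-2017-1000083.` line are cosmetic and could be collapsed to one.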
diff --git a/print/evince3/patches/patch-configure b/print/evince3/patches/patch-configure
new file mode 100644
index 00000000000..025a5ec1f63
--- /dev/null
+++ b/print/evince3/patches/patch-configure
@@ -0,0 +1,15 @@
+$NetBSD: patch-configure,v 1.1.2.2 2017/07/16 08:36:06 bsiegert Exp $
+
+Regen
+
+--- configure.orig 2016-10-12 06:03:23.000000000 +0000
++++ configure
+@@ -22338,7 +22326,7 @@ fi
+
+
+ if test "x$enable_comics" = "xyes"; then
+- COMICS_MIME_TYPES="application/x-cbr;application/x-cbz;application/x-cb7;application/x-cbt;application/x-ext-cbr;application/x-ext-cbz;application/vnd.comicbook+zip;application/x-ext-cb7;application/x-ext-cbt"
++ COMICS_MIME_TYPES="application/x-cbr;application/x-cbz;application/x-cb7;application/x-ext-cbr;application/x-ext-cbz;application/vnd.comicbook+zip;application/x-ext-cb7;"
+ APPDATA_COMICS_MIME_TYPES=$(echo "<mimetype>$COMICS_MIME_TYPES</mimetype>" | sed -e 's/;/<\/mimetype>\n <mimetype>/g')
+ if test -z "$EVINCE_MIME_TYPES"; then
+ EVINCE_MIME_TYPES="${COMICS_MIME_TYPES}"
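Review bot: The new COMICS_MIME_TYPES value on the `++` line ends with a trailing `;` after `application/x-ext-cb7`, whereas the removed line ended on `application/x-ext-cbt` with no separator; the sed on the next line rewrites every `;` as `</mimetype>\n <mimetype>`, so APPDATA_COMICS_MIME_TYPES will now end with an empty `<mimetype></mimetype>` element and EVINCE_MIME_TYPES will carry an empty trailing entry. Dropping the separator, `COMICS_MIME_TYPES="application/x-cbr;application/x-cbz;application/x-cb7;application/x-ext-cbr;application/x-ext-cbz;application/vnd.comicbook+zip;application/x-ext-cb7"`, restores the previous shape. The same trailing `;` is present in patch-configure.ac in this commit; since patch-configure is described as a regen of configure.ac, the fix belongs in the .ac patch with configure regenerated from it.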
diff --git a/print/evince3/patches/patch-configure.ac b/print/evince3/patches/patch-configure.ac
new file mode 100644
index 00000000000..ef47f726237
--- /dev/null
+++ b/print/evince3/patches/patch-configure.ac
@@ -0,0 +1,18 @@
+$NetBSD: patch-configure.ac,v 1.1.2.2 2017/07/16 08:36:06 bsiegert Exp $
+
+comics: Remove support for tar and tar-like commands
+From https://bugzilla.gnome.org/show_bug.cgi?id=784630
+
+CVE-2017-1000083.
+
+--- configure.ac.orig 2016-10-12 05:46:27.000000000 +0000
++++ configure.ac
+@@ -795,7 +795,7 @@ AC_SUBST(TIFF_MIME_TYPES)
+ AC_SUBST(APPDATA_TIFF_MIME_TYPES)
+ AM_SUBST_NOTMAKE(APPDATA_TIFF_MIME_TYPES)
+ if test "x$enable_comics" = "xyes"; then
+- COMICS_MIME_TYPES="application/x-cbr;application/x-cbz;application/x-cb7;application/x-cbt;application/x-ext-cbr;application/x-ext-cbz;application/vnd.comicbook+zip;application/x-ext-cb7;application/x-ext-cbt"
++ COMICS_MIME_TYPES="application/x-cbr;application/x-cbz;application/x-cb7;application/x-ext-cbr;application/x-ext-cbz;application/vnd.comicbook+zip;application/x-ext-cb7;"
+ APPDATA_COMICS_MIME_TYPES=$(echo "<mimetype>$COMICS_MIME_TYPES</mimetype>" | sed -e 's/;/<\/mimetype>\n <mimetype>/g')
+ if test -z "$EVINCE_MIME_TYPES"; then
+ EVINCE_MIME_TYPES="${COMICS_MIME_TYPES}"