FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

evince and atril -- command injection vulnerability in CBT handler

Affected packages
evince <= 3.24.0
evince-lite <= 3.24.0
atril < 1.18.1
1.19.0 <= atril < 1.19.1
atril-lite < 1.18.1
1.19.0 <= atril-lite < 1.19.1

Details

VuXML ID 01a197ca-67f1-11e7-a266-28924a333806
Discovery 2017-07-06
Entry 2017-07-13

GNOME reports:

The comic book backend in evince 3.24.0 (and earlier) is vulnerable to a command injection bug that can be used to execute arbitrary commands when a CBT file is opened.

The same vulnerability affects atril, the Evince fork.

References

CVE Name CVE-2017-1000083
URL https://bugzilla.gnome.org/show_bug.cgi?id=784630
URL https://github.com/mate-desktop/atril/issues/257