author | Mart Raudsepp <leio@gentoo.org> | 2017-07-13 20:42:47 +0300 |
committer | Mart Raudsepp <leio@gentoo.org> | 2017-07-13 20:42:47 +0300 |
commit | 25ad9706a5046f3b3373762ba457772daa3af80d (patch) | |
tree | 45a2e4e2f4df95e0499f6a7877444d1213fd8baa | |
parent | dev-java/relaxng-datatype: keyword ~arm64 (diff) | |
app-text/evince: remove support for tar-like compressed comics files (CBT) for security
The support for tar compressed comics files will come back in a future version via
libarchive. Until then this is disabled due to security issue CVE-2017-1000083.
Other comics formats should still work.
Gentoo-bug: 624876
Package-Manager: Portage-2.3.5, Repoman-2.3.2
-rw-r--r-- | app-text/evince/evince-3.22.1-r1.ebuild | 102 | ||||
-rw-r--r-- | app-text/evince/files/3.22.1-CVE-2017-1000083.patch | 130 |
2 files changed, 232 insertions, 0 deletions
diff --git a/app-text/evince/evince-3.22.1-r1.ebuild b/app-text/evince/evince-3.22.1-r1.ebuild
new file mode 100644
index 000000000000..862b8c1b9f19
--- /dev/null
+++ b/app-text/evince/evince-3.22.1-r1.ebuild
@@ -0,0 +1,102 @@
+# Copyright 1999-2017 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=6
+GNOME2_LA_PUNT="yes"
+
+inherit gnome2 systemd
+
+DESCRIPTION="Simple document viewer for GNOME"
+HOMEPAGE="https://wiki.gnome.org/Apps/Evince"
+
+LICENSE="GPL-2+ CC-BY-SA-3.0"
+# subslot = evd3.(suffix of libevdocument3)-evv3.(suffix of libevview3)
+SLOT="0/evd3.4-evv3.3"
+IUSE="djvu dvi gstreamer gnome gnome-keyring +introspection nautilus nsplugin +postscript t1lib tiff xps"
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~ia64 ~mips ~ppc ~ppc64 ~sparc ~x86 ~x86-fbsd ~amd64-linux ~x86-linux ~x64-solaris"
+
+# atk used in libview
+# gdk-pixbuf used all over the place
+COMMON_DEPEND="
+ dev-libs/atk
+ >=dev-libs/glib-2.36:2[dbus]
+ >=dev-libs/libxml2-2.5:2
+ sys-libs/zlib:=
+ x11-libs/gdk-pixbuf:2
+ >=x11-libs/gtk+-3.16.0:3[introspection?]
+ gnome-base/gsettings-desktop-schemas
+ >=x11-libs/cairo-1.10:=
+ >=app-text/poppler-0.33[cairo]
+ djvu? ( >=app-text/djvu-3.5.22:= )
+ dvi? (
+ virtual/tex-base
+ dev-libs/kpathsea:=
+ t1lib? ( >=media-libs/t1lib-5:= ) )
+ gstreamer? (
+ media-libs/gstreamer:1.0
+ media-libs/gst-plugins-base:1.0
+ media-libs/gst-plugins-good:1.0 )
+ gnome? ( gnome-base/gnome-desktop:3= )
+ gnome-keyring? ( >=app-crypt/libsecret-0.5 )
+ introspection? ( >=dev-libs/gobject-introspection-1:= )
+ nautilus? ( >=gnome-base/nautilus-2.91.4[introspection?] )
+ postscript? ( >=app-text/libspectre-0.2:= )
+ tiff? ( >=media-libs/tiff-3.6:0= )
+ xps? ( >=app-text/libgxps-0.2.1:= )
+"
+RDEPEND="${COMMON_DEPEND}
+ gnome-base/gvfs
+ gnome-base/librsvg
+ || (
+ >=x11-themes/adwaita-icon-theme-2.17.1
+ >=x11-themes/hicolor-icon-theme-0.10 )
+"
+DEPEND="${COMMON_DEPEND}
+ app-text/docbook-xml-dtd:4.3
+ app-text/yelp-tools
+ dev-util/gdbus-codegen
+ >=dev-util/gtk-doc-am-1.13
+ >=dev-util/intltool-0.35
+ dev-util/itstool
+ sys-devel/gettext
+ virtual/pkgconfig
+"
+# eautoreconf needs:
+# app-text/yelp-tools
+
+PATCHES=(
+ "${FILESDIR}"/${PV}-CVE-2017-1000083.patch
+)
+
+src_prepare() {
+ gnome2_src_prepare
+
+ # Do not depend on adwaita-icon-theme, bug #326855, #391859
+ # https://bugs.freedesktop.org/show_bug.cgi?id=29942
+ sed -e 's/adwaita-icon-theme >= $ADWAITA_ICON_THEME_REQUIRED//g' \
+ -i configure || die "sed failed"
+}
+
+src_configure() {
+ gnome2_src_configure \
+ --disable-static \
+ --enable-pdf \
+ --enable-comics \
+ --enable-thumbnailer \
+ --with-platform=gnome \
+ --enable-dbus \
+ $(use_enable djvu) \
+ $(use_enable dvi) \
+ $(use_enable gstreamer multimedia) \
+ $(use_enable gnome libgnome-desktop) \
+ $(use_with gnome-keyring keyring) \
+ $(use_enable introspection) \
+ $(use_enable nautilus) \
+ $(use_enable nsplugin browser-plugin) \
+ $(use_enable postscript ps) \
+ $(use_enable t1lib) \
+ $(use_enable tiff) \
+ $(use_enable xps) \
+ BROWSER_PLUGIN_DIR="${EPREFIX}"/usr/$(get_libdir)/nsbrowser/plugins \
+ --with-systemduserunitdir="$(systemd_get_userunitdir)"
+}
diff --git a/app-text/evince/files/3.22.1-CVE-2017-1000083.patch b/app-text/evince/files/3.22.1-CVE-2017-1000083.patch
new file mode 100644
index 000000000000..9164c618145a
--- /dev/null
+++ b/app-text/evince/files/3.22.1-CVE-2017-1000083.patch
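Review bot: `--enable-comics` is passed unconditionally in src_configure, yet RDEPEND declares none of the external archivers the comics backend still locates at runtime; the bundled patch drops only the tar/bsdtar branches of `comics_check_decompress_command`, leaving the unzip, unrar and 7z lookups via `g_find_program_in_path` in place. That makes the remaining command-spawning code path depend on whatever happens to be installed, which the ebuild neither documents nor controls. At minimum a comment next to the flag would help the next maintainer, e.g. `# comics backend shells out to unzip/unrar/7z found in PATH at runtime; tar path removed by the CVE-2017-1000083 patch`. Whether those tools should become optional dependencies is a policy call I cannot settle from this hunk.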
@@ -0,0 +1,130 @@
+From: Bastien Nocera
+Date: Thu, 6 Jul 2017 20:02:00 +0200
+Subject: comics: Remove support for tar and tar-like commands
+
+When handling tar files, or using a command with tar-compatible syntax,
+to open comic-book archives, both the archive name (the name of the
+comics file) and the filename (the name of a page within the archive)
+are quoted to not be interpreted by the shell.
+
+But the filename is completely with the attacker's control and can start
+with "--" which leads to tar interpreting it as a command line flag.
+
+This can be exploited by creating a CBT file (a tar archive with the
+.cbt suffix) with an embedded file named something like this:
+"--checkpoint-action=exec=bash -c 'touch ~/hacked;'.jpg"
+
+CBT files are infinitely rare (CBZ is usually used for DRM-free
+commercial releases, CBR for those from more dubious provenance), so
+removing support is the easiest way to avoid the bug triggering. All
+this code was rewritten in the development release for GNOME 3.26 to not
+shell out to any command, closing off this particular attack vector.
+
+This also removes the ability to use libarchive's bsdtar-compatible
+binary for CBZ (ZIP), CB7 (7zip), and CBR (RAR) formats. The first two
+are already supported by unzip and 7zip respectively. libarchive's RAR
+support is limited, so unrar is a requirement anyway.
+
+Discovered by Felix Wilhelm from the Google Security Team.
+
+https://bugzilla.gnome.org/show_bug.cgi?id=784630
+---
+ backend/comics/comics-document.c | 40 +---------------------------------------
+ configure.ac | 2 +-
+ 2 files changed, 2 insertions(+), 40 deletions(-)
+
+diff --git a/backend/comics/comics-document.c b/backend/comics/comics-document.c
+index 96ed26e..3af119a 100644
+--- a/backend/comics/comics-document.c
++++ b/backend/comics/comics-document.c
+@@ -56,8 +56,7 @@ typedef enum
+ RARLABS,
+ GNAUNRAR,
+ UNZIP,
+- P7ZIP,
+- TAR
++ P7ZIP
+ } ComicBookDecompressType;
+
+ typedef struct _ComicsDocumentClass ComicsDocumentClass;
+@@ -117,9 +116,6 @@ static const ComicBookDecompressCommand command_usage_def[] = {
+
+ /* 7zip */
+ {NULL , "%s l -- %s" , "%s x -y %s -o%s", FALSE, OFFSET_7Z},
+-
+- /* tar */
+- {"%s -xOf" , "%s -tf %s" , NULL , FALSE, NO_OFFSET}
+ };
+
+ static GSList* get_supported_image_extensions (void);
+@@ -364,13 +360,6 @@ comics_check_decompress_command (gchar *mime_type,
+ comics_document->command_usage = GNAUNRAR;
+ return TRUE;
+ }
+- comics_document->selected_command =
+- g_find_program_in_path ("bsdtar");
+- if (comics_document->selected_command) {
+- comics_document->command_usage = TAR;
+- return TRUE;
+- }
+-
+ } else if (g_content_type_is_a (mime_type, "application/x-cbz") ||
+ g_content_type_is_a (mime_type, "application/zip")) {
+ /* InfoZIP's unzip program */
+@@ -396,12 +385,6 @@ comics_check_decompress_command (gchar *mime_type,
+ comics_document->command_usage = P7ZIP;
+ return TRUE;
+ }
+- comics_document->selected_command =
+- g_find_program_in_path ("bsdtar");
+- if (comics_document->selected_command) {
+- comics_document->command_usage = TAR;
+- return TRUE;
+- }
+
+ } else if (g_content_type_is_a (mime_type, "application/x-cb7") ||
+ g_content_type_is_a (mime_type, "application/x-7z-compressed")) {
+@@ -425,27 +408,6 @@ comics_check_decompress_command (gchar *mime_type,
+ comics_document->command_usage = P7ZIP;
+ return TRUE;
+ }
+- comics_document->selected_command =
+- g_find_program_in_path ("bsdtar");
+- if (comics_document->selected_command) {
+- comics_document->command_usage = TAR;
+- return TRUE;
+- }
+- } else if (g_content_type_is_a (mime_type, "application/x-cbt") ||
+- g_content_type_is_a (mime_type, "application/x-tar")) {
+- /* tar utility (Tape ARchive) */
+- comics_document->selected_command =
+- g_find_program_in_path ("tar");
+- if (comics_document->selected_command) {
+- comics_document->command_usage = TAR;
+- return TRUE;
+- }
+- comics_document->selected_command =
+- g_find_program_in_path ("bsdtar");
+- if (comics_document->selected_command) {
+- comics_document->command_usage = TAR;
+- return TRUE;
+- }
+ } else {
+ g_set_error (error,
+ EV_DOCUMENT_ERROR,
+diff --git a/configure.ac b/configure.ac
+index 36e866a..26a1a7d 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -795,7 +795,7 @@ AC_SUBST(TIFF_MIME_TYPES)
+ AC_SUBST(APPDATA_TIFF_MIME_TYPES)
+ AM_SUBST_NOTMAKE(APPDATA_TIFF_MIME_TYPES)
+ if test "x$enable_comics" = "xyes"; then
+- COMICS_MIME_TYPES="application/x-cbr;application/x-cbz;application/x-cb7;application/x-cbt;application/x-ext-cbr;application/x-ext-cbz;application/vnd.comicbook+zip;application/x-ext-cb7;application/x-ext-cbt"
++ COMICS_MIME_TYPES="application/x-cbr;application/x-cbz;application/x-cb7;application/x-ext-cbr;application/x-ext-cbz;application/vnd.comicbook+zip;application/x-ext-cb7;"
+ APPDATA_COMICS_MIME_TYPES=$(echo "<mimetype>$COMICS_MIME_TYPES</mimetype>" | sed -e 's/;/<\/mimetype>\n <mimetype>/g')
+ if test -z "$EVINCE_MIME_TYPES"; then
+ EVINCE_MIME_TYPES="${COMICS_MIME_TYPES}"
+--
+cgit v0.12
+
|
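Review bot: The new `COMICS_MIME_TYPES` value in the configure.ac hunk keeps a trailing `;` after `application/x-ext-cb7`, and the `APPDATA_COMICS_MIME_TYPES` line directly below turns every `;` into `</mimetype>\n <mimetype>`, so the generated appdata now ends with an empty `<mimetype></mimetype>` element that the old value (ending in `application/x-ext-cbt`) did not produce. Dropping the final semicolon, `COMICS_MIME_TYPES="application/x-cbr;application/x-cbz;application/x-cb7;application/x-ext-cbr;application/x-ext-cbz;application/vnd.comicbook+zip;application/x-ext-cb7"`, keeps the list well-formed. Since this file carries an upstream commit verbatim, the amendment would have to be made locally or picked up from upstream. Note also that the comics-document.c hunks remove only the tar and bsdtar branches; the unzip, unrar and 7z commands are still assembled from the `command_usage_def` format strings and run against archive member names, which the upstream message itself says was only closed off by the 3.26 rewrite, so this patch is a mitigation for the reported case rather than a fix for the underlying design.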