Diffstat (limited to 'app-text/evince/files/3.24.2-CVE-2017-1000159.patch')
-rw-r--r-- | app-text/evince/files/3.24.2-CVE-2017-1000159.patch | 42 |
1 files changed, 42 insertions, 0 deletions
diff --git a/app-text/evince/files/3.24.2-CVE-2017-1000159.patch b/app-text/evince/files/3.24.2-CVE-2017-1000159.patch
new file mode 100644
index 000000000000..80861fdc4dea
--- /dev/null
+++ b/app-text/evince/files/3.24.2-CVE-2017-1000159.patch
@@ -0,0 +1,42 @@
+From 350404c76dc8601e2cdd2636490e2afc83d3090e Mon Sep 17 00:00:00 2001
+From: Tobias Mueller <muelli@cryptobitch.de>
+Date: Fri, 14 Jul 2017 12:52:14 +0200
+Subject: [PATCH] dvi: Mitigate command injection attacks by quoting filename
+
+With commit 1fcca0b8041de0d6074d7e17fba174da36c65f99 came a DVI backend.
+It exports to PDF via the dvipdfm tool.
+It calls that tool with the filename of the currently loaded document.
+If that filename is cleverly crafted, it can escape the currently
+used manual quoting of the filename. Instead of manually quoting the
+filename, we use g_shell_quote.
+
+https://bugzilla.gnome.org/show_bug.cgi?id=784947
+---
+ backend/dvi/dvi-document.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/backend/dvi/dvi-document.c b/backend/dvi/dvi-document.c
+index 4a896e21..28877700 100644
+--- a/backend/dvi/dvi-document.c
++++ b/backend/dvi/dvi-document.c
+@@ -300,12 +300,14 @@ dvi_document_file_exporter_end (EvFileExporter *exporter)
+ gboolean success;
+
+ DviDocument *dvi_document = DVI_DOCUMENT(exporter);
++ gchar* quoted_filename = g_shell_quote (dvi_document->context->filename);
+
+- command_line = g_strdup_printf ("dvipdfm %s -o %s \"%s\"", /* dvipdfm -s 1,2,.., -o exporter_filename dvi_filename */
++ command_line = g_strdup_printf ("dvipdfm %s -o %s %s", /* dvipdfm -s 1,2,.., -o exporter_filename dvi_filename */
+ dvi_document->exporter_opts->str,
+ dvi_document->exporter_filename,
+- dvi_document->context->filename);
+-
++ quoted_filename);
++ g_free (quoted_filename);
++
+ success = g_spawn_command_line_sync (command_line,
+ NULL,
+ NULL,
+--
+2.17.0
+
|
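Review bot: `dvi_document->exporter_filename` is still formatted into the command line unquoted in the new `g_strdup_printf` call, so only the third argument gets the g_shell_quote treatment; an output path containing whitespace or quote characters would still be split or re-parsed when g_spawn_command_line_sync tokenises the string. Quote it the same way: `gchar *quoted_out = g_shell_quote (dvi_document->exporter_filename);`, pass `quoted_out` in place of the raw field, and `g_free (quoted_out);` after the format call. Quoting also does not stop a filename that begins with `-` from being read as an option by dvipdfm; whether such a name can reach this point is not visible from the hunk. Building an argv array and calling g_spawn_sync would remove the string-parsing step altogether. The body of dvi_document_file_exporter_end continues outside the hunk, so the later handling of `command_line` and `success` cannot be checked here.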