SciLinux: SLSA-2017-2388-1 Important Evince Command Injection Mitigation

Synopsis:          Important: evince security update
Advisory ID:       SLSA-2017:2388-1
Issue Date:        2017-08-02
CVE Numbers:       CVE-2017-1000083
--

Security Fix(es):

* It was found that evince did not properly sanitize the command line
which is run to untar Comic Book Tar (CBT) files, thereby allowing command
injection. A specially crafted CBT file, when opened by evince or
evince-thumbnailer, could execute arbitrary commands in the context of the
evince program. (CVE-2017-1000083)
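The advisory names the bug class but not the offending code, so the following is an added illustration, not evince's source or its fix. It builds a small CBT archive in memory whose member name carries shell metacharacters (the archive, the member name and the `tar -xOf` invocation are all constructed for this example), then shows the two ways a reader might hand that name to tar: pasted into a shell command string, where the name becomes part of the command, and as an argv vector with a `--` separator, where it stays a filename. The final helper flags member names a thumbnailer should refuse before ever spawning a process.

```python
"""
Constructed example of the CBT command-injection pattern described in
SLSA-2017:2388-1, beside a hardened variant. Not evince code.
"""
import io
import shlex
import tarfile

# Constructed: a CBT member name that is also a shell command tail.
MALICIOUS_NAME = "page-001.jpg; touch /tmp/pwned #"

# Characters that change meaning if the name reaches /bin/sh unquoted.
# Space is deliberately absent: "Page 01.jpg" is a normal comic page name.
SHELL_META = set(';&|`$()<>\n\'"\\')


def build_cbt(member_names):
    """Return bytes of a tar archive holding one dummy JPEG per name."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name in member_names:
            data = b"\xff\xd8\xff"  # JPEG magic is enough for a fake page
            info = tarfile.TarInfo(name=name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def list_members(cbt_bytes):
    """Names of regular files in the archive, as a reader would list them."""
    with tarfile.open(fileobj=io.BytesIO(cbt_bytes), mode="r") as tar:
        return [m.name for m in tar.getmembers() if m.isfile()]


def vulnerable_command(archive_path, member):
    """Vulnerable pattern: untrusted member name pasted into a string that
    is later handed to a shell. The ';' in MALICIOUS_NAME ends the tar
    command and starts a second one."""
    return f"tar -xOf {archive_path} {member}"


def hardened_argv(archive_path, member):
    """Hardened pattern: an argv vector, executed without a shell, so no
    character in the name is interpreted. '--' ends option parsing so a
    member named '-something' cannot be read as a tar flag either."""
    return ["tar", "-xOf", archive_path, "--", member]


def shell_quoted_command(archive_path, member):
    """If a shell string is unavoidable, quote every untrusted token;
    shlex.quote yields the same tokens as hardened_argv after shell
    word-splitting."""
    return f"tar -xOf {shlex.quote(archive_path)} -- {shlex.quote(member)}"


def suspicious_members(names):
    """Member names a thumbnailer should reject before spawning anything:
    shell metacharacters or a leading '-' (would be parsed as an option)."""
    return [n for n in names
            if n.startswith("-") or any(c in SHELL_META for c in n)]


if __name__ == "__main__":
    cbt = build_cbt(["Page 01.jpg", MALICIOUS_NAME, "-rf"])
    names = list_members(cbt)
    print("members:", names)
    print("vulnerable:", vulnerable_command("book.cbt", MALICIOUS_NAME))
    print("hardened:  ", hardened_argv("book.cbt", MALICIOUS_NAME))
    print("quoted:    ", shell_quoted_command("book.cbt", MALICIOUS_NAME))
    print("rejected:  ", suspicious_members(names))
```

The argv form is the real fix for this class of bug: once no shell is involved, the member name cannot be anything but a filename, and the `--` closes the remaining option-injection avenue. Quoting is a fallback for code that must build a string, and the rejection list is a cheap belt-and-braces check for a sandboxed thumbnailer that processes untrusted downloads.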
--

SL7
  x86_64
    evince-3.22.1-5.2.el7_4.x86_64.rpm
    evince-debuginfo-3.22.1-5.2.el7_4.i686.rpm
    evince-debuginfo-3.22.1-5.2.el7_4.x86_64.rpm
    evince-dvi-3.22.1-5.2.el7_4.x86_64.rpm
    evince-libs-3.22.1-5.2.el7_4.i686.rpm
    evince-libs-3.22.1-5.2.el7_4.x86_64.rpm
    evince-nautilus-3.22.1-5.2.el7_4.x86_64.rpm
    evince-browser-plugin-3.22.1-5.2.el7_4.x86_64.rpm
    evince-devel-3.22.1-5.2.el7_4.i686.rpm
    evince-devel-3.22.1-5.2.el7_4.x86_64.rpm

- Scientific Linux Development Team