This bug was fixed in the package atril - 1.12.2-1ubuntu0.2
---
atril (1.12.2-1ubuntu0.2) xenial-security; urgency=medium
* SECURITY UPDATE: Command injection with cbt files (LP: #1735418).
- fix-CVE-2017-183.patch
- CVE-2017-183
-- Simon Quigley
Simon, thank you for preparing this update. I'll sponsor it as-is, but
honestly, I think evince's solution to drop support for cbt files
entirely (given their infrequent use as a comic-ebook format), rather
than try to blacklist all possible bad tar options, is the more
appropriate action to take.
** Changed in: atril (Ubuntu Xenial)
Status: Confirmed => In Progress
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1735418
Title:
[CVE] Command injection with cbt files
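As an added illustration (not atril or evince code, and not the patch shipped in this update), the following Python models the argument-injection class the comment above is weighing: a cbt file is a tar archive, and if a member name read from the archive listing is handed back to tar as a positional argument, a name that begins with "-" is parsed as an option rather than as a file name. The argv shapes, the member names and the simplified GNU-getopt-style parser are all assumptions constructed for this example; the real tar option handling is more involved.

```python
"""Argument injection through tar member names, modelled in Python.

Added example, not atril/evince code. Everything here is constructed:
the argv shapes, the member names, and a simplified GNU-getopt-style
parser standing in for tar's real option handling.
"""
from typing import List, Tuple

ARCHIVE = "comic.cbt"                    # constructed archive name
BENIGN_MEMBER = "page-001.jpg"           # constructed: an ordinary entry name
HOSTILE_MEMBER = "--some-tar-option=x"   # constructed: an entry name shaped like a long option

# Short options that consume the following argv element as their argument.
# For tar, -f takes the archive name.
SHORT_OPTS_WITH_ARG = {"f"}


def build_cmd_vulnerable(archive: str, member: str) -> List[str]:
    """Member name appended straight after the options (assumed vulnerable shape)."""
    return ["tar", "-xOf", archive, member]


def build_cmd_hardened(archive: str, member: str) -> List[str]:
    """End option parsing with a bare '--' so the member name is always an operand."""
    return ["tar", "-xOf", archive, "--", member]


def classify(argv: List[str]) -> List[Tuple[str, str]]:
    """Label each element after argv[0] the way a GNU-getopt-style parser would.

    Kinds: 'option', 'option-arg' (value consumed by an option such as -f),
    'operand' (positional argument). Everything after a bare '--' is an operand.
    """
    out: List[Tuple[str, str]] = []
    args = argv[1:]
    i = 0
    only_operands = False
    while i < len(args):
        a = args[i]
        if only_operands:
            out.append(("operand", a))
        elif a == "--":
            only_operands = True
            out.append(("option", a))
        elif a.startswith("--"):
            out.append(("option", a))
        elif a.startswith("-") and len(a) > 1:
            out.append(("option", a))
            # A short-option cluster whose last letter wants an argument takes
            # the next argv element, even if that element starts with '-'.
            if a[-1] in SHORT_OPTS_WITH_ARG and i + 1 < len(args):
                i += 1
                out.append(("option-arg", args[i]))
        else:
            out.append(("operand", a))
        i += 1
    return out


def injected_options(argv: List[str], untrusted: str) -> List[str]:
    """Return the untrusted value wherever it would be parsed as an option."""
    return [v for kind, v in classify(argv) if kind == "option" and v == untrusted]


if __name__ == "__main__":
    for label, builder in (("vulnerable", build_cmd_vulnerable), ("hardened", build_cmd_hardened)):
        argv = builder(ARCHIVE, HOSTILE_MEMBER)
        print(label, argv)
        for kind, value in classify(argv):
            print(f"  {kind:10s} {value}")
```

The "--" separator is only one mitigation: it stops the member name from being read as an option but does nothing about a handler that still shells out to tar for every page, which is why the comment above prefers dropping cbt support outright, and why a blocklist of "bad" options is the weakest of the three choices.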
I have uploaded this fix to a fresh test PPA of mine with all
architectures enabled and only the security repo enabled. I then tested
this in an Ubuntu MATE Xenial VM, and it works as intended with the PoC
given on GitHub.
Security Team, feel free to copy my upload to your PPA:
** No longer affects: atril (Ubuntu Zesty)
Zesty is EOL.
** Changed in: atril (Ubuntu Zesty)
Status: Confirmed => Won't Fix
** Changed in: atril (Ubuntu Zesty)
Assignee: Simon Quigley (tsimonq2) => (unassigned)
** Changed in: atril (Ubuntu Bionic)
Status: Confirmed => Fix Released
** Changed in: atril (Ubuntu Artful)
Status: Confirmed => Fix Released