diff -Nru evince-3.10.3/debian/changelog evince-3.10.3/debian/changelog
--- evince-3.10.3/debian/changelog 2017-07-12 06:00:28.000000000 +0000
+++ evince-3.10.3/debian/changelog 2017-11-30 19:11:14.000000000 +0000
@@ -1,3 +1,12 @@
+evince (3.10.3-0ubuntu10.4) trusty-security; urgency=medium
+
+ * SECURITY UPDATE: command injection in dvi backend
+ - debian/patches/CVE-2017-1000159.patch: properly quote filename in
+ backend/dvi/dvi-document.c.
+ - CVE-2017-1000159
+
+ -- Marc Deslauriers Thu, 30 Nov 2017 14:11:14 -0500
+
 evince (3.10.3-0ubuntu10.3) trusty-security; urgency=medium
 
 * SECURITY UPDATE: command injection via cbt files
diff -Nru evince-3.10.3/debian/patches/CVE-2017-1000159.patch evince-3.10.3/debian/patches/CVE-2017-1000159.patch
--- evince-3.10.3/debian/patches/CVE-2017-1000159.patch 1970-01-01 00:00:00.000000000 +0000
+++ evince-3.10.3/debian/patches/CVE-2017-1000159.patch 2017-11-30 19:11:11.000000000 +0000
@@ -0,0 +1,39 @@
+From 350404c76dc8601e2cdd2636490e2afc83d3090e Mon Sep 17 00:00:00 2001
+From: Tobias Mueller
+Date: Fri, 14 Jul 2017 12:52:14 +0200
+Subject: dvi: Mitigate command injection attacks by quoting filename
+
+With commit 1fcca0b8041de0d6074d7e17fba174da36c65f99 came a DVI backend.
+It exports to PDF via the dvipdfm tool.
+It calls that tool with the filename of the currently loaded document.
+If that filename is cleverly crafted, it can escape the currently
+used manual quoting of the filename. Instead of manually quoting the
+filename, we use g_shell_quote.
+
+https://bugzilla.gnome.org/show_bug.cgi?id=784947
+---
+ backend/dvi/dvi-document.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+Index: evince-3.10.3/backend/dvi/dvi-document.c
+===================================================================
+--- evince-3.10.3.orig/backend/dvi/dvi-document.c 2017-11-30 14:11:08.769767642 -0500
++++ evince-3.10.3/backend/dvi/dvi-document.c 2017-11-30 14:11:08.729767122 -0500
+@@ -297,12 +297,14 @@ dvi_document_file_exporter_end (EvFileEx
+ gboolean success;
+
+ DviDocument *dvi_document = DVI_DOCUMENT(exporter);
++ gchar* quoted_filename = g_shell_quote (dvi_document->context->filename);
+
+- command_line = g_strdup_printf ("dvipdfm %s -o %s \"%s\"", /* dvipdfm -s 1,2,.., -o exporter_filename dvi_filename */
++ command_line = g_strdup_printf ("dvipdfm %s -o %s %s", /* dvipdfm -s 1,2,.., -o exporter_filename dvi_filename */
+ dvi_document->exporter_opts->str,
+ dvi_document->exporter_filename,
+- dvi_document->context->filename);
+-
++ quoted_filename);
++ g_free (quoted_filename);
++
+ success = g_spawn_command_line_sync (command_line,
+ NULL,
+ NULL,
diff -Nru evince-3.10.3/debian/patches/series evince-3.10.3/debian/patches/series
--- evince-3.10.3/debian/patches/series 2017-07-12 05:55:11.000000000 +0000
+++ evince-3.10.3/debian/patches/series 2017-11-30 19:11:07.000000000 +0000
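Review bot: `dvi_document->exporter_filename` is still interpolated unquoted into the `dvipdfm %s -o %s %s` string in dvi_document_file_exporter_end, so this change protects only the input filename. g_spawn_command_line_sync parses that string with shell-style rules, so an output path containing whitespace or quote characters would be split into separate dvipdfm arguments; where the path is set is not visible in the hunk, so whether it can carry such characters needs confirming. I would quote it the same way, `gchar *quoted_output = g_shell_quote (dvi_document->exporter_filename);`, pass `quoted_output` in its place and `g_free` it next to `quoted_filename`. The function body starts before the patched hunk and the g_spawn_command_line_sync call continues past it.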
@@ -5,3 +5,4 @@
 gtk310-secondary-keybindings.patch
 slash_to_search.patch
 CVE-2017-1000083.patch
+CVE-2017-1000159.patch