Main Vulnerability Database Vulnerabilities #VU7546

Code injection in Evince - CVE-2017-1000083

Published: July 14, 2017 / Updated: June 17, 2021

Vulnerability identifier: #VU7546

CSH Severity: High

CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A/U:Amber

CVE-ID: CVE-2017-1000083

CWE-ID: CWE-94

Exploitation vector: Remote access

Exploit availability: Public exploit is available

Vendor: Gnome Development Team

Affected software:
Evince

Detailed vulnerability description

The vulnerability allows a remote attacker to execute arbitrary commands.

The vulnerability exists due to insufficient sanitization of user-supplied data when processing tar comic book (cbt) files in evince. A remote attacker can create a speicially crafted "cbt" file, trick the victim into downloading it and execute arbitrary commands on vulnerable system.

Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.

How to mitigate CVE-2017-1000083

Update to version 3.25.0.

Sources

https://bugzilla.gnome.org/show_bug.cgi?id=784630

Code injection in Evince - CVE-2017-1000083

Detailed vulnerability description

How to mitigate CVE-2017-1000083

Sources

Please verify you're human