Package: atril / 1.8.1+dfsg1-4+deb8u1
Patch series

Patch: 0001_open multiple files.patch
Diffstat: 12 lines changed (9 added, 3 removed, 0 modified)
[patch] uses g_app_info_launch_uris instead of g_app_info_launch to spawn other sessions

Closes https://github.com/mate-desktop/atril/issues/86

Solution comes from evince code
Patch: 0002_forgotten mutex unlock.patch
Diffstat: 6 lines changed (4 added, 2 removed, 0 modified)
[patch] ev-jobs: don't forget to unlock the trylock'ed mutex
Patch: 2001_omit gfdl licensed help files.patch
don't build non-dfsg (gfdl 1.1 licensed) help files
Patch: 0003 CVE 2017 1000083 evince comics remove tar commands support 3 10 3.patch
[patch] comics: remove support for tar and tar-like commands

When handling tar files, or using a command with tar-compatible syntax, to open comic-book archives, both the archive name (the name of the comics file) and the filename (the name of a page within the archive) are quoted to not be interpreted by the shell. But the filename is completely within the attacker's control and can start with "--" which leads to tar interpreting it as a command line flag.

This can be exploited by creating a CBT file (a tar archive with the .cbt suffix) with an embedded file named something like this:

"--checkpoint-action=exec=bash -c 'touch ~/hacked;'.jpg"

CBT files are infinitely rare (CBZ is usually used for DRM-free commercial releases, CBR for those from more dubious provenance), so removing support is the easiest way to avoid the bug triggering.

All this code was rewritten in the development release for GNOME 3.26 to not shell out to any command, closing off this particular attack vector.

This also removes the ability to use libarchive's bsdtar-compatible binary for CBZ (ZIP), CB7 (7zip), and CBR (RAR) formats. The first two are already supported by unzip and 7zip respectively. libarchive's RAR support is limited, so unrar is a requirement anyway.

Discovered by Felix Wilhelm from the Google Security Team.

https://bugzilla.gnome.org/show_bug.cgi?id=784630
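The patch description above is a textbook case of argument injection: shell quoting stops the shell from interpreting a member name, but the program that receives it (tar here) still sees a positional argument beginning with "--" and parses it as an option. The following is an added example, not code from the atril or evince patch, showing the two defences a reviewer would ask for when a command line must be built from archive-controlled names: validate the member name before it reaches any argv, and end option parsing with "--" so the remaining arguments are positional. The function names and the sample member names are this example's own constructions; it builds argv lists without a shell and never executes tar itself.

```python
"""Added example (not part of the atril/evince patch): safe construction of
an archiver command line so that an attacker-controlled member name cannot be
parsed as an option by the invoked program.

Function and variable names are this example's own, not atril's API.
"""
import posixpath
import shlex
from typing import List


def is_safe_member_name(name: str) -> bool:
    """Reject archive member names that could be misparsed as options or
    escape the extraction directory."""
    if not name or name.startswith("-"):
        return False  # would be read as an option by tar/unzip/unrar
    if name.startswith("/") or "\x00" in name:
        return False  # absolute path or embedded NUL
    parts = posixpath.normpath(name).split("/")
    if any(p == ".." for p in parts):
        return False  # path traversal out of the extraction directory
    return True


def build_tar_extract_argv(archive: str, member: str) -> List[str]:
    """Build an argv list (no shell involved) that writes one member of a
    tar archive to stdout. Raises ValueError rather than emitting a
    dangerous command line."""
    if not is_safe_member_name(member):
        raise ValueError(f"unsafe member name: {member!r}")
    # "--" terminates option processing (getopt convention honoured by GNU
    # tar and bsdtar): both the archive and the member are positional from
    # here on, even if the validation above were ever bypassed.
    return ["tar", "-xOf", archive, "--", member]


def shell_quoting_is_not_enough(member: str) -> bool:
    """Demonstrate why quoting for the shell did not fix the original bug.

    shlex.quote() neutralises shell metacharacters, but once the shell has
    removed the quotes the archiver still receives an argument that starts
    with "-". Returns True when the quoted form, re-parsed as the shell
    would parse it, still yields a leading dash."""
    quoted = shlex.quote(member)
    reparsed = shlex.split(quoted)[0]
    return reparsed.startswith("-")


if __name__ == "__main__":
    # Constructed sample names: one benign page, one option-shaped name.
    for name in ("page001.jpg", "--checkpoint-action=exec=echo"):
        print(name, "safe" if is_safe_member_name(name) else "REJECTED",
              "| quoting alone helps:", not shell_quoting_is_not_enough(name))
    print(build_tar_extract_argv("book.cbt", "page001.jpg"))
```

The "--" separator and the name validation are complementary: the separator is what makes the call correct, the validation is what lets the reader log and reject a hostile archive instead of silently extracting a strangely named file. The same pattern applies to unzip, unrar and 7z front ends, each of which also accepts options by leading dash.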