Created attachment 184333
Document CVE-2017-1000083 (evince)

The comic book backend in evince 3.24.0 (and earlier) is vulnerable to a command injection bug that can be used to execute arbitrary commands when a cbt file is opened. The evince port in FreeBSD builds with Comic book archives support enabled by default (COMICS=on).

* Upstream bug report with details: https://bugzilla.gnome.org/show_bug.cgi?id=784630

While the report itself only mentions version 3.24.0, the patch has been backported to earlier versions, and Debian has issued a DSA for all its supported versions, so I'm assuming everything up to and including 3.24.0 is vulnerable to this:

* https://security-tracker.debian.org/tracker/CVE-2017-1000083

Also affected is graphics/atril, a fork of Evince for the MATE desktop, I'm assuming up to and including 1.19.0:

* https://github.com/mate-desktop/atril/issues/257

Attached is a patch for vuxml.
A commit references this bug:

Author: swills
Date: Tue Aug 22 18:22:06 UTC 2017
New revision: 448575

URL: https://svnweb.freebsd.org/changeset/ports/448575

Log:
  Document security vulnerability in evince and atril

  PR:		220713
  Submitted by:	Vladimir Krstulja <vlad-fbsd@acheronmedia.com>

Changes:
  head/security/vuxml/vuln.xml
Committed, thanks!