CESA-2017:2388 -- centos 7 evince
ID: oval:org.secpod.oval:def:204606 | Date: (C)2018-04-30 (M)2022-10-10 |
Class: PATCH | Family: unix |
The evince packages provide a simple multi-page document viewer for Portable Document Format, PostScript, Encapsulated PostScript files, and, with additional back-ends, also the Device Independent File format files.

Security Fix:

* It was found that evince did not properly sanitize the command line which is run to untar Comic Book Tar files, thereby allowing command injection. A specially crafted CBT file, when opened by evince or evince-thumbnailer, could execute arbitrary commands in the context of the evince program.

Red Hat would like to thank Felix Wilhelm for reporting this issue.