./print/evince3, Document viewer

Branch: CURRENT, Version: 3.24.1nb2, Package name: evince-3.24.1nb2, Maintainer: pkgsrc-users

Evince is a document viewer for multiple document formats such as PDF, PostScript,
and many others.


Required to run:
[sysutils/desktop-file-utils] [sysutils/dbus-glib] [sysutils/dbus] [graphics/hicolor-icon-theme] [graphics/tiff] [graphics/librsvg] [databases/shared-mime-info] [devel/glib2] [print/libspectre] [x11/gtk3] [security/libsecret] [graphics/adwaita-icon-theme]

Required to build:
[pkgtools/x11-links] [x11/compositeproto] [x11/glproto] [x11/renderproto] [x11/xproto] [x11/xf86vidmodeproto] [x11/recordproto] [x11/xf86driproto] [x11/damageproto] [x11/inputproto] [x11/xextproto] [x11/randrproto] [x11/dri2proto] [x11/xcb-proto] [x11/fixesproto4] [pkgtools/cwrappers]

Package options: dbus

SHA1: 53f13c0b0369248ebe58b735fec18d3068d5ef22
RMD160: 202e8b0acb02327d074ff5ec425daf40d9c62804
Filesize: 3429.273 KB

CVS history:


   2017-10-16 00:31:02 by Patrick Welche | Files touched by this commit (12)
Log message:
Put gdbus-codegen back into operation

- Revert "Move gdbus-codegen users to py-glib2-tools by including
  glib2/buildtools.mk" 1f764df
- while here change to TOOL_DEPENDS
- switch from py-glib2-tools to glib2-tools
   2017-10-13 18:36:04 by Patrick Welche | Files touched by this commit (11)
Log message:
Move gdbus-codegen users to py-glib2-tools by including glib2/buildtools.mk
   2017-09-04 22:20:56 by Ryo ONODERA | Files touched by this commit (38) | Package updated
Log message:
Recursive revbump from poppler update
   2017-09-04 17:08:54 by Thomas Klausner | Files touched by this commit (38)
Log message:
Recursive bump for poppler 0.58 shlib bump.
   2017-08-27 18:08:06 by Patrick Welche | Files touched by this commit (6) | Package updated
Log message:
Update evince3 to 3.24.1

[ The CVE was already patched in 3.22.1nb6 by maya@ ]

================
Evince    3.24.1
================

Bug fixes:

    * Remove support for tar and tar-like commands in comics backend
      (CVE-2017-1000083, #784630, Bastien Nocera)
    * Improve performance of the links sidebar (#779614, Benjamin Berg)
    * Improve performance of scrolling in thumbnails sidebar (#691448,
      Nelson Benítez León)
    * Don't copy remote files before thumbnailing (#780351, Bastien
      Nocera)
    * Fix toggling layers that are not in the current visible range of
      pages (#780139, Georges Dupéron)
    * Fix ev_page_accessible_get_range_for_boundary() to ensure the
      start and end offsets it returns are within the allowed range
      (#777992, Jason Crain)
    * Fix crash with Orca screen reader (#777992, Jason Crain)

================
Evince    3.24.0
================

New features and improvements:

    * Ask the user before automatically reloading the document when
      it has been modified (#769123, Jose Aliste)
    * Use IBEAM cursor for TEXT_MARKUP annotations (#774018, Philipp Raich)

Bug fixes:

    * Hide search bar when entering presentation mode (#775536, Simon Nagl)
    * Sort bookmarks by page number instead of title (#772277, Felipe Borges)
    * Sort pages in natural order in comics backend (#770695, Felipe Borges)
    * Fix a crash due to an invalid access to the height page cache in
      continuous dual mode (#771612, Tobias Mueller)
    * Use Unicode in translatable strings (#774005, Piotr Drag)
    * Fix incorrect return type (#780206, Bastien Nocera)
   2017-08-15 13:40:25 by Niclas Rosenvik | Files touched by this commit (19) | Package updated
Log message:
Revbump due to poppler update to version 0.57.0.
   2017-07-14 07:31:21 by Maya Rashish | Files touched by this commit (5) | Package updated
Log message:
Patch CVE-2017-1000083

From 717df38fd8509bf883b70d680c9b1b3cf36732ee Mon Sep 17 00:00:00 2001
From: Bastien Nocera <hadess@hadess.net>
Date: Thu, 6 Jul 2017 20:02:00 +0200
Subject: [PATCH] comics: Remove support for tar and tar-like commands

When handling tar files, or using a command with tar-compatible syntax,
to open comic-book archives, both the archive name (the name of the
comics file) and the filename (the name of a page within the archive)
are quoted to not be interpreted by the shell.

But the filename is completely within the attacker's control and can start
with "--", which leads to tar interpreting it as a command line flag.

This can be exploited by creating a CBT file (a tar archive with the
.cbt suffix) with an embedded file named something like this:
"--checkpoint-action=exec=bash -c 'touch ~/hacked;'.jpg"

CBT files are infinitely rare (CBZ is usually used for DRM-free
commercial releases, CBR for those from more dubious provenance), so
removing support is the easiest way to avoid the bug triggering. All
this code was rewritten in the development release for GNOME 3.26 to not
shell out to any command, closing off this particular attack vector.

This also removes the ability to use libarchive's bsdtar-compatible
binary for CBZ (ZIP), CB7 (7zip), and CBR (RAR) formats. The first two
are already supported by unzip and 7zip respectively. libarchive's RAR
support is limited, so unrar is a requirement anyway.

Discovered by Felix Wilhelm from the Google Security Team.

https://bugzilla.gnome.org/show_bug.cgi?id=784630

Bump PKGREVISION
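The mechanism behind CVE-2017-1000083, as described in the commit message above and in the 3.24.1 NEWS entry, shown as an added example that is not part of this pkgsrc page or of evince's own code: the archive name and the member name are correctly quoted for the shell, so the shell hands tar exactly one argument, but a getopt/argp-style parser inside tar then reads a member name that begins with "--" as a long option. The example below models only the two stages that matter. shlex.quote stands in for the backend's quoting, and Python's getopt stands in for tar's option parser, fed an assumed subset of GNU tar's option table ("xOf:" plus "--checkpoint-action=", which is a real GNU tar option that runs a command during extraction). The archive name, the member names and the command lines are all constructed for the example. The hardened variant places "--" before the member name, which ends option parsing in getopt-style parsers.

```python
import getopt
import shlex

# Constructed inputs for this example (not taken from a real archive).
ARCHIVE = "comic.cbt"
BENIGN_MEMBER = "page-001.jpg"
# Member name of the shape given in the advisory: a valid filename inside a
# tar archive that is also a syntactically valid GNU tar long option.
EVIL_MEMBER = "--checkpoint-action=exec=bash -c 'touch ~/hacked;'.jpg"

# Assumed subset of GNU tar's option table: enough to model the extraction
# command 'tar -xOf ARCHIVE MEMBER' and the option abused in the advisory.
TAR_SHORT_OPTS = "xOf:"
TAR_LONG_OPTS = ["checkpoint-action="]


def build_command_vulnerable(archive, member):
    """Pre-fix pattern: every argument is quoted for the shell, nothing more."""
    return f"tar -xOf {shlex.quote(archive)} {shlex.quote(member)}"


def build_command_hardened(archive, member):
    """Hardened pattern: '--' ends option parsing, so the member name can
    only ever be an operand, whatever it starts with."""
    return f"tar -xOf {shlex.quote(archive)} -- {shlex.quote(member)}"


def simulate_tar(cmdline):
    """Model what happens after the shell: split the command line as /bin/sh
    would, then parse argv the way a getopt/argp-style tool does.
    Returns (options, operands); options is a list of (flag, value) pairs."""
    argv = shlex.split(cmdline)
    if argv[0] != "tar":
        raise ValueError("expected a tar command line")
    options, operands = getopt.gnu_getopt(argv[1:], TAR_SHORT_OPTS, TAR_LONG_OPTS)
    return options, operands


def injected_actions(options):
    """Values of any --checkpoint-action options that reached the parser.
    In real GNU tar each 'exec=...' value is a command run during extraction."""
    return [value for flag, value in options if flag == "--checkpoint-action"]


def shell_quoting_intact(cmdline, member):
    """True when the shell delivers the member name unchanged as a single argv
    element: the quoting is correct, which is exactly why it does not help."""
    return shlex.split(cmdline)[-1] == member


def is_option_like(member):
    """Cheap pre-check a caller could apply to member names read from an
    untrusted archive before passing them to any external tool."""
    return member.startswith("-")


if __name__ == "__main__":
    for label, builder in (("vulnerable", build_command_vulnerable),
                           ("hardened", build_command_hardened)):
        cmd = builder(ARCHIVE, EVIL_MEMBER)
        options, operands = simulate_tar(cmd)
        print(f"[{label}] {cmd}")
        print(f"  shell quoting intact: {shell_quoting_intact(cmd, EVIL_MEMBER)}")
        print(f"  operands seen by tar: {operands}")
        print(f"  injected actions:     {injected_actions(options)}")
```

Running the script shows the same member name arriving as an operand in the hardened case and as a --checkpoint-action option in the vulnerable case, with the shell quoting intact in both. The "--" terminator is a convention of getopt/argp-style parsers and GNU tar honours it, but each external tool a backend shells out to would have to be checked individually, which is why the upstream fix described above removes the tar code path rather than adjusting the command line.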
   2017-05-29 13:09:46 by Jonathan Perkin | Files touched by this commit (16)
Log message:
Recursive revision bump for archivers/libarchive.