commit c21325b2fb2ab1ec8ebf81bccb62b6d90b7cfbd1
Author: Matej Urbančič
Date:   2017-07-21

    Updated Slovenian translation

M po/sl.po

commit 272979c4f5bb03ae81d3512d8f1974f82753ff38
Author: Bastien Nocera
Date:   2017-07-17

    comics: Fix extra ";" leading to a warning during installation

    The concatenated mime-types end up with a ...mime-type;;mime-type...
    pattern, an empty mime-type, which update-desktop-database doesn't like.

    Error in file "/usr/share/applications/evince.desktop": "" is an invalid MIME type ("" does not contain a subtype)

    See https://bugzilla.redhat.com/show_bug.cgi?id=1471474

    https://bugzilla.gnome.org/show_bug.cgi?id=785026

M configure.ac

commit fa072dbbfd964e85b4a54f8e34751cf62c77d0ea
Author: Bastien Nocera
Date:   2017-07-06

    comics: Remove support for tar and tar-like commands

    When handling tar files, or using a command with tar-compatible syntax,
    to open comic-book archives, both the archive name (the name of the
    comics file) and the filename (the name of a page within the archive)
    are quoted to not be interpreted by the shell.

    But the filename is completely within the attacker's control and can
    start with "--" which leads to tar interpreting it as a command line flag.

    This can be exploited by creating a CBT file (a tar archive with the
    .cbt suffix) with an embedded file named something like this:
    "--checkpoint-action=exec=bash -c 'touch ~/hacked;'.jpg"

    CBT files are infinitely rare (CBZ is usually used for DRM-free
    commercial releases, CBR for those from more dubious provenance), so
    removing support is the easiest way to avoid the bug triggering. All
    this code was rewritten in the development release for GNOME 3.26 to not
    shell out to any command, closing off this particular attack vector.

    This also removes the ability to use libarchive's bsdtar-compatible
    binary for CBZ (ZIP), CB7 (7zip), and CBR (RAR) formats. The first two
    are already supported by unzip and 7zip respectively. libarchive's RAR
    support is limited, so unrar is a requirement anyway.

    Discovered by Felix Wilhelm from the Google Security Team.

    https://bugzilla.gnome.org/show_bug.cgi?id=784630

M backend/comics/comics-document.c
M configure.ac

commit 5b9b83cda1b5521387df111c04b7d8fde28a9e86
Author: Rafael Fontenelle
Date:   2017-03-04

    Update Brazilian Portuguese translation

A help/pt_BR/figures/add-text-annotation.png
A help/pt_BR/figures/annotations-nav-to-page.png
A help/pt_BR/figures/annotations-navigate.png
A help/pt_BR/figures/list-add-tabs.png
A help/pt_BR/figures/print-select.png
A help/pt_BR/figures/reverse-collate.png
A help/pt_BR/figures/zoom.png
M help/pt_BR/pt_BR.po

commit 064e1e5218c898ea63410026058b93750031c1dc
Author: Daniel Mustieles
Date:   2016-11-21

    Update Spanish translation

M po/es.po

commit 2aa64c7e9eef1994666a339923580d4925db9eff
Author: hosiet <073plan@gmail.com>
Date:   2016-10-30

    Update zh_CN translation

M po/zh_CN.po

commit db0586295f122751c5a46b30b152dee7a6bcd251
Author: Kjartan Maraas
Date:   2016-10-15

    Updated Norwegian bokmål translation.

M po/nb.po

commit ca4868faa3ecc2e4f4962f86820e090682502274
Author: Carlos Garcia Campos
Date:   2016-10-12

    release: 3.22.1

M NEWS
M configure.ac
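
The commit "comics: Remove support for tar and tar-like commands" above notes that shell quoting does not stop a member name beginning with "--" from being parsed as a flag. The following C code is an added example, not Evince code and not the fix that commit applied (which removed tar support): it shows the general defence for any caller that must pass an untrusted name to a getopt-style tool, assuming the tool honours the "--" end-of-options marker. The function names, `book.cbt` and the member name are constructed for illustration.

```c
/* Added example: constructed inputs, not Evince code. */
#include <stdio.h>
#include <string.h>

/* Simplified model of a getopt-style parser (GNU tar permutes argv, so
 * options are recognised anywhere before a literal "--"): returns 1 if
 * argv[idx] would be treated as an option rather than a file operand. */
int parsed_as_option(const char *const argv[], int idx)
{
    for (int i = 1; i < idx; i++)
        if (strcmp(argv[i], "--") == 0)
            return 0;               /* end-of-options marker seen earlier */
    return argv[idx][0] == '-' && argv[idx][1] != '\0';
}

/* Build argv for "tar -xOf ARCHIVE -- MEMBER", meant for execvp() so no
 * shell is involved. Returns the index of MEMBER, or -1 on bad input. */
int build_extract_argv(const char *archive, const char *member,
                       const char *argv[], int cap)
{
    if (cap < 6 || !archive || !member || !*archive || !*member)
        return -1;
    argv[0] = "tar";
    argv[1] = "-xOf";   /* -f consumes the next element as its argument */
    argv[2] = archive;
    argv[3] = "--";     /* everything after this is an operand */
    argv[4] = member;
    argv[5] = NULL;
    return 4;
}

int main(void)
{
    const char *member = "--example-flag=value.jpg";   /* constructed name */
    const char *naive[] = { "tar", "-xOf", "book.cbt", member, NULL };
    const char *safe[6];
    int idx = build_extract_argv("book.cbt", member, safe, 6);

    printf("naive:    option=%d\n", parsed_as_option(naive, 3));
    printf("hardened: option=%d\n", parsed_as_option(safe, idx));
    return 0;
}
```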