Your message dated Fri, 27 Sep 2019 09:34:41 +0000
with message-id <[email protected]>
and subject line Bug#927820: fixed in evince 3.32.0-3
has caused the Debian Bug report #927820,
regarding evince: CVE-2019-11459: Uninitialized memory read
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
927820: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=927820
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: evince
Version: 3.30.2-3
Severity: important
Tags: security upstream
Control: clone -1 -2
Control: reassign -2 src:atril 1.20.3-1
Control: retitle -2 atril: CVE-2019-11459: Uninitialized memory read
Control: forwarded -1 https://gitlab.gnome.org/GNOME/evince/issues/1129

Hi,

The following vulnerability was published for evince (and same issue
in atril, thus cloning the bug).

CVE-2019-11459[0]:
| The tiff_document_render() and tiff_document_get_thumbnail() functions
| in the TIFF document backend in GNOME Evince through 3.32.0 did not
| handle errors from TIFFReadRGBAImageOriented(), leading to
| uninitialized memory use when processing certain TIFF image files.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-11459
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11459
[1] https://gitlab.gnome.org/GNOME/evince/issues/1129

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
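The shape of the bug described in the CVE text above, as an added example that is not evince, atril or libtiff code: fake_decode is a constructed stand-in that only mirrors the success/failure contract of TIFFReadRGBAImageOriented(), render_unchecked is the pre-fix pattern (result ignored, buffer returned regardless) and render_checked is the pattern the upstream fix applies.

```c
#include <stdint.h>
#include <stdlib.h>

/* Same contract as libtiff's TIFFReadRGBAImageOriented(): fill the caller's raster,
 * return 1 on success, 0 on failure; on failure the raster contents are unspecified. */
typedef int (*decode_fn)(const uint8_t *src, size_t srclen, uint32_t *raster, size_t n);

/* Constructed stand-in decoder (not libtiff): one grey ARGB pixel per input byte.
 * Short input fails like a truncated TIFF strip, after writing what it could. */
static int fake_decode(const uint8_t *src, size_t srclen, uint32_t *raster, size_t n)
{
    size_t have = srclen < n ? srclen : n;
    for (size_t i = 0; i < have; i++)
        raster[i] = 0xFF000000u | (uint32_t)src[i] * 0x010101u;
    return srclen >= n;
}

/* Vulnerable shape (pre-fix): the result is ignored, so on failure the untouched
 * tail of the malloc'd raster, i.e. stale heap bytes, is handed out as image data. */
uint32_t *render_unchecked(decode_fn decode, const uint8_t *src, size_t srclen,
                           size_t w, size_t h)
{
    uint32_t *raster = malloc(w * h * sizeof *raster);
    if (!raster) return NULL;
    decode(src, srclen, raster, w * h);           /* return value dropped */
    return raster;
}

/* Fixed shape (what the upstream patch does): check the result, free the buffer
 * and return NULL rather than a partially filled raster. */
uint32_t *render_checked(decode_fn decode, const uint8_t *src, size_t srclen,
                         size_t w, size_t h)
{
    uint32_t *raster = malloc(w * h * sizeof *raster);
    if (!raster) return NULL;
    if (!decode(src, srclen, raster, w * h)) { free(raster); return NULL; }
    return raster;
}

static const uint8_t img[4] = {0x10, 0x20, 0x30, 0x40};  /* constructed 2x2 image */

/* 1 if the fixed path rejects img truncated to 2 bytes but decodes all 4 bytes. */
int check_fix(void)
{
    uint32_t *bad  = render_checked(fake_decode, img, 2, 2, 2);
    uint32_t *good = render_checked(fake_decode, img, 4, 2, 2);
    int ok = !bad && good && good[0] == 0xFF101010u && good[3] == 0xFF404040u;
    free(good);
    return ok;
}
```

Calling render_unchecked with the same truncated input still yields a non-NULL raster whose last two pixels were never written, which is exactly what a viewer would then draw.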
--- Begin Message ---
Source: evince
Source-Version: 3.32.0-3

We believe that the bug you reported is fixed in the latest version of
evince, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Simon McVittie <[email protected]> (supplier of updated evince package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Fri, 27 Sep 2019 09:52:04 +0100
Source: evince
Architecture: source
Version: 3.32.0-3
Distribution: unstable
Urgency: medium
Maintainer: Debian GNOME Maintainers <[email protected]>
Changed-By: Simon McVittie <[email protected]>
Closes: 927820 930707
Changes:
 evince (3.32.0-3) unstable; urgency=medium
 .
   * Team upload
   * d/tests/libevince-dev: Add a superficial build test
   * Use debhelper-compat 12
   * Enable gir and gnome debhelper addons via dh-sequence-*
     build-dependencies
   * d/*.symbols: Add Build-Depends-Package field
   * Standards-Version: 4.4.0 (no changes required)
   * Set Rules-Requires-Root to no
   * Update AppArmor profiles from Ubuntu (thanks to Jamie Strandboge):
     + debian/apparmor-profile:
       - allow 'rk' on @{HOME}/.config/enchant/* in evince
       - add additional org.gtk.vfs rules for metadata and List* DBus APIs
       - silence noisy denial for mktexpk, mktextfm, dvipdfm, dvipdfmx and
         mkofm since, with the new gnome-desktop3 sandboxed invocation,
         NO_NEW_PRIVS blocks the transition to sanitized_helper. In addition,
         thumbnails are generated just fine without these
       - allow access to @{PROC}/@{pid}/fd/, @{PROC}/@{pid}/mountinfo and
         /sys/devices/system/cpu/ in the thumbnailer (needed by some helpers)
       - allow 'r' on @{HOME}/.texmf*/** in the thumbnailer
       - update gnome-desktop and add evince-thumbnailer /tmp file paths
       - allow read on '/' and deny write on /missfont.log which is happening
         now due to new sandboxed thumbnailer invocation
     + debian/apparmor-profile.abstraction: allow directory read on
       /var/lib/texmf
     (Closes: #930707)
   * d/p/tiff-Handle-failure-from-TIFFReadRGBAImageOriented.patch:
     Add patch from upstream to avoid displaying uninitialized memory if
     TIFFReadRGBAImageOriented fails. Thanks to Leonidas S. Barbosa / Ubuntu.
     (Closes: #927820, CVE-2019-11459)
   * Remove migration path from legacy -dbg package older than Debian 9
Checksums-Sha1:
 b5d395311a0655a7de6ba0b36e781572ca76ab97 3294 evince_3.32.0-3.dsc
 8f6cf7859e0bc1741540e4f9c47a1ed4820c2f60 31936 evince_3.32.0-3.debian.tar.xz
 012d35a17655f2f6ee61d2ebc9fce3f84a5a52e9 18549 evince_3.32.0-3_source.buildinfo
Checksums-Sha256:
 7d612b06847d828d14ea13ae5d35f57f5d2716785282c1adf204c8e36d96c864 3294 evince_3.32.0-3.dsc
 edb2f62b01f6a18cc5998055be7860a7cf0f8325d8413b122a15be25065e1d1d 31936 evince_3.32.0-3.debian.tar.xz
 7eb595d114c130d9af5909c67775a41d1a03711c6727effa191a5248d6c7dfcb 18549 evince_3.32.0-3_source.buildinfo
Files:
 d413e3379ec791a01dcd44305f87621c 3294 gnome optional evince_3.32.0-3.dsc
 6fa7c4170a6153e9b6d5ae151d0942df 31936 gnome optional evince_3.32.0-3.debian.tar.xz
 9cdbbec0eb0eb8d61841fcfddb060a26 18549 gnome optional evince_3.32.0-3_source.buildinfo


--- End Message ---
