Your message dated Sun, 29 Sep 2019 20:41:30 +0000
with message-id <[email protected]>
and subject line Bug#927820: fixed in evince 3.34.0-1
has caused the Debian Bug report #927820,
regarding evince: CVE-2019-11459: Uninitialized memory read
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
927820: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=927820
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: evince
Version: 3.30.2-3
Severity: important
Tags: security upstream
Control: clone -1 -2
Control: reassign -2 src:atril 1.20.3-1
Control: retitle -2 atril: CVE-2019-11459: Uninitialized memory read
Control: forwarded -1 https://gitlab.gnome.org/GNOME/evince/issues/1129
Hi,
The following vulnerability was published for evince (and same issue
in atril, thus cloning the bug).
CVE-2019-11459[0]:
| The tiff_document_render() and tiff_document_get_thumbnail() functions
| in the TIFF document backend in GNOME Evince through 3.32.0 did not
| handle errors from TIFFReadRGBAImageOriented(), leading to
| uninitialized memory use when processing certain TIFF image files.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2019-11459
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11459
[1] https://gitlab.gnome.org/GNOME/evince/issues/1129
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
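The CVE text above describes the defect in one sentence: the return value of TIFFReadRGBAImageOriented() was ignored, so a TIFF that libtiff refused to decode left the freshly allocated raster untouched and Evince rendered whatever stale heap bytes were already there. The following C program is an added illustration of that failure mode and of the shape of the upstream fix; it is not Evince's or libtiff's code. `FakeTiff` and `fake_TIFFReadRGBAImageOriented()` are constructed stand-ins that keep libtiff's contract (1 on success, 0 on failure, raster untouched on failure), and the buffer is deliberately filled with a marker value so that "uninitialized" contents can be counted instead of being undefined behaviour.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/*
 * Constructed stand-in for a libtiff handle and for TIFFReadRGBAImageOriented().
 * Like the real function it returns 1 on success (raster filled) and 0 on
 * failure; on failure the raster is left exactly as the caller allocated it.
 * The `fail` flag simulates a TIFF file that libtiff cannot decode.
 */
typedef struct {
    uint32_t width;
    uint32_t height;
    int fail;
} FakeTiff;

#define STALE_PIXEL 0xCDCDCDCDu   /* stands in for whatever bytes malloc() hands back */
#define GOOD_PIXEL  0xFF00FF00u   /* opaque green, ABGR as libtiff packs it */

static int fake_TIFFReadRGBAImageOriented(FakeTiff *tif, uint32_t w, uint32_t h,
                                          uint32_t *raster)
{
    if (tif->fail)
        return 0;
    for (size_t i = 0; i < (size_t)w * h; i++)
        raster[i] = GOOD_PIXEL;
    return 1;
}

static uint32_t *alloc_raster(const FakeTiff *tif)
{
    size_t n = (size_t)tif->width * tif->height;
    uint32_t *px = malloc(n * sizeof *px);
    if (px)
        memset(px, 0xCD, n * sizeof *px);  /* make "uninitialized" contents observable */
    return px;
}

/* Pre-fix shape: the return value is ignored, so on failure the caller
 * goes on to draw whatever was already in the buffer. */
static uint32_t *render_unchecked(FakeTiff *tif)
{
    uint32_t *px = alloc_raster(tif);
    if (!px)
        return NULL;
    fake_TIFFReadRGBAImageOriented(tif, tif->width, tif->height, px);
    return px;
}

/* Post-fix shape: a failed decode frees the buffer and reports an error
 * instead of handing stale memory to the renderer. */
static uint32_t *render_checked(FakeTiff *tif)
{
    uint32_t *px = alloc_raster(tif);
    if (!px)
        return NULL;
    if (!fake_TIFFReadRGBAImageOriented(tif, tif->width, tif->height, px)) {
        free(px);
        return NULL;
    }
    return px;
}

static size_t count_stale_pixels(const uint32_t *px, size_t n)
{
    size_t stale = 0;
    for (size_t i = 0; i < n; i++)
        if (px[i] == STALE_PIXEL)
            stale++;
    return stale;
}

/* Exercise both paths on a constructed 4x4 image that fails to decode. */
static size_t demo_unchecked_stale_pixels(void)
{
    FakeTiff bad = { 4, 4, 1 };
    uint32_t *px = render_unchecked(&bad);
    size_t stale = px ? count_stale_pixels(px, 16) : 0;
    free(px);
    return stale;   /* 16: every pixel that would be displayed is stale memory */
}

static int demo_checked_rejects_failure(void)
{
    FakeTiff bad = { 4, 4, 1 };
    return render_checked(&bad) == NULL;   /* 1: the error is reported instead */
}

static size_t demo_checked_good_pixels(void)
{
    FakeTiff ok = { 4, 4, 0 };
    uint32_t *px = render_checked(&ok);
    size_t good = 0;
    if (px) {
        for (size_t i = 0; i < 16; i++)
            good += (px[i] == GOOD_PIXEL);
        free(px);
    }
    return good;   /* 16: a decodable image renders normally */
}
```

The same pattern applies to any decoder that fills a caller-supplied buffer and signals failure only through its return value: the buffer's contents are meaningless unless the call succeeded, so the check has to come before the buffer is handed to anything that draws, writes or hashes it. In a real build, MemorySanitizer or Valgrind flags the unchecked path as a use of uninitialised values; here the marker fill makes the leak countable.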
--- Begin Message ---
Source: evince
Source-Version: 3.34.0-1
We believe that the bug you reported is fixed in the latest version of
evince, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Jeremy Bicha <[email protected]> (supplier of updated evince package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sun, 29 Sep 2019 15:59:58 -0400
Source: evince
Architecture: source
Version: 3.34.0-1
Distribution: unstable
Urgency: medium
Maintainer: Debian GNOME Maintainers
<[email protected]>
Changed-By: Jeremy Bicha <[email protected]>
Closes: 927820 930707
Changes:
evince (3.34.0-1) unstable; urgency=medium
.
* New upstream release
* Bump minimum libglib2.0-dev to 2.38.0
* Drop tiff-Handle-failure patch: Applied in new release
.
evince (3.32.0-3) unstable; urgency=medium
.
* Team upload
* d/tests/libevince-dev: Add a superficial build test
* Use debhelper-compat 12
* Enable gir and gnome debhelper addons via dh-sequence-*
build-dependencies
* d/*.symbols: Add Build-Depends-Package field
* Standards-Version: 4.4.0 (no changes required)
* Set Rules-Requires-Root to no
* Update AppArmor profiles from Ubuntu (thanks to Jamie Strandboge):
+ debian/apparmor-profile:
- allow 'rk' on @{HOME}/.config/enchant/* in evince
- add additional org.gtk.vfs rules for metadata and List* DBus APIs
- silence noisy denial for mktexpk, mktextfm, dvipdfm, dvipdfmx and
mkofm since with the new gnome-desktop3 sandboxed invocation of
NO_NEW_PRIVS blocks transition to sanitized_helper. In addition,
thumbnails are generated just fine without these
- allow access to @{PROC}/@{pid}/fd/, @{PROC}/@{pid}/mountinfo and
/sys/devices/system/cpu/ in the thumbnailer (needed by some helpers)
- allow 'r' on @{HOME}/.texmf*/** in the thumbnailer
- update gnome-desktop and add evince-thumbnailer /tmp file paths
- allow read on '/' and deny write on /missfont.log which is happening
now due to new sandboxed thumbnailer invocation
+ debian/apparmor-profile.abstraction: allow directory read on
/var/lib/texmf
(Closes: #930707)
* d/p/tiff-Handle-failure-from-TIFFReadRGBAImageOriented.patch:
Add patch from upstream to avoid displaying uninitialized memory if
TIFFReadRGBAImageOriented fails. Thanks to Leonidas S. Barbosa / Ubuntu.
(Closes: #927820, CVE-2019-11459)
* Remove migration path from legacy -dbg package older than Debian 9
Checksums-Sha1:
90ec55bb3eb7d5ce40f6254f85b84ac92c588186 3156 evince_3.34.0-1.dsc
0023e0caa9f3126c3610a0829fb2e217de200c01 2553912 evince_3.34.0.orig.tar.xz
c6670313cd1bdb573f60d122e6d2d48b556f55ee 31264 evince_3.34.0-1.debian.tar.xz
9eb14f6d18271668749b8c8db14036e9fd425f60 20951 evince_3.34.0-1_source.buildinfo
Checksums-Sha256:
4b981b10c576125b80b1d2214500a55b770690900f5a2798cf69343158edf6e8 3156 evince_3.34.0-1.dsc
3297d16d2d1426f72ea090749ba72424d08eb133fbe4101e52a0b84999ad2a51 2553912 evince_3.34.0.orig.tar.xz
beedb5e6a4e7f2a5984084aa546e1be80495c51295b04577130818604d3146b1 31264 evince_3.34.0-1.debian.tar.xz
36e5473645275611abc8756a838690a2f60e8a64834c763bcba3c690f86cfea6 20951 evince_3.34.0-1_source.buildinfo
Files:
3184a304608c5133e5f019f52ad5f5e1 3156 gnome optional evince_3.34.0-1.dsc
2661be79fce1f64eb917f3304085a2e4 2553912 gnome optional evince_3.34.0.orig.tar.xz
459d81277cb1c5e5ee539c8f625f2427 31264 gnome optional evince_3.34.0-1.debian.tar.xz
8a3f33eb44dcccf8a71f66360d4a4529 20951 gnome optional evince_3.34.0-1_source.buildinfo
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---