Your message dated Tue, 18 Feb 2020 21:32:08 +0000
with message-id <[email protected]>
and subject line Bug#927820: fixed in evince 3.30.2-3+deb10u1
has caused the Debian Bug report #927820,
regarding evince: CVE-2019-11459: Uninitialized memory read
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
927820: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=927820
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: evince
Version: 3.30.2-3
Severity: important
Tags: security upstream
Control: clone -1 -2
Control: reassign -2 src:atril 1.20.3-1
Control: retitle -2 atril: CVE-2019-11459: Uninitialized memory read
Control: forwarded -1 https://gitlab.gnome.org/GNOME/evince/issues/1129
Hi,
The following vulnerability was published for evince (and same issue
in atril, thus cloning the bug).
CVE-2019-11459[0]:
| The tiff_document_render() and tiff_document_get_thumbnail() functions
| in the TIFF document backend in GNOME Evince through 3.32.0 did not
| handle errors from TIFFReadRGBAImageOriented(), leading to
| uninitialized memory use when processing certain TIFF image files.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2019-11459
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11459
[1] https://gitlab.gnome.org/GNOME/evince/issues/1129
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
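As an added illustration (not code from evince, atril or libtiff) of the bug pattern the report describes, the block below contrasts the unchecked call with the guarded one. The decoder is a constructed stand-in modelled on TIFFReadRGBAImageOriented(), which returns 1 on success and 0 on failure and leaves the caller's raster as it was; the real TIFF parsing is not reproduced.

```c
/* Added example (not evince's code): models the unchecked-return bug behind
 * CVE-2019-11459 and the guard the fix introduces. The decoders below are
 * constructed stand-ins for libtiff's TIFFReadRGBAImageOriented(), which
 * returns 1 on success and 0 on failure; on failure the raster buffer is
 * left exactly as the caller allocated it, i.e. uninitialized. */
#include <stdint.h>
#include <stdlib.h>

/* Signature modelled on TIFFReadRGBAImageOriented: fills width*height
 * 32-bit RGBA pixels into raster and returns 1, or returns 0 on error. */
typedef int (*rgba_reader)(uint32_t *raster, uint32_t width, uint32_t height);

/* Stand-in decoder that succeeds: every pixel becomes opaque red. */
static int reader_ok(uint32_t *raster, uint32_t w, uint32_t h) {
    for (uint32_t i = 0; i < w * h; i++) raster[i] = 0xff0000ffu;
    return 1;
}

/* Stand-in decoder that fails, as a truncated or malformed TIFF would. */
static int reader_fail(uint32_t *raster, uint32_t w, uint32_t h) {
    (void)raster; (void)w; (void)h;
    return 0; /* raster untouched: still uninitialized malloc() memory */
}

/* Before the fix: the return value is dropped, so on failure the
 * uninitialized raster is handed on as if it held decoded pixels. */
uint32_t *render_unchecked(rgba_reader read, uint32_t w, uint32_t h) {
    uint32_t *pixels = malloc((size_t)w * h * sizeof *pixels);
    if (pixels == NULL) return NULL;
    read(pixels, w, h);          /* result ignored: the CVE pattern */
    return pixels;
}

/* After the fix: a zero return is a hard error; release the buffer and
 * report failure so nothing downstream reads the uninitialized pixels. */
uint32_t *render_checked(rgba_reader read, uint32_t w, uint32_t h) {
    uint32_t *pixels = malloc((size_t)w * h * sizeof *pixels);
    if (pixels == NULL) return NULL;
    if (!read(pixels, w, h)) {
        free(pixels);
        return NULL;
    }
    return pixels;
}
```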
--- Begin Message ---
Source: evince
Source-Version: 3.30.2-3+deb10u1
Done: Salvatore Bonaccorso <[email protected]>
We believe that the bug you reported is fixed in the latest version of
evince, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Salvatore Bonaccorso <[email protected]> (supplier of updated evince package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
Format: 1.8
Date: Wed, 12 Feb 2020 21:46:12 +0100
Source: evince
Architecture: source
Version: 3.30.2-3+deb10u1
Distribution: buster-security
Urgency: high
Maintainer: Debian GNOME Maintainers <[email protected]>
Changed-By: Salvatore Bonaccorso <[email protected]>
Closes: 927820
Changes:
evince (3.30.2-3+deb10u1) buster-security; urgency=high
.
* Non-maintainer upload by the Security Team.
* tiff: Handle failure from TIFFReadRGBAImageOriented (CVE-2019-11459)
(Closes: #927820)
--- End Message ---