Your message dated Tue, 18 Feb 2020 21:34:40 +0000
with message-id <[email protected]>
and subject line Bug#927820: fixed in evince 3.22.1-3+deb9u2
has caused the Debian Bug report #927820,
regarding evince: CVE-2019-11459: Uninitialized memory read
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
927820: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=927820
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: evince
Version: 3.30.2-3
Severity: important
Tags: security upstream
Control: clone -1 -2
Control: reassign -2 src:atril 1.20.3-1
Control: retitle -2 atril: CVE-2019-11459: Uninitialized memory read
Control: forwarded -1 https://gitlab.gnome.org/GNOME/evince/issues/1129

Hi,

The following vulnerability was published for evince (and same issue
in atril, thus cloning the bug).

CVE-2019-11459[0]:
| The tiff_document_render() and tiff_document_get_thumbnail() functions
| in the TIFF document backend in GNOME Evince through 3.32.0 did not
| handle errors from TIFFReadRGBAImageOriented(), leading to
| uninitialized memory use when processing certain TIFF image files.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-11459
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11459
[1] https://gitlab.gnome.org/GNOME/evince/issues/1129

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
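The unchecked-return pattern the CVE text above describes, as an added C example that is neither evince's nor libtiff's code: a constructed stand-in for TIFFReadRGBAImageOriented() (same 1-on-success, 0-on-failure contract) is called once from a render function shaped like the vulnerable one and once from a function that checks the result and discards the buffer, which is the shape of fix the changelog entry "tiff: Handle failure from TIFFReadRGBAImageOriented" refers to. The reader stubs, render_unchecked(), render_checked() and the helper names are all assumptions made for this example.

```c
#include <stdint.h>
#include <stdlib.h>

/* Stand-in for libtiff's TIFFReadRGBAImageOriented(): like the real call it
 * returns 1 on success and 0 on failure, and on failure the caller-supplied
 * raster may be left untouched.  Constructed for this example; not libtiff. */
typedef int (*rgba_reader_fn)(void *tif, uint32_t w, uint32_t h,
                              uint32_t *raster, int orientation, int stop_on_error);

/* Constructed readers standing in for a well-formed and a malformed TIFF. */
static int reader_ok(void *tif, uint32_t w, uint32_t h, uint32_t *raster,
                     int orientation, int stop_on_error) {
    (void)tif; (void)orientation; (void)stop_on_error;
    for (uint32_t i = 0; i < w * h; i++) raster[i] = 0xFF00FF00u; /* opaque green */
    return 1;
}
static int reader_fail(void *tif, uint32_t w, uint32_t h, uint32_t *raster,
                       int orientation, int stop_on_error) {
    (void)tif; (void)w; (void)h; (void)raster; (void)orientation; (void)stop_on_error;
    return 0; /* decode error: raster is never written */
}

/* Vulnerable shape (CVE-2019-11459): the return value is ignored, so on a
 * decode failure the caller goes on to draw whatever malloc() handed back. */
uint32_t *render_unchecked(rgba_reader_fn read_rgba, uint32_t w, uint32_t h) {
    uint32_t *pixels = malloc((size_t)w * h * sizeof *pixels);
    if (!pixels) return NULL;
    read_rgba(NULL, w, h, pixels, 1 /* ORIENTATION_TOPLEFT */, 0);
    return pixels; /* contents undefined if the read failed */
}

/* Fixed shape: a 0 return is an error, so release the buffer and return NULL
 * instead of handing uninitialized memory to the renderer. */
uint32_t *render_checked(rgba_reader_fn read_rgba, uint32_t w, uint32_t h) {
    uint32_t *pixels = malloc((size_t)w * h * sizeof *pixels);
    if (!pixels) return NULL;
    if (!read_rgba(NULL, w, h, pixels, 1, 0)) {
        free(pixels);
        return NULL; /* caller reports the page as unrenderable */
    }
    return pixels;
}

/* Helpers that expose the two behaviours as plain results. */
int bad_tiff_is_rejected(void) { return render_checked(reader_fail, 4, 4) == NULL; }
int bad_tiff_slips_through_unchecked(void) {
    uint32_t *p = render_unchecked(reader_fail, 4, 4);
    int returned_buffer = p != NULL;
    free(p);
    return returned_buffer;
}
```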
--- Begin Message ---
Source: evince
Source-Version: 3.22.1-3+deb9u2
Done: Salvatore Bonaccorso <[email protected]>

We believe that the bug you reported is fixed in the latest version of
evince, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <[email protected]> (supplier of updated evince package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])



Format: 1.8
Date: Wed, 12 Feb 2020 21:32:58 +0100
Source: evince
Architecture: source
Version: 3.22.1-3+deb9u2
Distribution: stretch-security
Urgency: high
Maintainer: Debian GNOME Maintainers <[email protected]>
Changed-By: Salvatore Bonaccorso <[email protected]>
Closes: 927820
Changes:
 evince (3.22.1-3+deb9u2) stretch-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * dvi: Mitigate command injection attacks by quoting filename
     (CVE-2017-1000159)
   * Fix overflow checks in tiff backend (CVE-2019-1010006)
   * Remove unused configure check for cairo_format_stride_for_width
     (CVE-2019-1010006)
   * tiff: Handle failure from TIFFReadRGBAImageOriented (CVE-2019-11459)
     (Closes: #927820)


--- End Message ---
