
Bug#927821: marked as done (atril: CVE-2019-11459: Uninitialized memory read)



Your message dated Mon, 16 Dec 2019 09:49:53 +0000
with message-id <E1ign0j-000FLz-UB@fasolo.debian.org>
and subject line Bug#927821: fixed in atril 1.22.3-1
has caused the Debian Bug report #927821,
regarding atril: CVE-2019-11459: Uninitialized memory read
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
927821: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=927821
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Source: evince
Version: 3.30.2-3
Severity: important
Tags: security upstream
Control: clone -1 -2
Control: reassign -2 src:atril 1.20.3-1
Control: retitle -2 atril: CVE-2019-11459: Uninitialized memory read
Control: forwarded -1 https://gitlab.gnome.org/GNOME/evince/issues/1129

Hi,

The following vulnerability was published for evince (and the same issue
in atril, thus cloning the bug).

CVE-2019-11459[0]:
| The tiff_document_render() and tiff_document_get_thumbnail() functions
| in the TIFF document backend in GNOME Evince through 3.32.0 did not
| handle errors from TIFFReadRGBAImageOriented(), leading to
| uninitialized memory use when processing certain TIFF image files.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-11459
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11459
[1] https://gitlab.gnome.org/GNOME/evince/issues/1129

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
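The missing check the CVE text describes, as an added illustration that is not Evince's, Atril's or the Debian patch's own code: libtiff's TIFFReadRGBAImageOriented() returns 1 on success and 0 on failure, and the backend handed the raster on regardless. The decoder is a callback of that shape so the block runs without libtiff, and the two decoders at the end are constructed stand-ins.

```c
/* Added illustration, not Evince/Atril's own code. The real backend calls
 * libtiff's TIFFReadRGBAImageOriented(), which returns 1 on success and 0 on
 * failure; here the decoder is a callback of the same shape so the example
 * runs without libtiff, with constructed decoders standing in for libtiff. */
#include <stdint.h>
#include <stdlib.h>

typedef int (*read_rgba_fn)(void *tif, uint32_t w, uint32_t h,
                            uint32_t *raster, int orientation);

/* Before the fix: the decoder's return value is ignored, so on a decode error
 * the freshly malloc'd raster, never written, is handed on to the renderer. */
uint32_t *render_unchecked(void *tif, uint32_t w, uint32_t h, read_rgba_fn read)
{
    uint32_t *raster = malloc((size_t)w * h * sizeof *raster);
    if (raster == NULL)
        return NULL;
    read(tif, w, h, raster, 1 /* ORIENTATION_TOPLEFT */);
    return raster;          /* contents undefined if read() failed */
}

/* After the fix: a failed read frees the raster and reports the error, so
 * no caller can go on to read pixels that were never decoded. */
uint32_t *render_checked(void *tif, uint32_t w, uint32_t h, read_rgba_fn read)
{
    uint32_t *raster = malloc((size_t)w * h * sizeof *raster);
    if (raster == NULL)
        return NULL;
    if (!read(tif, w, h, raster, 1)) {
        free(raster);
        return NULL;        /* caller treats NULL as "render failed" */
    }
    return raster;
}

/* Constructed stand-in for a malformed TIFF: decodes nothing, reports 0. */
int failing_decoder(void *tif, uint32_t w, uint32_t h, uint32_t *raster, int o)
{
    (void)tif; (void)w; (void)h; (void)raster; (void)o;
    return 0;
}

/* Constructed stand-in for a good TIFF: fills every pixel with a known value. */
int filling_decoder(void *tif, uint32_t w, uint32_t h, uint32_t *raster, int o)
{
    (void)tif; (void)o;
    for (size_t i = 0; i < (size_t)w * h; i++)
        raster[i] = 0xFF112233u;
    return 1;
}
```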
--- Begin Message ---
Source: atril
Source-Version: 1.22.3-1

We believe that the bug you reported is fixed in the latest version of
atril, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 927821@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Mike Gabriel <mike.gabriel@das-netzwerkteam.de> (supplier of updated atril package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Mon, 16 Dec 2019 10:23:05 +0100
Source: atril
Architecture: source
Version: 1.22.3-1
Distribution: unstable
Urgency: medium
Maintainer: Debian+Ubuntu MATE Packaging Team <debian-mate@lists.debian.org>
Changed-By: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>
Closes: 927821
Changes:
 atril (1.22.3-1) unstable; urgency=medium
 .
   * New upstream release.
   * debian/changelog: Document security issue closure for 1.22.1-1.
   * debian/patches:
     + Add CVE-2019-11459.patch. tiff: Handle failure from
       TIFFReadRGBAImageOriented. (Closes: #927821, CVE-2019-11459).
   * debian/control:
     + Add Rules-Requires-Root: field and set it to 'no'.
     + Bump Standards-Version: to 4.4.1. No changes needed.


--- End Message ---
