
Bug#927821: marked as done (atril: CVE-2019-11459: Uninitialized memory read)



Your message dated Sat, 21 Dec 2019 18:17:08 +0000
with message-id <E1iijJM-0002Fl-Ii@fasolo.debian.org>
and subject line Bug#927821: fixed in atril 1.20.3-1+deb10u1
has caused the Debian Bug report #927821,
regarding atril: CVE-2019-11459: Uninitialized memory read
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
927821: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=927821
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Source: evince
Version: 3.30.2-3
Severity: important
Tags: security upstream
Control: clone -1 -2
Control: reassign -2 src:atril 1.20.3-1
Control: retitle -2 atril: CVE-2019-11459: Uninitialized memory read
Control: forwarded -1 https://gitlab.gnome.org/GNOME/evince/issues/1129

Hi,

The following vulnerability was published for evince (and the same issue
exists in atril, thus cloning the bug).

CVE-2019-11459[0]:
| The tiff_document_render() and tiff_document_get_thumbnail() functions
| in the TIFF document backend in GNOME Evince through 3.32.0 did not
| handle errors from TIFFReadRGBAImageOriented(), leading to
| uninitialized memory use when processing certain TIFF image files.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-11459
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11459
[1] https://gitlab.gnome.org/GNOME/evince/issues/1129

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
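The CVE text above describes an unchecked return from TIFFReadRGBAImageOriented(): on a decode failure the pixel buffer that malloc() handed out is used as if it had been filled. The C below is an added illustration of that bug class and of the fix shape the changelog names ("Handle failure from TIFFReadRGBAImageOriented"); it is not code from evince, atril or the Debian patch. `fake_tiff` and `fake_read_rgba` are constructed stand-ins (no real TIFF parsing, no libtiff dependency) that only mimic the real call's 1-on-success, 0-on-failure contract; `render_unchecked`, `render_checked`, `alloc_raster` and `render_ok` are hypothetical names chosen for the example.

```c
#include <stdint.h>
#include <stdlib.h>
#include <stdio.h>

/* Constructed stand-in for a libtiff document handle. The real backend
 * works on a TIFF*; this struct carries only what the example needs. */
typedef struct {
    uint32_t width;
    uint32_t height;
    int      corrupt;   /* 1 = simulate a decode failure */
} fake_tiff;

/* Constructed stand-in for libtiff's
 *   int TIFFReadRGBAImageOriented(TIFF *, uint32 w, uint32 h,
 *                                 uint32 *raster, int orientation,
 *                                 int stopOnError);
 * Like the real call it returns 1 on success and 0 on failure, and on
 * failure it may leave the raster partly or wholly untouched. */
static int fake_read_rgba(const fake_tiff *t, uint32_t w, uint32_t h,
                          uint32_t *raster)
{
    if (t->corrupt)
        return 0;                       /* raster left as malloc() gave it */
    for (size_t i = 0; i < (size_t)w * h; i++)
        raster[i] = 0xFF808080u;        /* opaque mid-grey, ABGR */
    return 1;
}

/* Allocate width*height 32-bit pixels, refusing sizes that would overflow. */
static uint32_t *alloc_raster(const fake_tiff *t)
{
    if (t->height != 0 && t->width > SIZE_MAX / t->height / sizeof(uint32_t))
        return NULL;                    /* size computation would overflow */
    return malloc((size_t)t->width * t->height * sizeof(uint32_t));
}

/* Vulnerable pattern: the decoder's result is discarded, so a failing
 * decode hands an uninitialized pixel buffer to the rest of the renderer. */
uint32_t *render_unchecked(const fake_tiff *t)
{
    uint32_t *pixels = alloc_raster(t);
    if (pixels == NULL)
        return NULL;
    fake_read_rgba(t, t->width, t->height, pixels);  /* return value ignored */
    return pixels;  /* contents undefined when the decode failed */
}

/* Fixed pattern: treat a 0 return as a hard error, release the buffer and
 * report failure to the caller instead of drawing whatever was in memory. */
uint32_t *render_checked(const fake_tiff *t)
{
    uint32_t *pixels = alloc_raster(t);
    if (pixels == NULL)
        return NULL;
    if (!fake_read_rgba(t, t->width, t->height, pixels)) {
        free(pixels);
        return NULL;
    }
    return pixels;
}

/* Returns 1 if the checked renderer produced a buffer whose first pixel is
 * the expected grey, 0 if it reported failure. Convenience for callers/tests. */
int render_ok(const fake_tiff *t)
{
    uint32_t *p = render_checked(t);
    int ok = (p != NULL && p[0] == 0xFF808080u);
    free(p);
    return ok;
}

int main(void)
{
    fake_tiff good = { 4, 4, 0 };   /* constructed sample: decodes fine */
    fake_tiff bad  = { 4, 4, 1 };   /* constructed sample: decoder fails */
    printf("good image: %s\n", render_ok(&good) ? "rendered" : "failed");
    printf("corrupt image: %s\n", render_ok(&bad) ? "rendered" : "failed");
    uint32_t *leak = render_unchecked(&bad);  /* non-NULL, undefined bytes */
    printf("unchecked renderer returned %s buffer for the corrupt image\n",
           leak ? "an uninitialized" : "no");
    free(leak);
    return 0;
}
```

The two renderers differ only in whether the decoder's return value is consulted; that single missing check is what turns a corrupt file into an uninitialized-memory read in the downstream drawing code. Building with a sanitizer (for example MemorySanitizer) and feeding the unchecked path a failing input is the simplest way to surface this class of defect during review.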
--- Begin Message ---
Source: atril
Source-Version: 1.20.3-1+deb10u1

We believe that the bug you reported is fixed in the latest version of
atril, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 927821@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Mike Gabriel <sunweaver@debian.org> (supplier of updated atril package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Mon, 16 Dec 2019 10:33:35 +0100
Source: atril
Architecture: source
Version: 1.20.3-1+deb10u1
Distribution: buster
Urgency: medium
Maintainer: Debian+Ubuntu MATE Packaging Team <debian-mate@lists.debian.org>
Changed-By: Mike Gabriel <sunweaver@debian.org>
Closes: 927821
Changes:
 atril (1.20.3-1+deb10u1) buster; urgency=medium
 .
   [ Martin Wimpress ]
   * debian/patches:
     + Add 0001_prevent_no_doc_segfault.patch. Prevent segfaults when no document
       is loaded.
     + Add 0002_CVE-2019-1010006.patch. Fix buffer overflow. (CVE-2019-1010006)
 .
   [ Mike Gabriel ]
   * debian/patches:
     + Add CVE-2019-11459.patch. tiff: Handle failure from
       TIFFReadRGBAImageOriented. (Closes: #927821).
     + Rebase 0001_prevent_no_doc_segfault.patch.
Checksums-Sha1:
 932d7c680f746383ccac91eed2c4039cfdea941e 3107 atril_1.20.3-1+deb10u1.dsc
 3607327893a3b52a7a6d7299d1a1b910c8b74fad 21908 atril_1.20.3-1+deb10u1.debian.tar.xz
 13121d1c5ffa4ddebeec39c3e8a22dd7b9232660 19264 atril_1.20.3-1+deb10u1_source.buildinfo
Checksums-Sha256:
 c09ee3994058966361d35ecb13468af5dd0e956ee908351a3fcd5ad743ebb54c 3107 atril_1.20.3-1+deb10u1.dsc
 a6ff7ff7f75edfb3b96b57aeaa0e8555e2b32c8158f87cf6d0cfc9c831b32022 21908 atril_1.20.3-1+deb10u1.debian.tar.xz
 ede82a8fa577299ce1089cc9b70b2fb7b76d1999078fd95d8e4dc956878e1142 19264 atril_1.20.3-1+deb10u1_source.buildinfo
Files:
 baae287c7324cfef728c28dac84141e8 3107 x11 optional atril_1.20.3-1+deb10u1.dsc
 efee7e86285e0c3f8220dfb6c35e6a9c 21908 x11 optional atril_1.20.3-1+deb10u1.debian.tar.xz
 7e0428c3dbeadd416fa74b0528539208 19264 x11 optional atril_1.20.3-1+deb10u1_source.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---