
Bug#1060751: marked as done (atril: CVE-2023-51698)



Your message dated Wed, 17 Jan 2024 06:04:09 +0000
with message-id <E1rPz21-00E9ko-H4@fasolo.debian.org>
and subject line Bug#1060751: fixed in atril 1.26.1-4
has caused the Debian Bug report #1060751,
regarding atril: CVE-2023-51698
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1060751: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1060751
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Source: atril
Version: 1.26.1-3
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>

Hi,

The following vulnerability was published for atril.

CVE-2023-51698[0]:
| Atril is a simple multi-page document viewer. Atril is vulnerable to
| a critical Command Injection Vulnerability. This vulnerability gives
| the attacker immediate access to the target system when the target
| user opens a crafted document or clicks on a crafted link/URL using
| a maliciously crafted CBT document which is a TAR archive. A patch
| is available at commit ce41df6.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-51698
    https://www.cve.org/CVERecord?id=CVE-2023-51698
[1] https://github.com/mate-desktop/atril/security/advisories/GHSA-34rr-j8v9-v4p2
[2] https://github.com/mate-desktop/atril/commit/ce41df6467521ff9fd4f16514ae7d6ebb62eb1ed

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: atril
Source-Version: 1.26.1-4
Done: Mike Gabriel <sunweaver@debian.org>

We believe that the bug you reported is fixed in the latest version of
atril, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1060751@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Mike Gabriel <sunweaver@debian.org> (supplier of updated atril package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Wed, 17 Jan 2024 06:41:57 +0100
Source: atril
Architecture: source
Version: 1.26.1-4
Distribution: unstable
Urgency: medium
Maintainer: Debian+Ubuntu MATE Packaging Team <debian-mate@lists.debian.org>
Changed-By: Mike Gabriel <sunweaver@debian.org>
Closes: 1060751
Changes:
 atril (1.26.1-4) unstable; urgency=medium
 .
   * debian/patches:
     + Add 0001-Use-a-blank-line-at-most.patch and
       0002-comics-Use-libarchive-to-unpack-documents.patch. Use libarchive
       instead of external command for extracting documents (CVE-2023-51698,
       closes: #1060751).
Checksums-Sha1:
 2d30824a2979a6f68fa2e93a1a881988acd310cf 3111 atril_1.26.1-4.dsc
 70e04897aa2903b422e931ca252fcf8b32bb52a8 45984 atril_1.26.1-4.debian.tar.xz
 14362fbb9b597dfb09d625b635e702c9cc0e559e 17679 atril_1.26.1-4_source.buildinfo
Checksums-Sha256:
 d1750be5de91a7b799ad609deac2c6aa5c33b08676927182a1c4a29a2142b1c1 3111 atril_1.26.1-4.dsc
 5bf31bbcda9da334d3de7c41a9991f0f02daaead5a0ad27b20016688b02c12ae 45984 atril_1.26.1-4.debian.tar.xz
 58ea333d7a51088d8e45a3643bf64f82edba7b9096152ac03269f3f6e068afce 17679 atril_1.26.1-4_source.buildinfo
Files:
 42ce31ed16defdaea4e58a5fb6b967a6 3111 x11 optional atril_1.26.1-4.dsc
 c64258121ff1df6dc097484509abd2e8 45984 x11 optional atril_1.26.1-4.debian.tar.xz
 f8bacd72336eca5428e63022366265ce 17679 x11 optional atril_1.26.1-4_source.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
