===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2019.3096
              [SECURITY] [DLA 1881-1] evince security update
                              14 August 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           evince
Publisher:         Debian
Operating System:  Debian GNU/Linux 8
Impact/Access:     Execute Arbitrary Code/Commands -- Remote with User Interaction
                   Denial of Service               -- Remote with User Interaction
                   Access Confidential Data        -- Existing Account            
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-1010006 CVE-2019-11459 CVE-2017-1000159

Reference:         ESB-2019.3006.2
                   ESB-2019.2947
                   ESB-2019.2735

Original Bulletin: 
   https://lists.debian.org/debian-lts-announce/2019/08/msg00013.html

- --------------------------BEGIN INCLUDED TEXT--------------------

Package        : evince
Version        : 3.14.1-2+deb8u3
CVE ID         : CVE-2017-1000159 CVE-2019-11459 CVE-2019-1010006

A few issues were found in the Evince document viewer.

CVE-2017-1000159

    When printing from DVI to PDF, the dvipdfm tool was called without
    properly sanitizing the filename, which could lead to a command
    injection attack via the filename.

CVE-2019-11459

    The tiff_document_render() and tiff_document_get_thumbnail() functions
    did not check the status of TIFFReadRGBAImageOriented(), leading to
    uninitialized memory access if that function fails.

CVE-2019-1010006

    Some buffer overflow checks were not properly done, leading to
    application crash or possibly arbitrary code execution when
    opening maliciously crafted files.

For Debian 8 "Jessie", these problems have been fixed in version
3.14.1-2+deb8u3.

We recommend that you upgrade your evince packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

- --------------------------END INCLUDED TEXT--------------------
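The CVE-2019-11459 entry above describes an unchecked decoder status: evince allocated a pixel buffer, called TIFFReadRGBAImageOriented(), and used the buffer even when the call reported failure. The following C program is an added illustration of that bug pattern and its fix, not code from evince or Debian; fake_tiff and fake_read_rgba() are constructed stand-ins that only mimic libtiff's 1-on-success / 0-on-failure return contract.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed stand-in for libtiff's TIFFReadRGBAImageOriented(): same
 * contract (returns 1 on success, 0 on failure), but it decodes an
 * in-memory description instead of a real TIFF. Not libtiff. */
typedef struct { uint32_t width, height; int corrupt; } fake_tiff;

static int fake_read_rgba(const fake_tiff *t, uint32_t *raster)
{
    size_t n = (size_t)t->width * t->height;
    if (t->corrupt)
        return 0;                  /* decoder failed: raster left untouched */
    for (size_t i = 0; i < n; i++)
        raster[i] = 0xFF0000FFu;   /* constructed "decoded" pixel value */
    return 1;
}

/* Vulnerable shape (the CVE-2019-11459 pattern): the status is ignored,
 * so on failure the caller gets a malloc'ed buffer that was never filled
 * and goes on to read uninitialized memory as pixel data. */
uint32_t *render_unchecked(const fake_tiff *t)
{
    uint32_t *pixels = malloc((size_t)t->width * t->height * sizeof *pixels);
    if (!pixels) return NULL;
    fake_read_rgba(t, pixels);     /* return value dropped on the floor */
    return pixels;                 /* may be uninitialized on failure */
}

/* Hardened shape: check the status, release the buffer, report failure. */
uint32_t *render_checked(const fake_tiff *t)
{
    uint32_t *pixels = malloc((size_t)t->width * t->height * sizeof *pixels);
    if (!pixels) return NULL;
    if (!fake_read_rgba(t, pixels)) {
        fprintf(stderr, "failed to read TIFF image\n");
        free(pixels);
        return NULL;               /* caller sees an error, not garbage */
    }
    return pixels;
}

int main(void)
{
    fake_tiff good = { 2, 2, 0 }, bad = { 2, 2, 1 };   /* constructed inputs */
    uint32_t *ok = render_checked(&good), *err = render_checked(&bad);
    printf("good: %s, corrupt: %s\n", ok ? "rendered" : "NULL", err ? "rendered" : "NULL");
    free(ok); free(err);
    return 0;
}
```

Running render_unchecked() on the corrupt input under Valgrind or MemorySanitizer is the quickest way to see the uninitialized read the advisory refers to; render_checked() simply returns NULL.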

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================