Operating System:

[Debian]

Published:

14 August 2019


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2019.3097
               [SECURITY] [DLA 1882-1] atril security update
                              14 August 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           atril
Publisher:         Debian
Operating System:  Debian GNU/Linux 8
Impact/Access:     Execute Arbitrary Code/Commands -- Remote with User Interaction
                   Denial of Service               -- Remote with User Interaction
                   Access Confidential Data        -- Existing Account            
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-1010006 CVE-2019-11459 CVE-2017-1000159

Reference:         ESB-2019.3006.2
                   ESB-2019.2947
                   ESB-2019.2735

Original Bulletin: 
   https://lists.debian.org/debian-lts-announce/2019/08/msg00014.html

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Package        : atril
Version        : 1.8.1+dfsg1-4+deb8u2
CVE ID         : CVE-2017-1000159 CVE-2019-11459 CVE-2019-1010006

A few issues were found in Atril, the MATE document viewer.

CVE-2017-1000159

    When printing from DVI to PDF, the dvipdfm tool was called without
    properly sanitizing the filename, which could lead to a command
    injection attack via the filename.
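The command-injection pattern described above, shown as an added example in C (this is not Atril's, Debian's or dvipdfm's code). build_shell_command() is the vulnerable pattern: the filename is spliced into one shell command string, so shell metacharacters in the name change what runs. build_argv() and run_argv() are the hardened pattern: the name is one element of an argv array handed to execvp(), and no shell ever parses it. The dvipdfm argument layout ("-o output input"), the sample filename and the metacharacter list are constructed assumptions; main() substitutes echo for dvipdfm so the demonstration runs anywhere.

```c
/* Added example, not Atril's code: a user-controlled filename passed to an
 * external converter, the vulnerable way and the hardened way. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Vulnerable pattern: the filename becomes part of a shell command line.
 * Any ';', '|', '$', backtick or quote in the name is interpreted by the
 * shell that system()/popen() would start. Argument layout is assumed. */
static char *build_shell_command(const char *dvi_path, const char *pdf_path)
{
    size_t n = strlen(dvi_path) + strlen(pdf_path) + 32;
    char *cmd = malloc(n);
    if (!cmd) return NULL;
    snprintf(cmd, n, "dvipdfm -o %s %s", pdf_path, dvi_path);
    return cmd;                 /* would be handed to system() or popen() */
}

/* Hardened pattern: one argv element per argument. The converter receives
 * the name verbatim; there is no shell to reinterpret it. */
static int build_argv(const char *dvi_path, const char *pdf_path,
                      const char *argv[5])
{
    argv[0] = "dvipdfm";
    argv[1] = "-o";
    argv[2] = pdf_path;
    argv[3] = dvi_path;
    argv[4] = NULL;
    return 4;                   /* number of non-NULL elements */
}

/* Execute argv directly with fork()+execvp(). Returns the child's exit
 * status, or -1 if the child could not be started or waited for. */
static int run_argv(const char *const argv[])
{
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execvp(argv[0], (char *const *)argv);
        _exit(127);             /* exec failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Defence in depth: flag names a shell would interpret, e.g. to log or
 * reject them before the conversion is attempted. Character set assumed. */
static int has_shell_metachars(const char *s)
{
    return strpbrk(s, ";|&$`'\"\\<>()*?[]{} \t\n") != NULL;
}

int main(void)
{
    /* Constructed, benign filename containing a space and a semicolon. */
    const char *dvi = "thesis; echo injected.dvi";

    char *cmd = build_shell_command(dvi, "out.pdf");
    printf("vulnerable command line: %s\n", cmd);
    free(cmd);

    const char *argv[5];
    build_argv(dvi, "out.pdf", argv);
    argv[0] = "echo";           /* stand-in for dvipdfm in this demo */
    printf("metacharacters present: %d\n", has_shell_metachars(dvi));
    return run_argv(argv) == 0 ? 0 : 1;   /* echo prints the name as one argument */
}
```

The safe spawn keeps the whole name, semicolon included, as argv[3]; with the string-building version the same name is cut at the semicolon by the shell. When a shell is genuinely unavoidable, quoting every argument (for example with GLib's g_shell_quote()) is the fallback, but an argv-based spawn is the simpler guarantee.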

CVE-2019-11459

    The tiff_document_render() and tiff_document_get_thumbnail() functions
    did not check the status of TIFFReadRGBAImageOriented(), leading to
    uninitialized memory access if that function fails.
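The unchecked-status defect described above, as an added example in C that is neither Atril's nor libtiff's code. decode_rgba() is a constructed stand-in that mirrors only the calling contract of TIFFReadRGBAImageOriented(): the caller allocates the raster, the function returns 1 on success and 0 on failure, and on failure it writes nothing. The toy "image format" (width byte, height byte, then RGBA bytes) is invented for the demonstration. render_unchecked() reproduces the vulnerable pattern, render_checked() the fix; alloc_raster() additionally guards the width*height*4 size computation against overflow, the class of missing bounds check the next entry describes.

```c
/* Added example, not Atril's code: ignoring a decoder's status hands the
 * caller a raster that was never written; checking it avoids that. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for TIFFReadRGBAImageOriented(): same contract
 * (1 = success, 0 = failure, raster untouched on failure), toy format. */
static int decode_rgba(const uint8_t *data, size_t len,
                       uint32_t width, uint32_t height, uint32_t *raster)
{
    if (len < 2 || data[0] != width || data[1] != height)
        return 0;                               /* bad header: nothing written */
    size_t need = (size_t)width * height * 4;
    if (len - 2 < need)
        return 0;                               /* truncated: nothing written */
    memcpy(raster, data + 2, need);
    return 1;
}

/* Allocate width*height pixels, refusing dimensions whose byte size would
 * overflow size_t (the kind of check missing from a buffer-overflow bug). */
static uint32_t *alloc_raster(uint32_t width, uint32_t height)
{
    if (width == 0 || height == 0) return NULL;
    if ((size_t)width > SIZE_MAX / 4 / height) return NULL;   /* size overflow */
    return malloc((size_t)width * height * 4);
}

/* Vulnerable pattern: the return value is dropped, so on a malformed file
 * the caller proceeds with whatever bytes malloc() happened to return. */
uint32_t *render_unchecked(const uint8_t *data, size_t len,
                           uint32_t width, uint32_t height)
{
    uint32_t *raster = alloc_raster(width, height);
    if (!raster) return NULL;
    decode_rgba(data, len, width, height, raster);   /* status ignored */
    return raster;                                    /* may be uninitialized */
}

/* Hardened pattern: check the status, release the buffer, report failure so
 * the page is rendered as an error rather than from garbage memory. */
uint32_t *render_checked(const uint8_t *data, size_t len,
                         uint32_t width, uint32_t height)
{
    uint32_t *raster = alloc_raster(width, height);
    if (!raster) return NULL;
    if (!decode_rgba(data, len, width, height, raster)) {
        free(raster);
        return NULL;
    }
    return raster;
}
```

A caller of render_unchecked() cannot tell a decoded page from an undecoded one, which is exactly why tools such as Valgrind or MemorySanitizer flag this pattern as a use of uninitialized memory; render_checked() turns the same malformed input into a clean NULL.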

CVE-2019-1010006

    Some buffer overflow checks were not properly done, leading to
    application crash or possibly arbitrary code execution when
    opening maliciously crafted files.

For Debian 8 "Jessie", these problems have been fixed in version
1.8.1+dfsg1-4+deb8u2.

We recommend that you upgrade your atril packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
- -----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEcJymx+vmJZxd92Q+nUbEiOQ2gwIFAl1Sr7sACgkQnUbEiOQ2
gwLLDA//TEu8+dtgHdyxsQ1/QbND4tQzkZmxnwuLXslnJKDYhivUO0119f/gJuW8
bfzN0bBJ+A+j19kkY1RXp2ZNIEj4vXSKiw+he8vDY8jzMe/jflA7n9ot2faX0an3
FFeGC6gpcfYi3O/YDFV4Bs8wDKaWIlwmd3FvRfBQggRtnlNUMTkTymkA6ZyViCrO
uCTSKG9eEpx63wUVUTLASC+t5XpUNEcgCI1CZ3jxWoHMU8o4USRecDoyxPBQ3LJy
1uya0IZXMW7+qr2CuQGW5py5h/LAmyoaIEGA+a4+MnuoYn9pBRSI1KQ9bTFNcJiw
PO0ReSrVVbwZsZYCvfGDJlNEEAGbEMjdSvKB9q5peOrkoIxMQnw9a2rwLWgOeY8v
TfEct4YwUI0Em75J3ltW6wJzdxeJs485UqxqZDrDzDt5FmxQI0y0vDWBoF127Bzx
EaG5RG3fTDIkwKJjsq3z3ttxYrHWQE3oGzfuIPXc5vKJ++OuktXeTXbPMVE+/QZX
sdxc7gnS0Nzfbnu33GDE80rgQNjRQI4gPJc4cJyVGBis3DOGk4jKpVZOuR2m1Pob
+B+7EPla4DZVT04XfhVSwDdhlwtBdTHSZqLTtZNAPvcSuiGJLd6X8hTD6K5tl6Tj
nbc1QdDGaRURAntkSOBla/REbIc1gUSfTMBaCWRsQ2sPer3dRvs=
=y+9p
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBXVNchmaOgq3Tt24GAQg+Qg/8CdDhqg/ZB29fDRulURqBZnN87DpNMzWc
mxmfxr8/me9KfJZsOoWA2TcDSkhTHhlnAr3M36J3WISUILROc0OSFmdzyh9OIUIB
KX4ufu5rhJ9Dbe0SZT9vJK8OUf04XEBysJnFHby82gxNnDXLeCk6sBxkXjReIcJU
/XkgQ+Q3nO9kBc2ceQIE+i21qnNRlGWdBLYMY+XwsYw2EKGWggdLr3LMIuOZ8pA+
8u/iB8BPdY8LH0AidIOmLJtEee/F+SygeUGNIC78TN9G81sByGALuhfdjqA7z4uT
VcD/3nf1Ebpop6G6R493LhA8bcmg0jLiY0AvSONPgCj9OMyX1zUqw1yy3gmwJ1Y7
nxSxciOv3sEo2mFovLLnqN+uy84IfnD1CLuXxyuHMpfxD1pbV3qyAlck5WWKaZHI
SsjFyeZQB1ajygXCfwTu/dsQOFwjAwFQWkMgRXMmzBjaPXIhvEwG/S7+0ilpXrqK
8yJh16WjhBNvutGMr5u6VEdj5aZgoOt9XdYD6QR3qOYO3Q22POeWq1Cu8wZk9v5H
RAl3eOLaEyYBYmiU1oUZm7pc8VtWiwVflhrggtzwA8c1O9XlnPN1hHcmL6bW8gus
y4WdfEDalB2/cKjkRiSF+s7yVmABpsAmZBMoGZmZz9AMORyDoYOBXD3g+gxu9P5u
3b6wJs85rfE=
=/lP7
-----END PGP SIGNATURE-----