===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2019.3097
               [SECURITY] [DLA 1882-1] atril security update
                              14 August 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           atril
Publisher:         Debian
Operating System:  Debian GNU/Linux 8
Impact/Access:     Execute Arbitrary Code/Commands -- Remote with User Interaction
                   Denial of Service               -- Remote with User Interaction
                   Access Confidential Data        -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-1010006 CVE-2019-11459 CVE-2017-1000159

Reference:         ESB-2019.3006.2
                   ESB-2019.2947
                   ESB-2019.2735

Original Bulletin:
   https://lists.debian.org/debian-lts-announce/2019/08/msg00014.html

--------------------------BEGIN INCLUDED TEXT--------------------

Package        : atril
Version        : 1.8.1+dfsg1-4+deb8u2
CVE ID         : CVE-2017-1000159 CVE-2019-11459 CVE-2019-1010006

A few issues were found in Atril, the MATE document viewer.

CVE-2017-1000159

    When printing from DVI to PDF, the dvipdfm tool was called without
    properly sanitizing the filename, which could lead to a command
    injection attack via the filename.

CVE-2019-11459

    The tiff_document_render() and tiff_document_get_thumbnail() did
    not check the status of TIFFReadRGBAImageOriented(), leading to
    uninitialized memory access if that function fails.

CVE-2019-1010006

    Some buffer overflow checks were not properly done, leading to
    application crash or possibly arbitrary code execution when
    opening maliciously crafted files.

For Debian 8 "Jessie", these problems have been fixed in version
1.8.1+dfsg1-4+deb8u2.

We recommend that you upgrade your atril packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures.
AusCERT takes no responsibility for consequences which may arise from
following or acting on information or advice contained in this security
bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
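
Added example, not part of the Debian or AusCERT text and not atril's code: CVE-2017-1000159 above is a filename reaching a shell command line, and the C code below instead hands the filename to dvipdfm as a single argv element through posix_spawnp(), so no shell ever parses it. It goes one step beyond the advisory by also keeping a name that starts with '-' from being read as an option. build_dvipdfm_argv(), run_argv() and the sample filenames are hypothetical names for this example, and the "dvipdfm -o <pdf> <dvi>" form is an assumption about how the tool is invoked.

```c
#include <spawn.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>

extern char **environ;

/* Fill argv[] for "dvipdfm -o <pdf> <dvi>" (hypothetical helper).
 * Each filename is exactly one argv element, so shell metacharacters in
 * it are inert. A DVI name starting with '-' is rewritten as "./<name>"
 * in buf so it cannot be taken for an option.
 * Returns 0, or -1 on empty names, a '-'-leading output name, or overflow. */
int build_dvipdfm_argv(const char *dvi, const char *pdf,
                       char *argv[5], char *buf, size_t buflen)
{
    if (!dvi || !pdf || !*dvi || !*pdf || pdf[0] == '-')
        return -1;
    if (dvi[0] == '-') {
        int n = snprintf(buf, buflen, "./%s", dvi);
        if (n < 0 || (size_t)n >= buflen)
            return -1;
        dvi = buf;
    }
    argv[0] = "dvipdfm";
    argv[1] = "-o";
    argv[2] = (char *)pdf;
    argv[3] = (char *)dvi;
    argv[4] = NULL;
    return 0;
}

/* Start argv[0] directly (no /bin/sh) and wait for it.
 * Returns its exit status, or -1 if it could not be started or waited for. */
int run_argv(char *const argv[])
{
    pid_t pid;
    int status;
    if (posix_spawnp(&pid, argv[0], NULL, NULL, argv, environ) != 0)
        return -1;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

int main(void)
{
    /* Constructed sample filename containing shell metacharacters. */
    char *argv[5], buf[4096];
    if (build_dvipdfm_argv("notes; echo X.dvi", "out.pdf", argv, buf, sizeof buf) == 0)
        printf("input=[%s] exit=%d\n", argv[3], run_argv(argv));
    return 0;
}
```

If dvipdfm is not installed, run_argv() reports a failure status; the point of the example is that the filename arrives at the child process byte for byte.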