Control: fixed -1 1.22.2-1
Control: close -1

Hi Salvatore,

On Tue, 23 Apr 2019 21:52:39 +0200 Salvatore Bonaccorso <car...@debian.org> wrote:
> Source: evince
> Version: 3.30.2-3
> Severity: important
> Tags: security upstream
> Control: clone -1 -2
> Control: reassign -2 src:atril 1.20.3-1
> Control: retitle -2 atril: CVE-2019-11459: Uninitialized memory read
> Control: forwarded -1 https://gitlab.gnome.org/GNOME/evince/issues/1129
>
> Hi,
>
> The following vulnerability was published for evince (and same issue
> in atril, thus cloning the bug).
>
> CVE-2019-11459[0]:
> | The tiff_document_render() and tiff_document_get_thumbnail() functions
> | in the TIFF document backend in GNOME Evince through 3.32.0 did not
> | handle errors from TIFFReadRGBAImageOriented(), leading to
> | uninitialized memory use when processing certain TIFF image files.
>
>
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
>
> For further information see:
>
> [0] https://security-tracker.debian.org/tracker/CVE-2019-11459
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11459
> [1] https://gitlab.gnome.org/GNOME/evince/issues/1129
>
> Please adjust the affected versions in the BTS as needed.

This issue got resolved for src:atril in unstable with upload of atril 1.22.2-1.

I have updated the package's debian/changelog file, so that the CVE closure will be visible for 1.22.2-1 with upload of 1.22.3-1.

Greets,
Mike
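
The bug class named in the quoted CVE description (a decoder's failure return is ignored and the pixel buffer is used anyway), shown as an added example that is not part of this message and is not Evince or Atril code. `decode_rgba()` is a hypothetical stand-in with the same return contract as `TIFFReadRGBAImageOriented()` (1 on success, 0 on error), and the `STALE` fill is a constructed stand-in for leftover heap contents so the result is deterministic.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define STALE 0xAA  /* constructed stand-in for leftover heap contents */

/* Hypothetical decoder: returns 1 and fills raster on success, returns 0 on
 * error and leaves raster untouched. */
static int decode_rgba(const uint8_t *src, size_t len, uint32_t w, uint32_t h,
                       uint32_t *raster)
{
    size_t n = (size_t)w * h;
    if (src == NULL || len < n * 4)
        return 0;                       /* truncated or corrupt image data */
    memcpy(raster, src, n * 4);
    return 1;
}

/* Allocate the pixel buffer; the memset models a recycled heap chunk. */
static uint32_t *alloc_pixels(uint32_t w, uint32_t h)
{
    if (w == 0 || h == 0 || w > SIZE_MAX / 4 / h)
        return NULL;                    /* reject empty or overflowing sizes */
    uint32_t *p = malloc((size_t)w * h * 4);
    if (p != NULL)
        memset(p, STALE, (size_t)w * h * 4);
    return p;
}

/* Before: the decoder's result is discarded, so a failed decode still hands
 * the caller a buffer full of whatever the allocation contained. */
uint32_t *render_unchecked(const uint8_t *src, size_t len, uint32_t w, uint32_t h)
{
    uint32_t *pixels = alloc_pixels(w, h);
    if (pixels != NULL)
        decode_rgba(src, len, w, h, pixels);
    return pixels;
}

/* After: a failed decode frees the buffer and yields no image at all. */
uint32_t *render_checked(const uint8_t *src, size_t len, uint32_t w, uint32_t h)
{
    uint32_t *pixels = alloc_pixels(w, h);
    if (pixels != NULL && !decode_rgba(src, len, w, h, pixels)) {
        free(pixels);
        pixels = NULL;
    }
    return pixels;
}
```
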
