| Summary: | evince new security issue CVE-2019-11459 | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | major | | |
| Priority: | Normal | CC: | andrewsfarm, brtians1, cvargas, geiger.david68210, marja11, nicolas.salguero, sysadmin-bugs, tmb |
| Version: | 7 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | MGA7-64-OK | | |
| Source RPM: | evince-3.32.0-2.mga7.src.rpm | CVE: | CVE-2019-11459 |
| Status comment: | Fixed upstream in 3.32.1 | | |

Description
David Walser
2019-08-11 20:41:29 CEST
David Walser
2019-08-11 20:41:36 CEST
Whiteboard: (none) => MGA7TOO, MGA6TOO

Assigning to the Gnome maintainers. CC'ing a recent submitter and also the registered maintainer.

Assignee: bugsquad => gnome

Ubuntu has issued an advisory on July 22:
https://usn.ubuntu.com/4067-1/

Only Mageia 6 is affected by this issue.

Summary: evince new security issue CVE-2019-11459 => evince new security issue CVE-2019-11459 and CVE-2019-1010006

Mageia 6 is EOL, removing CVE-2019-1010006 from the bug title.

The original issue is fixed upstream in 3.32.1 and 3.34.0, so Cauldron is OK.

RedHat has issued an advisory for this on November 5:
https://access.redhat.com/errata/RHSA-2019:3553

Whiteboard: MGA7TOO, MGA6TOO => (none)

Suggested advisory:
========================

The updated packages fix a security vulnerability:

The tiff_document_render() and tiff_document_get_thumbnail() functions in the TIFF document backend in GNOME Evince through 3.32.0 did not handle errors from TIFFReadRGBAImageOriented(), leading to uninitialized memory use when processing certain TIFF image files. (CVE-2019-11459)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11459
https://usn.ubuntu.com/3959-1/
https://access.redhat.com/errata/RHSA-2019:3553
========================

Updated packages in core/updates_testing:
========================
evince-3.32.1-1.mga7
evince-dvi-3.32.1-1.mga7
lib(64)evdocument3_4-3.32.1-1.mga7
lib(64)evview3_3-3.32.1-1.mga7
lib(64)evince-devel-3.32.1-1.mga7
lib(64)evince-gir3.0-3.32.1-1.mga7

from SRPMS:
evince-3.32.1-1.mga7.src.rpm

Assignee: gnome => qa-bugs

The following 5 packages are going to be installed:

- evince-3.32.1-1.mga7.x86_64
- glibc-2.29-19.mga7.x86_64
- lib64evdocument3_4-3.32.1-1.mga7.x86_64
- lib64evince-gir3.0-3.32.1-1.mga7.x86_64
- lib64evview3_3-3.32.1-1.mga7.x86_64

-- rebooted for glibc (not sure why that was added)

opened a set of pictures in a cbt file
pdf document

The application worked as designed.

Ran from terminal - no messages there.

CC: (none) => brtians1

(In reply to Brian Rockwell from comment #5)
> The following 5 packages are going to be installed:
>
> - evince-3.32.1-1.mga7.x86_64
> - glibc-2.29-19.mga7.x86_64
> - lib64evdocument3_4-3.32.1-1.mga7.x86_64
> - lib64evince-gir3.0-3.32.1-1.mga7.x86_64
> - lib64evview3_3-3.32.1-1.mga7.x86_64
>
> -- rebooted for glibc (not sure why that was added)
>
> opened a set of pictures in a cbt file
> pdf document
>
> The application worked as designed.
>
> Ran from terminal - no messages there.

This was run on

$ uname -a
Linux linux.local 5.3.11-desktop-1.mga7 #1 SMP Tue Nov 12 21:10:01 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux

Gnome desktop, VirtualBox VM.

Nicolas, another TIFF issue in Evince is CVE-2019-1010006:
https://lists.opensuse.org/opensuse-updates/2019-08/msg00095.html

Do we have the fix for that?

(In reply to David Walser from comment #7)
> Nicolas, another TIFF issue in Evince is CVE-2019-1010006:
> https://lists.opensuse.org/opensuse-updates/2019-08/msg00095.html
>
> Do we have the fix for that?

According to what I found, that CVE only affects evince 3.26.x.

Well Gentlemen, do we let this go or not? My search agrees with Nicolas, but with my inexperience in such matters any results I have are unreliable, at best. So it's up to you.

I'm ready to validate, unless one of you objects.

CC: (none) => andrewsfarm

Go for it.

Thank you, David. Validating.

Advisory in Comment 4.

Keywords: (none) => validated_update
Thomas Backlund
2019-12-06 12:15:03 CET
Keywords: (none) => advisory

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2019-0355.html

Resolution: (none) => FIXED
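The advisory text in this thread describes tiff_document_render() and tiff_document_get_thumbnail() ignoring the result of TIFFReadRGBAImageOriented(), so a failed read left a freshly allocated pixel buffer uninitialized and it was rendered anyway. The following is an added example, not code from Evince, libtiff or this bug report: it places that unchecked pattern beside a checked one, using a constructed function-pointer stand-in (rgba_reader_fn, reader_ok, reader_fails) for the libtiff call so that it builds and runs without libtiff.

```c
#include <stdint.h>
#include <stdlib.h>

/* Constructed stand-in for libtiff's TIFFReadRGBAImageOriented(): 1 on success
 * with `raster` filled, 0 on failure with `raster` untouched (the advisory's case). */
typedef int (*rgba_reader_fn)(uint32_t *raster, int width, int height);

static int reader_ok(uint32_t *raster, int width, int height)
{
    for (int i = 0; i < width * height; i++)
        raster[i] = 0xFF0000FFu;              /* constructed sample pixel */
    return 1;
}

static int reader_fails(uint32_t *raster, int width, int height)
{
    (void)raster; (void)width; (void)height;
    return 0;                                 /* malformed or truncated image */
}

/* Pattern the advisory describes: the reader's result is ignored, so when it
 * fails the caller receives a malloc'd buffer that was never written and
 * renders uninitialized memory as pixels. */
uint32_t *render_unchecked(rgba_reader_fn read, int width, int height)
{
    if (width <= 0 || height <= 0)
        return NULL;
    uint32_t *raster = malloc((size_t)width * (size_t)height * sizeof *raster);
    if (raster == NULL)
        return NULL;
    read(raster, width, height);              /* return value discarded */
    return raster;                            /* may be uninitialized */
}

/* Hardened form: a failed read is a rendering error; release the buffer and
 * report failure instead of handing uninitialized pixels to the caller. */
uint32_t *render_checked(rgba_reader_fn read, int width, int height)
{
    if (width <= 0 || height <= 0)
        return NULL;
    uint32_t *raster = malloc((size_t)width * (size_t)height * sizeof *raster);
    if (raster == NULL)
        return NULL;
    if (!read(raster, width, height)) {
        free(raster);                         /* nothing valid to render */
        return NULL;
    }
    return raster;
}
```

A caller of render_checked() that receives NULL can report a rendering error for the page or thumbnail; only the successful path ever exposes buffer contents.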