Ubuntu has issued an advisory on April 29:
Mageia 6 and Mageia 7 are also affected.
Assigning to the Gnome maintainers. CC'ing a recent submitter and also the registered maintainer.
cvargas, geiger.david68210, marja11
Ubuntu has issued an advisory on July 22:
Only Mageia 6 is affected by this issue.
evince new security issue CVE-2019-11459 =>
evince new security issue CVE-2019-11459 and CVE-2019-1010006
Mageia 6 is EOL, removing CVE-2019-1010006 from the bug title.
The original issue is fixed upstream in 3.32.1 and 3.34.0, so Cauldron is OK.
RedHat has issued an advisory for this on November 5:
MGA7TOO, MGA6TOO =>
evince new security issue CVE-2019-11459 and CVE-2019-1010006 =>
evince new security issue CVE-2019-11459Source RPM:
Fixed upstream in 3.32.1
The updated packages fix a security vulnerability:
The tiff_document_render() and tiff_document_get_thumbnail() functions in the TIFF document backend in GNOME Evince through 3.32.0 did not handle errors from TIFFReadRGBAImageOriented(), leading to uninitialized memory use when processing certain TIFF image files. (CVE-2019-11459)
Updated packages in core/updates_testing:
The following 5 packages are going to be installed:
-- rebooted for glibc (not sure why that was added)
opened a set of pictures in a cbt file
The application worked as designed.
Ran from terminal - no messages there.
(In reply to Brian Rockwell from comment #5)
> The following 5 packages are going to be installed:
> - evince-3.32.1-1.mga7.x86_64
> - glibc-2.29-19.mga7.x86_64
> - lib64evdocument3_4-3.32.1-1.mga7.x86_64
> - lib64evince-gir3.0-3.32.1-1.mga7.x86_64
> - lib64evview3_3-3.32.1-1.mga7.x86_64
> -- rebooted for glibc (not sure why that was added)
> opened a set of pictures in a cbt file
> pdf document
> The application worked as designed.
> Ran from terminal - no messages there.
This was run on
$ uname -a
Linux linux.local 5.3.11-desktop-1.mga7 #1 SMP Tue Nov 12 21:10:01 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
Gnome desktop, VirtualBox VM.
Nicolas, another TIFF issue in Evince is CVE-2019-1010006:
Do we have the fix for that?
(In reply to David Walser from comment #7)
> Nicolas, another TIFF issue in Evince is CVE-2019-1010006:
> Do we have the fix for that?
According to what I found, that CVE only affects evince 3.26.x.
Well Gentlemen, do we let this go or not? My search agrees with Nicolas, but with my inexperience in such matters any results I have are unreliable, at best.
So it's up to you. I'm ready to validate, unless one of you objects.
Go for it.
Thank you, David. Validating. Advisory in Comment 4.
An update for this issue has been pushed to the Mageia Updates repository.