Bug 33282 - atril new security issue CVE-2023-52076
Summary: atril new security issue CVE-2023-52076
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 9
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA9-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2024-06-10 10:33 CEST by Nicolas Salguero
Modified: 2024-06-16 01:08 CEST
CC: 6 users

See Also:
Source RPM: atril-1.26.1-1.mga9.src.rpm
CVE: CVE-2023-52076
Status comment:


Description Nicolas Salguero 2024-06-10 10:33:14 CEST
Ubuntu has issued an advisory on June 5:
https://ubuntu.com/security/notices/USN-6808-1
Nicolas Salguero 2024-06-10 10:33:49 CEST

Status comment: (none) => Fixed upstream in 1.26.2 and patch available from upstream
Source RPM: (none) => atril-1.26.1-1.mga9.src.rpm
CVE: (none) => CVE-2023-52076

Nicolas Salguero 2024-06-10 10:34:13 CEST

Status comment: Fixed upstream in 1.26.2 and patch available from upstream => Fixed upstream in 1.26.2 and patch available from upstream and Ubuntu

Comment 1 Lewis Smith 2024-06-10 20:38:01 CEST
This looks like the patches:
Patches:
upstream: https://github.com/mate-desktop/atril/commit/e70b21c815418a1e6ebedf6d8d31b8477c03ba50

Another to assign globally.

Assignee: bugsquad => pkg-bugs

Comment 2 Nicolas Salguero 2024-06-13 13:53:14 CEST
Suggested advisory:
========================

The updated packages fix a security vulnerability:

Atril Document Viewer is the default document reader of the MATE desktop environment for Linux. A path traversal and arbitrary file write vulnerability exists in versions of Atril prior to 1.26.2. This vulnerability is capable of writing arbitrary files anywhere on the filesystem to which the user opening a crafted document has access. The only limitation is that this vulnerability cannot be exploited to overwrite existing files, but that doesn't stop an attacker from achieving Remote Command Execution on the target system. (CVE-2023-52076)

References:
https://ubuntu.com/security/notices/USN-6808-1
========================

Updated packages in core/updates_testing:
========================
atril-1.26.1-1.1.mga9
atril-dvi-1.26.1-1.1.mga9
lib(64)atril3-1.26.1-1.1.mga9
lib(64)atril-devel-1.26.1-1.1.mga9
lib(64)atril-gir1.5.0-1.26.1-1.1.mga9

from SRPM:
atril-1.26.1-1.1.mga9.src.rpm

Assignee: pkg-bugs => qa-bugs
Status comment: Fixed upstream in 1.26.2 and patch available from upstream and Ubuntu => (none)
Status: NEW => ASSIGNED

katnatek 2024-06-13 19:44:53 CEST

Keywords: (none) => advisory

Comment 3 Ben McMonagle 2024-06-14 01:48:29 CEST
x86_64

applied update.

invoke atril.

open PDF and viewed - ok

CC: (none) => westel

Comment 4 Morgan Leijström 2024-06-14 15:32:34 CEST
mga9-64 Plasma X11 nvidia-current

Opened a 360 page pdf multilingual chainsaw manual with text and graphics, print to Boomaga OK.

CC: (none) => fri

Comment 5 Herman Viaene 2024-06-14 17:49:14 CEST
MGA9-64 Plasma Wayland on HP-Pavillon.
On selecting the packages in MCC Install SW from QARepo I get "Sorry, the following package cannot be selected:

- lib64atril-devel-1.26.1-1.1.mga9.x86_64"
Continuing the test as this is not essential for the normal working of atril??
Opened different pdf files with some or more graphical contents, all displays OK.
Good enough for me, if some reasonable explanation is found for the devel package.

CC: (none) => herman.viaene

katnatek 2024-06-14 18:36:30 CEST

CC: (none) => andrewsfarm
Whiteboard: (none) => MGA9-64-OK

Comment 6 Thomas Andrews 2024-06-15 14:11:37 CEST
@Herman: I downloaded the packages with qarepo, then used MCC for install. This MGA9-64 Plasma system did NOT have Atril installed previously. Selecting the devel package wanted a rather long list of dependencies, but was OK with it when I approved the list. I backed out without actually installing because I have no need for all those development packages on this system, then went back, and installed Atril without issues.

I have no idea why it was rejected on your system.
Comment 7 katnatek 2024-06-15 18:25:15 CEST
(In reply to Thomas Andrews from comment #6)
> @Herman: I downloaded the packages with qarepo, then used MCC for install.
> This MGA9-64 Plasma system did NOT have Atril installed previously.
> Selecting the devel package wanted a rather long list of dependencies, but
> was OK with it when I approved the list. I backed out without actually
> installing because I have no need for all those development packages on this
> system, then went back, and installed Atril without issues.
> 
> I have no idea why it was rejected on your system.

I say that he missed a package. I reproduced the issue by not including lib64atril-gir1, but the popup window says why it can't be selected.

Once included, I closed and reopened the rpmdrake application and I can see the same behaviour as you, Thomas.
Comment 8 Tony Blackwell 2024-06-15 23:25:00 CEST
Installed uneventfully.
Opened a 242 page printer manual pdf with lots of diagrams/pics - handled normally

(OT: Noted comment 4.  360 page chainsaw manual.  What is the world coming to?)

CC: (none) => tablackwell

Comment 9 Morgan Leijström 2024-06-16 00:32:43 CEST
Validating.

(In reply to Tony Blackwell from comment #8)
> 360 page chainsaw manual.  What is the world coming to?

After reading it, you realise the manual (thick if printed) is for exercising the chainsaw on - so you do not use it on the seller ;) The carburetor setting screws need a special tool, which I needed to manufacture in my shop before I could trim it to work reliably...

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 10 Mageia Robot 2024-06-16 01:08:44 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2024-0224.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED
