
Bug#1061522: marked as done (atril: CVE-2023-52076)



Your message dated Tue, 30 Jan 2024 13:34:28 +0000
with message-id <E1rUoFw-00AzP3-Ay@fasolo.debian.org>
and subject line Bug#1061522: fixed in atril 1.26.2-1
has caused the Debian Bug report #1061522,
regarding atril: CVE-2023-52076
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1061522: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1061522
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Source: atril
Version: 1.26.1-4
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>

Hi,

The following vulnerability was published for atril.

CVE-2023-52076[0]:
| Atril Document Viewer is the default document reader of the MATE
| desktop environment for Linux. A path traversal and arbitrary file
| write vulnerability exists in versions of Atril prior to 1.26.2.
| This vulnerability is capable of writing arbitrary files anywhere on
| the filesystem to which the user opening a crafted document has
| access. The only limitation is that this vulnerability cannot be
| exploited to overwrite existing files, but that doesn't stop an
| attacker from achieving Remote Command Execution on the target
| system. Version 1.26.2 of Atril contains a patch for this
| vulnerability.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-52076
    https://www.cve.org/CVERecord?id=CVE-2023-52076
[1] https://github.com/mate-desktop/atril/security/advisories/GHSA-6mf6-mxpc-jc37
[2] https://github.com/mate-desktop/atril/commit/e70b21c815418a1e6ebedf6d8d31b8477c03ba50

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: atril
Source-Version: 1.26.2-1
Done: Mike Gabriel <sunweaver@debian.org>

We believe that the bug you reported is fixed in the latest version of
atril, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1061522@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Mike Gabriel <sunweaver@debian.org> (supplier of updated atril package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Tue, 30 Jan 2024 14:03:41 +0100
Source: atril
Architecture: source
Version: 1.26.2-1
Distribution: unstable
Urgency: medium
Maintainer: Debian+Ubuntu MATE Packaging Team <debian-mate@lists.debian.org>
Changed-By: Mike Gabriel <sunweaver@debian.org>
Closes: 1061522
Changes:
 atril (1.26.2-1) unstable; urgency=medium
 .
   * New upstream release.
     - CVE-2023-52076: epub: Prevent path traversal when extracting files.
       (Closes: #1061522).
   * debian/patches:
     + Drop 0001-Use-a-blank-line-at-most.patch, 0002-comics-Use-libarchive-to-
       unpack-documents.patch and 1001-webkit2gtk4.1.patch, rebase 1002-avoid-
       crash-on-certain-epub-files.patch.
   * debian/copyright:
     + Update copyright attribution for debian/.
Checksums-Sha1:
 8fc7ad532a3a75ab7b6668f2a46460d64bc7ef5d 3111 atril_1.26.2-1.dsc
 887b2af873ff3d5f1a6863a461fcba887c5459c1 1446416 atril_1.26.2.orig.tar.xz
 4b9fef92673454f9aa3bd1dacd975c27ac6d7973 20440 atril_1.26.2-1.debian.tar.xz
 eced77cf64f0e9bfea097ab76c44f86b7b06a869 17679 atril_1.26.2-1_source.buildinfo
Checksums-Sha256:
 7555a183d1666e6825966423c9a1fc0fb7711d02d3c0db8554c8126a7a8fbfa9 3111 atril_1.26.2-1.dsc
 e3638b52552ea7cd71db81602ffecd2d39b99eab46336eaec11b30e6f5b475af 1446416 atril_1.26.2.orig.tar.xz
 e4291057a99b1958e7874710424b96aee9ac9db14d79542d931830c1b9db855f 20440 atril_1.26.2-1.debian.tar.xz
 7ed76e05c0e283eb137bc97f19b9a47d67ec0ddb1d076a1719a53d3e392edaa1 17679 atril_1.26.2-1_source.buildinfo
Files:
 b2ceb1da438fe85bcedcbb49cab27621 3111 x11 optional atril_1.26.2-1.dsc
 e020f5af934b90705bd69146c89f3577 1446416 x11 optional atril_1.26.2.orig.tar.xz
 38b806e856e0c6e3cd45279ceca025da 20440 x11 optional atril_1.26.2-1.debian.tar.xz
 0a92dfac63080892588d31d1198cd311 17679 x11 optional atril_1.26.2-1_source.buildinfo

-----BEGIN PGP SIGNATURE-----

iQJJBAEBCAAzFiEEm/uu6GwKpf+/IgeCmvRrMCV3GzEFAmW493IVHHN1bndlYXZl
ckBkZWJpYW4ub3JnAAoJEJr0azAldxsxJ1QP/07C2LDgTUmOlq7x99T0C4qCaeQ2
au+Sja/NsgWNgMUWgnZHGkk3VKEeo5ldg8SCnXhteUEV7PyrGoyYk5yxnK1MjUBp
UpRcczd8u9iW1EZYrWEZ8EigKBN9egiScL2JCdIuKDIusPmxBxkL2F4AIrXqNFkr
cdrOgx6mX+rmMjTjRbBnsT0ffLu7c1TLkMdPVbBa7WruNEh2o8JmPy7419lNBI99
P3waBMNwVvGAb9zsvZYJlplbqi5T7HOrxQr8heSS2xOYHt4yCmYxnNdceGwZJMhE
AKF0TGnYEE22zOyFGo4VoXKyx3N5Rjj5mrLpHE84MtDB3oq/KglMc4wUb676PWgc
jb+nSk/UOhP2aZ1taVHbQCMbIeFnsEVn98oAvfxFcHdf5ir5yNKJyTS10VmihhgK
Yf/a7j653pk8u/awsZYGF3l0hiGXaRhq/YBzIIge/qnzfUkfjXpdjhL19H8ODwxf
eOT27uBEj82a4HsZNzzjS8WsXuWUECUtZPej+8l6llkA8deng9sMJcdyyN80LCXd
p6QiWX1wBAomJXWf/h8eS3lKdWRppDTudIR13q0qv5x4MdMPQGMabXVtYToEMvu5
EEfUjqR8w1iJSFNUevgI7n5yfMD6DcvAEpV/CI8FkXwN2HbuQTacgp4Kk3QtzExB
r+AYwQEEevNFY5JE
=Gyy/
-----END PGP SIGNATURE-----

--- End Message ---
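The report quoted above describes the bug class (a crafted EPUB, which is a zip archive, carrying member names that escape the extraction directory), and the changelog entry summarises the fix as "Prevent path traversal when extracting files". The following is an added illustration of that check, written for this page; it is not atril's code, not the upstream commit, and is in Python rather than atril's C. The archive it builds, the member names and every helper name (build_crafted_epub, resolve_member, safe_extract, demo) are constructed for the example. The extractor is deliberately hand-rolled rather than using zipfile.extractall, because the latter sanitises names on its own and would hide the pattern a string-concatenating extractor gets wrong.

```python
import io
import os
import tempfile
import zipfile
from typing import Optional


def build_crafted_epub() -> bytes:
    """Constructed sample (not a real malicious document): an EPUB-shaped zip
    with two benign members, one '../' traversal member that would land in the
    user's autostart directory, and one absolute-path member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("mimetype", "application/epub+zip")
        zf.writestr("OEBPS/chapter1.xhtml", "<html><body>ok</body></html>")
        zf.writestr("../../.config/autostart/evil.desktop", "[Desktop Entry]\n")
        zf.writestr("/tmp/evil.txt", "x\n")
    return buf.getvalue()


def resolve_member(dest: str, name: str) -> Optional[str]:
    """Return the absolute path a member would be written to, or None when that
    path falls outside dest. dest must already be absolute and resolved."""
    # os.path.join throws dest away if name is absolute, and normpath collapses
    # '..' components, so target is exactly where a naive extractor would write.
    target = os.path.normpath(os.path.join(dest, name))
    # commonpath (not startswith) so that dest='/srv/x' does not accept '/srv/xy'.
    if target == dest or os.path.commonpath([dest, target]) != dest:
        return None
    return target


def safe_extract(data: bytes, dest: str) -> dict:
    """Extract every member that resolves under dest, refuse the rest."""
    dest = os.path.realpath(dest)  # resolve symlinks before comparing paths
    extracted, rejected = [], []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            target = resolve_member(dest, info.filename)
            if target is None:
                rejected.append(info.filename)
                continue
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            # 'xb' refuses to clobber an existing file, so even a missed check
            # could only create new files, never replace trusted ones.
            with zf.open(info) as src, open(target, "xb") as dst:
                dst.write(src.read())
            extracted.append(os.path.relpath(target, dest))
    return {"extracted": extracted, "rejected": rejected}


def demo() -> dict:
    """Run the extractor on the crafted archive in a fresh scratch directory
    and report what was written, what was refused, and what is on disk."""
    with tempfile.TemporaryDirectory() as scratch:
        result = safe_extract(build_crafted_epub(), scratch)
        result["on_disk"] = sorted(
            os.path.relpath(os.path.join(root, f), scratch)
            for root, _, files in os.walk(scratch)
            for f in files
        )
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The check is done on the fully resolved target path rather than by scanning the member name for "..": a name such as "a/../../b" or an absolute name passes a naive substring filter but is caught here because the comparison happens after normalisation, and commonpath avoids the prefix mistake where "/srv/xy" is accepted as being under "/srv/x". Symlinked members are a separate hazard (this extractor never creates links, so they cannot redirect later writes), and the exclusive-create open mirrors the limitation the advisory text notes, that existing files cannot be overwritten, as a deliberate second line of defence rather than something to rely on.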
