Debian Security Advisory
DLA-1881-1 evince -- LTS security update
- Date Reported:
- 13 Aug 2019
- Affected Packages:
- evince
- Security database references:
- In Mitre's CVE dictionary: CVE-2017-1000159, CVE-2019-11459, CVE-2019-1010006.
- More information:
A few issues were found in the Evince document viewer.
When printing from DVI to PDF, the dvipdfm tool was called without properly sanitizing the filename, which could lead to a command injection attack via the filename.
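The defect described above is the classic shape of a command-injection bug: a filename chosen by whoever supplied the document is spliced into a string that a shell then parses. The following C example is added here as an illustration and is not evince's code; the `dvipdfm -o <pdf> <dvi>` argument order and all function names are assumptions. It shows the unsafe string construction beside the two usual fixes: passing an argv vector to `execvp()`/`posix_spawn()` so no shell is involved, and, where a shell cannot be avoided, single-quoting the filename.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Vulnerable pattern: the filename is spliced into a shell command line.
 * A shell parsing this string treats metacharacters in the name (quotes,
 * `&`, `;`, `$(...)`) as syntax rather than as part of the filename. */
char *build_shell_command_unsafe(const char *dvi, const char *pdf)
{
    size_t n = strlen(dvi) + strlen(pdf) + 32;
    char *cmd = malloc(n);
    if (!cmd)
        return NULL;
    snprintf(cmd, n, "dvipdfm -o %s %s", pdf, dvi);
    return cmd;
}

/* Hardened pattern 1: build an argv vector for execvp()/posix_spawn().
 * No shell sees the filename, so it stays one opaque argument. */
char **build_argv(const char *dvi, const char *pdf)
{
    char **argv = calloc(5, sizeof *argv);
    if (!argv)
        return NULL;
    argv[0] = strdup("dvipdfm");
    argv[1] = strdup("-o");
    argv[2] = strdup(pdf);
    argv[3] = strdup(dvi);
    argv[4] = NULL;
    return argv;
}

void free_argv(char **argv)
{
    if (!argv)
        return;
    for (char **p = argv; *p; p++)
        free(*p);
    free(argv);
}

/* Hardened pattern 2: when a shell is unavoidable, wrap the value in single
 * quotes and turn every embedded ' into '\'' so nothing inside is parsed. */
char *shell_quote(const char *s)
{
    size_t quotes = 0;
    for (const char *p = s; *p; p++)
        if (*p == '\'')
            quotes++;
    /* two outer quotes + NUL + 3 extra bytes per embedded quote */
    size_t n = strlen(s) + 3 + quotes * 3;
    char *out = malloc(n);
    if (!out)
        return NULL;
    char *o = out;
    *o++ = '\'';
    for (const char *p = s; *p; p++) {
        if (*p == '\'') {
            memcpy(o, "'\\''", 4);
            o += 4;
        } else {
            *o++ = *p;
        }
    }
    *o++ = '\'';
    *o = '\0';
    return out;
}

int main(void)
{
    /* Constructed filename containing shell metacharacters. */
    const char *name = "my thesis (v2) & notes.dvi";
    char *unsafe = build_shell_command_unsafe(name, "out.pdf");
    char *quoted = shell_quote(name);
    char **argv = build_argv(name, "out.pdf");
    printf("unsafe command : %s\n", unsafe);
    printf("quoted filename: %s\n", quoted);
    printf("argv[3]        : %s\n", argv[3]);
    free(unsafe);
    free(quoted);
    free_argv(argv);
    return 0;
}
```

The argv form is the one to prefer: it removes the shell from the picture entirely, so there is nothing left to sanitise. `shell_quote()` is only for the case where an existing interface insists on a command string.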
The tiff_document_render() and tiff_document_get_thumbnail() functions did not check the return status of TIFFReadRGBAImageOriented(), leading to uninitialized memory access if that function fails.
Some buffer overflow checks were not performed correctly, leading to an application crash or possibly arbitrary code execution when opening maliciously crafted files.
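The two preceding items are both about checks a renderer must make before trusting a pixel buffer: that the library call actually filled it, and that the buffer's size was computed without overflow. The C example below is added here and is not evince's or libtiff's code; `FakeTiff` and `fake_read_rgba_image()` are constructed stand-ins for a `TIFF*` handle and for `TIFFReadRGBAImageOriented()`, which returns 1 on success and 0 on failure. It places the unchecked render next to a checked one and adds an overflow-safe size computation.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed stand-in for a libtiff TIFF handle; `fail` lets the example
 * simulate a read failure. Not the evince or libtiff type. */
typedef struct {
    uint32_t width;
    uint32_t height;
    int fail;
} FakeTiff;

/* Stand-in for TIFFReadRGBAImageOriented(): like the real call it returns
 * 1 on success and 0 on failure, and on failure it writes nothing into
 * `raster`, so the caller's buffer keeps whatever malloc() left there. */
static int fake_read_rgba_image(FakeTiff *tif, uint32_t w, uint32_t h,
                                uint32_t *raster)
{
    if (tif->fail)
        return 0;
    for (uint64_t i = 0; i < (uint64_t)w * h; i++)
        raster[i] = 0xFF00FF00u;   /* constructed pixel value */
    return 1;
}

/* Overflow-safe byte count for a w*h RGBA raster. Returns 0 when either
 * dimension is zero or the product would not fit in size_t, so a crafted
 * header cannot produce an undersized allocation. */
size_t raster_bytes(uint32_t w, uint32_t h)
{
    if (w == 0 || h == 0)
        return 0;
    if ((size_t)w > SIZE_MAX / sizeof(uint32_t) / h)
        return 0;
    return (size_t)w * h * sizeof(uint32_t);
}

/* Unchecked pattern (the defect the advisory describes): the read status is
 * ignored, so after a failure a buffer with never-written contents is
 * handed back to the caller. */
uint32_t *render_unchecked(FakeTiff *tif)
{
    size_t n = raster_bytes(tif->width, tif->height);
    uint32_t *pixels = n ? malloc(n) : NULL;
    if (!pixels)
        return NULL;
    fake_read_rgba_image(tif, tif->width, tif->height, pixels);
    return pixels;   /* uninitialised if the read failed */
}

/* Checked pattern: a zero return is an error; release the buffer and
 * report failure instead of exposing uninitialised memory. */
uint32_t *render_checked(FakeTiff *tif)
{
    size_t n = raster_bytes(tif->width, tif->height);
    uint32_t *pixels = n ? malloc(n) : NULL;
    if (!pixels)
        return NULL;
    if (!fake_read_rgba_image(tif, tif->width, tif->height, pixels)) {
        free(pixels);
        return NULL;
    }
    return pixels;
}

int main(void)
{
    FakeTiff good = { 4, 4, 0 }, bad = { 4, 4, 1 };
    uint32_t *p = render_checked(&good);
    printf("good image: %s\n", p ? "rendered" : "failed");
    free(p);
    p = render_checked(&bad);
    printf("bad image:  %s\n", p ? "rendered" : "failed");
    free(p);
    return 0;
}
```

The caller of `render_checked()` gets `NULL` for both a failed read and an impossible size, so one error path covers both classes of defect named in the advisory.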
For Debian 8 "Jessie", these problems have been fixed in version 3.14.1-2+deb8u3.
We recommend that you upgrade your evince packages.
Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS