Security Information / 2020 / Security Information -- DSA-4624-1 evince

Debian Security Advisory

DSA-4624-1 evince -- security update

Date Reported:

14 Feb 2020

Affected Packages:

evince

Vulnerable:

Yes

Security database references:

In the Debian bugtracking system: Bug 927820.
In Mitre's CVE dictionary: CVE-2017-1000159, CVE-2019-11459, CVE-2019-1010006.

More information:

Several vulnerabilities were discovered in evince, a simple multi-page document viewer.

• CVE-2017-1000159

  Tobias Mueller reported that the DVI exporter in evince is susceptible to a command injection vulnerability via specially crafted filenames.

• CVE-2019-11459

  Andy Nguyen reported that the tiff_document_render() and tiff_document_get_thumbnail() functions in the TIFF document backend did not handle errors from TIFFReadRGBAImageOriented(), leading to disclosure of uninitialized memory when processing TIFF image files.

• CVE-2019-1010006

  A buffer overflow vulnerability in the tiff backend could lead to denial of service, or potentially the execution of arbitrary code if a specially crafted PDF file is opened.

For the oldstable distribution (stretch), these problems have been fixed in version 3.22.1-3+deb9u2.

For the stable distribution (buster), these problems have been fixed in version 3.30.2-3+deb10u1. The stable distribution is only affected by CVE-2019-11459.

We recommend that you upgrade your evince packages.

For the detailed security status of evince please refer to its security tracker page at: https://security-tracker.debian.org/tracker/evince