Debian Security Advisory

DSA-4624-1 evince -- security update

Date Reported:
14 Feb 2020
Affected Packages:
Security database references:
In the Debian bugtracking system: Bug 927820.
In Mitre's CVE dictionary: CVE-2017-1000159, CVE-2019-11459, CVE-2019-1010006.
More information:

Several vulnerabilities were discovered in evince, a simple multi-page document viewer.

  • CVE-2017-1000159

    Tobias Mueller reported that the DVI exporter in evince is susceptible to a command injection vulnerability via specially crafted filenames.

  • CVE-2019-11459

    Andy Nguyen reported that the tiff_document_render() and tiff_document_get_thumbnail() functions in the TIFF document backend did not handle errors from TIFFReadRGBAImageOriented(), leading to disclosure of uninitialized memory when processing TIFF image files.

  • CVE-2019-1010006

    A buffer overflow vulnerability in the tiff backend could lead to denial of service, or potentially the execution of arbitrary code if a specially crafted PDF file is opened.

For the oldstable distribution (stretch), these problems have been fixed in version 3.22.1-3+deb9u2.

For the stable distribution (buster), these problems have been fixed in version 3.30.2-3+deb10u1. The stable distribution is only affected by CVE-2019-11459.

We recommend that you upgrade your evince packages.

For the detailed security status of evince please refer to its security tracker page at: