[SECURITY] [DLA 1882-1] atril security update

2019-08-1312:40:27

lists.debian.org

7.8 High

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

6.8 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

0.002 Low

EPSS

Percentile

56.9%

JSON

Package : atril
Version : 1.8.1+dfsg1-4+deb8u2
CVE ID : CVE-2017-1000159 CVE-2019-11459 CVE-2019-1010006

A few issues were found in Atril, the MATE document viewer.

CVE-2017-1000159

When printing from DVI to PDF, the dvipdfm tool was called without
properly sanitizing the filename, which could lead to a command
injection attack via the filename.

CVE-2019-11459

The tiff_document_render() and tiff_document_get_thumbnail() did
not check the status of TIFFReadRGBAImageOriented(), leading to
uninitialized memory access if that funcion fails.

CVE-2019-1010006

Some buffer overflow checks were not properly done, leading to
application crash or possibly arbitrary code execution when
opening maliciously crafted files.

For Debian 8 "Jessie", these problems have been fixed in version
1.8.1+dfsg1-4+deb8u2.

We recommend that you upgrade your atril packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

OSVersionArchitecturePackageVersionFilename
Debian9mipsbrowser-plugin-evince-dbgsym< 3.22.1-3+deb9u2browser-plugin-evince-dbgsym_3.22.1-3+deb9u2_mips.deb
Debian9ppc64elevince-gtk< 3.22.1-3+deb9u2evince-gtk_3.22.1-3+deb9u2_ppc64el.deb
Debian9armhfevince-dbgsym< 3.22.1-3+deb9u2evince-dbgsym_3.22.1-3+deb9u2_armhf.deb
Debian10ppc64elgir1.2-atrildocument-1.5.0< 1.20.3-1+deb10u1gir1.2-atrildocument-1.5.0_1.20.3-1+deb10u1_ppc64el.deb
Debian10mipsgir1.2-atril< 1.20.3-1+deb10u1gir1.2-atril_1.20.3-1+deb10u1_mips.deb
Debian8armellibevdocument3-4< 3.14.1-2+deb8u3libevdocument3-4_3.14.1-2+deb8u3_armel.deb
Debian9mipselevince< 3.22.1-3+deb9u2evince_3.22.1-3+deb9u2_mipsel.deb
Debian9i386libevdocument3-4-dbgsym< 3.22.1-3+deb9u2libevdocument3-4-dbgsym_3.22.1-3+deb9u2_i386.deb
Debian9mipsellibatrildocument-dev< 1.16.1-2+deb9u2libatrildocument-dev_1.16.1-2+deb9u2_mipsel.deb
Debian8i386libatrilview3-dbg< 1.8.1+dfsg1-4+deb8u2libatrilview3-dbg_1.8.1+dfsg1-4+deb8u2_i386.deb

OS	Version	Architecture	Package	Version	Filename
Debian	9	mips	browser-plugin-evince-dbgsym	< 3.22.1-3+deb9u2	browser-plugin-evince-dbgsym_3.22.1-3+deb9u2_mips.deb
Debian	9	ppc64el	evince-gtk	< 3.22.1-3+deb9u2	evince-gtk_3.22.1-3+deb9u2_ppc64el.deb
Debian	9	armhf	evince-dbgsym	< 3.22.1-3+deb9u2	evince-dbgsym_3.22.1-3+deb9u2_armhf.deb
Debian	10	ppc64el	gir1.2-atrildocument-1.5.0	< 1.20.3-1+deb10u1	gir1.2-atrildocument-1.5.0_1.20.3-1+deb10u1_ppc64el.deb
Debian	10	mips	gir1.2-atril	< 1.20.3-1+deb10u1	gir1.2-atril_1.20.3-1+deb10u1_mips.deb
Debian	8	armel	libevdocument3-4	< 3.14.1-2+deb8u3	libevdocument3-4_3.14.1-2+deb8u3_armel.deb
Debian	9	mipsel	evince	< 3.22.1-3+deb9u2	evince_3.22.1-3+deb9u2_mipsel.deb
Debian	9	i386	libevdocument3-4-dbgsym	< 3.22.1-3+deb9u2	libevdocument3-4-dbgsym_3.22.1-3+deb9u2_i386.deb
Debian	9	mipsel	libatrildocument-dev	< 1.16.1-2+deb9u2	libatrildocument-dev_1.16.1-2+deb9u2_mipsel.deb
Debian	8	i386	libatrilview3-dbg	< 1.8.1+dfsg1-4+deb8u2	libatrilview3-dbg_1.8.1+dfsg1-4+deb8u2_i386.deb