Bug 1730582 (CVE-2019-1010006)

Summary: CVE-2019-1010006 evince: buffer overflow in backend/tiff/tiff-document.c leads to DOS/possible code execution
Product: [Other] Security Response Reporter: Dhananjay Arunesh <darunesh>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: caillon+fedoraproject, feborges, gnome-sig, huzaifas, john.j5live, mclasen, mkasik, rhughes, rstrode, sandmann
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: evince 3.27.91, evince 3.28.0 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2019-07-23 03:47:54 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1730584, 1731888    
Bug Blocks: 1730587    

Description Dhananjay Arunesh 2019-07-17 07:40:28 UTC 
Evince 3.26.0 is affected by buffer overflow. The impact is: DOS / Possible code
execution. The component is: backend/tiff/tiff-document.c. The attack vector is:
Victin must open a crafted PDF file.

Reference:
http://bugzilla.maptools.org/show_bug.cgi?id=2745
Comment 1 Dhananjay Arunesh 2019-07-17 07:40:49 UTC 
Created evince tracking bugs for this issue:

Affects: fedora-all [bug 1730584]
Comment 2 Marek Kašík 2019-07-18 14:09:56 UTC 
This was fixed in 3.28 according to the upstream bug. Are you able to reproduce this on a supported version of Fedora? I see some artefacts due to wrong sizes but no invalid write.
Comment 3 Huzaifa S. Sidhpurwala 2019-07-19 10:04:57 UTC 
In reply to comment #2:
> This was fixed in 3.28 according to the upstream bug. Are you able to
> reproduce this on a supported version of Fedora? I see some artefacts due to
> wrong sizes but no invalid write.

I am not able to reproduce this on evince-3.32.0-3.fc30.x86_64, the pdf does not render at all, but no invalid writes etc.
Comment 4 Huzaifa S. Sidhpurwala 2019-07-22 09:44:35 UTC 
Upstream commits: 

https://gitlab.gnome.org/GNOME/evince/commit/e6ed0d4
https://gitlab.gnome.org/GNOME/evince/commit/e02fe91

Both of these commits are part of evince-3.27.91 etc.