1730582 – (CVE-2019-1010006) CVE-2019-1010006 evince: buffer overflow in backend/tiff/tiff-document.c leads to DOS/possible code execution

Bug 1730582 (CVE-2019-1010006) - CVE-2019-1010006 evince: buffer overflow in backend/tiff/tiff-document.c leads to DOS/possible code execution

Summary: CVE-2019-1010006 evince: buffer overflow in backend/tiff/tiff-document.c lead...

Keywords:
Status:	CLOSED NOTABUG
Alias:	CVE-2019-1010006
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	1730584 1731888
Blocks:	1730587
TreeView+	depends on / blocked

Reported:	2019-07-17 07:40 UTC by Dhananjay Arunesh
Modified:	2019-09-29 15:17 UTC (History)
CC List:	10 users (show)
Fixed In Version:	evince 3.27.91, evince 3.28.0
Clone Of:
Environment:
Last Closed:	2019-07-23 03:47:54 UTC
Embargoed:

Attachments	(Terms of Use)

Description Dhananjay Arunesh 2019-07-17 07:40:28 UTC

Evince 3.26.0 is affected by buffer overflow. The impact is: DOS / Possible code
execution. The component is: backend/tiff/tiff-document.c. The attack vector is:
Victin must open a crafted PDF file.

Reference:
http://bugzilla.maptools.org/show_bug.cgi?id=2745

Comment 1 Dhananjay Arunesh 2019-07-17 07:40:49 UTC

Created evince tracking bugs for this issue:

Affects: fedora-all [bug 1730584]

Comment 2 Marek Kašík 2019-07-18 14:09:56 UTC

This was fixed in 3.28 according to the upstream bug. Are you able to reproduce this on a supported version of Fedora? I see some artefacts due to wrong sizes but no invalid write.

Comment 3 Huzaifa S. Sidhpurwala 2019-07-19 10:04:57 UTC

In reply to comment #2:
> This was fixed in 3.28 according to the upstream bug. Are you able to
> reproduce this on a supported version of Fedora? I see some artefacts due to
> wrong sizes but no invalid write.

I am not able to reproduce this on evince-3.32.0-3.fc30.x86_64, the pdf does not render at all, but no invalid writes etc.

Comment 4 Huzaifa S. Sidhpurwala 2019-07-22 09:44:35 UTC

Upstream commits: 

https://gitlab.gnome.org/GNOME/evince/commit/e6ed0d4
https://gitlab.gnome.org/GNOME/evince/commit/e02fe91

Both of these commits are part of evince-3.27.91 etc.

Note You need to log in before you can comment on or make changes to this bug.