Bug 1730582 (CVE-2019-1010006) - CVE-2019-1010006 evince: buffer overflow in backend/tiff/tiff-document.c leads to DOS/possible code execution
Summary: CVE-2019-1010006 evince: buffer overflow in backend/tiff/tiff-document.c lead...
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2019-1010006
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1730584 1731888
Blocks: 1730587
TreeView+ depends on / blocked
 
Reported: 2019-07-17 07:40 UTC by Dhananjay Arunesh
Modified: 2019-09-29 15:17 UTC (History)
10 users (show)

Fixed In Version: evince 3.27.91, evince 3.28.0
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-07-23 03:47:54 UTC
Embargoed:


Attachments (Terms of Use)

Description Dhananjay Arunesh 2019-07-17 07:40:28 UTC
Evince 3.26.0 is affected by buffer overflow. The impact is: DOS / Possible code
execution. The component is: backend/tiff/tiff-document.c. The attack vector is:
Victin must open a crafted PDF file.

Reference:
http://bugzilla.maptools.org/show_bug.cgi?id=2745

Comment 1 Dhananjay Arunesh 2019-07-17 07:40:49 UTC
Created evince tracking bugs for this issue:

Affects: fedora-all [bug 1730584]

Comment 2 Marek Kašík 2019-07-18 14:09:56 UTC
This was fixed in 3.28 according to the upstream bug. Are you able to reproduce this on a supported version of Fedora? I see some artefacts due to wrong sizes but no invalid write.

Comment 3 Huzaifa S. Sidhpurwala 2019-07-19 10:04:57 UTC
In reply to comment #2:
> This was fixed in 3.28 according to the upstream bug. Are you able to
> reproduce this on a supported version of Fedora? I see some artefacts due to
> wrong sizes but no invalid write.

I am not able to reproduce this on evince-3.32.0-3.fc30.x86_64, the pdf does not render at all, but no invalid writes etc.

Comment 4 Huzaifa S. Sidhpurwala 2019-07-22 09:44:35 UTC
Upstream commits: 

https://gitlab.gnome.org/GNOME/evince/commit/e6ed0d4
https://gitlab.gnome.org/GNOME/evince/commit/e02fe91

Both of these commits are part of evince-3.27.91 etc.


Note You need to log in before you can comment on or make changes to this bug.