Debian Bug report logs - #868500: atril: CVE-2017-1000083
Reported by: Salvatore Bonaccorso <carnil@debian.org>
Date: Sun, 16 Jul 2017 06:21:02 UTC
Severity: grave
Tags: fixed-upstream, jessie, patch, security, stretch, upstream
Found in versions atril/1.8.1+dfsg1-4, atril/1.16.1-2
Fixed in versions atril/1.16.1-2+deb9u1, atril/1.8.1+dfsg1-4+deb8u1, atril/1.16.1-2.1
Done: Santiago Ruano Rincón <santiagorr@riseup.net>
Bug is archived. No further changes may be made.
Forwarded to https://github.com/mate-desktop/atril/issues/257
Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, MATE Packaging Team <pkg-mate-team@lists.alioth.debian.org>: Bug#868500; Package src:atril. (Sun, 16 Jul 2017 06:21:04 GMT)
Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>: New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, MATE Packaging Team <pkg-mate-team@lists.alioth.debian.org>. (Sun, 16 Jul 2017 06:21:05 GMT)
Message #5 received at submit@bugs.debian.org:
Source: atril
Version: 1.16.1-2
Severity: grave
Tags: security
Justification: user security hole
Hi,
the following vulnerability was published for atril.
CVE-2017-1000083[0]:
Evince command injection vulnerability in CBT handler
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2017-1000083
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000083
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
Marked as found in versions atril/1.8.1+dfsg1-4. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sun, 16 Jul 2017 06:57:05 GMT)
Information forwarded to debian-bugs-dist@lists.debian.org, MATE Packaging Team <pkg-mate-team@lists.alioth.debian.org>: Bug#868500; Package src:atril. (Tue, 18 Jul 2017 13:24:02 GMT)
Acknowledgement sent to Santiago Ruano Rincón <santiagorr@riseup.net>: Extra info received and forwarded to list. Copy sent to MATE Packaging Team <pkg-mate-team@lists.alioth.debian.org>. (Tue, 18 Jul 2017 13:24:02 GMT)
Message #12 received at 868500@bugs.debian.org:
Control: tags -1 + patch
On Sun, 16 Jul 2017 08:19:43 +0200 Salvatore Bonaccorso <carnil@debian.org> wrote:
...
> the following vulnerability was published for atril.
>
> CVE-2017-1000083[0]:
> Evince command injection vulnerability in CBT handler
...
Please, find attached the patch backported from evince's fix.
Cheers,
-- Santiago
[1-CVE-2017-1000083-comics-Remove-support-for-tar-and-tar-like-command.patch (text/x-diff, attachment)]
Added tag(s) patch. Request was from Santiago Ruano Rincón <santiagorr@riseup.net> to 868500-submit@bugs.debian.org. (Tue, 18 Jul 2017 13:24:02 GMT)
Information forwarded to debian-bugs-dist@lists.debian.org, MATE Packaging Team <pkg-mate-team@lists.alioth.debian.org>: Bug#868500; Package src:atril. (Fri, 21 Jul 2017 21:30:02 GMT)
Acknowledgement sent to Mike Gabriel <sunweaver@debian.org>: Extra info received and forwarded to list. Copy sent to MATE Packaging Team <pkg-mate-team@lists.alioth.debian.org>. (Fri, 21 Jul 2017 21:30:02 GMT)
Message #19 received at 868500@bugs.debian.org:
On Fr 21 Jul 2017 12:01:13 CEST, Santiago Ruano Rincón wrote:
> On 21/07/17 at 09:50, Mike Gabriel wrote:
>> Hi Santiago,
>>
>> On Fr 21 Jul 2017 11:46:08 CEST, Santiago Ruano Rincón wrote:
>>
>> > Hi,
>> >
>> > On 20/07/17 at 21:50, Salvatore Bonaccorso wrote:
>> > > Hi Santiago
>> > >
>> > > On Wed, Jul 19, 2017 at 03:05:29PM +0200, Santiago Ruano Rincón wrote:
>> > > > On 18/07/17 at 15:21, Santiago Ruano Rincón wrote:
>> > > > > Control: tags -1 + patch
>> > > > >
>> > > > > On Sun, 16 Jul 2017 08:19:43 +0200 Salvatore Bonaccorso
>
> […]
>
>>
>> Please provide the .debdiff of your upload with the original bug report, so
>> we can weave it into the packaging Git.
>
> Sorry, here it is.
>
> Santiago
Thanks! Git has been updated for the 1.16.1-2.1 upload.
Mike
--
mike gabriel aka sunweaver (Debian Developer)
mobile: +49 (1520) 1976 148
landline: +49 (4354) 8390 139
GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22 0782 9AF4 6B30 2577 1B31
mail: sunweaver@debian.org, http://sunweavers.net
Information forwarded to debian-bugs-dist@lists.debian.org, MATE Packaging Team <pkg-mate-team@lists.alioth.debian.org>: Bug#868500; Package src:atril. (Sat, 22 Jul 2017 01:03:03 GMT)
Acknowledgement sent to ZenWalker <scow@riseup.net>: Extra info received and forwarded to list. Copy sent to MATE Packaging Team <pkg-mate-team@lists.alioth.debian.org>. (Sat, 22 Jul 2017 01:03:03 GMT)
Message #24 received at 868500@bugs.debian.org:
we don't need to remove the tar support
it was fixed in the upstream with this patch:
https://github.com/mate-desktop/atril/commit/f4291fd62f7dfe6460d2406a979ccfac0c68dd59.patch
Added tag(s) jessie, stretch, upstream, and fixed-upstream. Request was from ZenWalker <scow@riseup.net> to control@bugs.debian.org. (Sat, 22 Jul 2017 01:09:04 GMT)
Reply sent to Santiago Ruano Rincón <santiagorr@riseup.net>: You have taken responsibility. (Sat, 22 Jul 2017 21:22:45 GMT)
Notification sent to Salvatore Bonaccorso <carnil@debian.org>: Bug acknowledged by developer. (Sat, 22 Jul 2017 21:22:45 GMT)
Message #33 received at 868500-close@bugs.debian.org:
Source: atril
Source-Version: 1.16.1-2+deb9u1
We believe that the bug you reported is fixed in the latest version of
atril, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 868500@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Santiago Ruano Rincón <santiagorr@riseup.net> (supplier of updated atril package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Fri, 21 Jul 2017 06:59:09 +0200
Source: atril
Binary: atril atril-common libatrilview3 libatrilview-dev libatrildocument3 libatrildocument-dev gir1.2-atril
Architecture: source
Version: 1.16.1-2+deb9u1
Distribution: stretch-security
Urgency: high
Maintainer: MATE Packaging Team <pkg-mate-team@lists.alioth.debian.org>
Changed-By: Santiago Ruano Rincón <santiagorr@riseup.net>
Description:
atril - MATE document viewer
atril-common - MATE document viewer (common files)
gir1.2-atril - GObject introspection data for Atril
libatrildocument-dev - MATE document rendering library (development files)
libatrildocument3 - MATE document rendering library
libatrilview-dev - MATE document viewing library (development files)
libatrilview3 - MATE document viewing library
Closes: 868500
Changes:
atril (1.16.1-2+deb9u1) stretch-security; urgency=high
.
* Non-maintainer upload
* Add 0001-CVE-2017-1000083-comics-Remove-support-for-tar-and-tar-like-command.patch
Fixes a command injection vulnerability in CBT handler. CVE-2017-1000083
(Closes: #868500)
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
Reply sent to Santiago Ruano Rincón <santiagorr@riseup.net>: You have taken responsibility. (Sat, 22 Jul 2017 21:22:47 GMT)
Notification sent to Salvatore Bonaccorso <carnil@debian.org>: Bug acknowledged by developer. (Sat, 22 Jul 2017 21:22:47 GMT)
Message #38 received at 868500-close@bugs.debian.org:
Source: atril
Source-Version: 1.8.1+dfsg1-4+deb8u1
We believe that the bug you reported is fixed in the latest version of
atril, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 868500@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Santiago Ruano Rincón <santiagorr@riseup.net> (supplier of updated atril package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Fri, 21 Jul 2017 07:00:08 +0200
Source: atril
Binary: atril atril-dbg atril-common libatrilview3 libatrilview-dev libatrilview3-dbg libatrildocument3 libatrildocument-dev libatrildocument3-dbg
Architecture: source all amd64
Version: 1.8.1+dfsg1-4+deb8u1
Distribution: jessie-security
Urgency: high
Maintainer: MATE Packaging Team <pkg-mate-team@lists.alioth.debian.org>
Changed-By: Santiago Ruano Rincón <santiagorr@riseup.net>
Description:
atril - MATE document viewer
atril-common - MATE document viewer (common files)
atril-dbg - MATE document viewer (debugging symbols)
libatrildocument-dev - MATE document rendering library (development files)
libatrildocument3 - MATE document rendering library
libatrildocument3-dbg - MATE document rendering library (debugging symbols)
libatrilview-dev - MATE document viewing library (development files)
libatrilview3 - MATE document viewing library
libatrilview3-dbg - MATE document viewing library (debugging symbols)
Closes: 868500
Changes:
atril (1.8.1+dfsg1-4+deb8u1) jessie-security; urgency=high
.
* Non-maintainer upload
* Add 0003-CVE-2017-1000083-evince-comics-remove-tar-commands-support-3-10-3.patch
Fixes a command injection vulnerability in CBT handler. CVE-2017-1000083
(Closes: #868500)
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
Added tag(s) pending. Request was from Mike Gabriel <mike.gabriel@das-netzwerkteam.de> to control@bugs.debian.org. (Mon, 24 Jul 2017 08:24:05 GMT)
Message sent on to Salvatore Bonaccorso <carnil@debian.org>: Bug#868500. (Mon, 24 Jul 2017 08:24:07 GMT)
Message #43 received at 868500-submitter@bugs.debian.org:
tag 868500 pending
thanks
Hello,
Bug #868500 reported by you has been fixed in the Git repository. You can
see the changelog below, and you can check the diff of the fix at:
https://anonscm.debian.org/cgit/pkg-mate/atril.git/commit/?id=d382faf
---
commit d382faf262ab92735199ada02c622e30a1dda27f
Author: Santiago Ruano Rincón <santiagorr@riseup.net>
Date: Mon Jul 24 10:20:01 2017 +0200
upload to jessie-security (debian/1.8.1+dfsg1-4+deb8u1)
diff --git a/debian/changelog b/debian/changelog
index a4e94f8..c1fd0c5 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,12 @@
+atril (1.8.1+dfsg1-4+deb8u1) jessie-security; urgency=high
+
+ * Non-maintainer upload
+ * Add 0003-CVE-2017-1000083-evince-comics-remove-tar-commands-support-3-10-3.patch
+ Fixes a command injection vulnerability in CBT handler. CVE-2017-1000083
+ (Closes: #868500)
+
+ -- Santiago Ruano Rincón <santiagorr@riseup.net> Fri, 21 Jul 2017 07:00:08 +0200
+
atril (1.8.1+dfsg1-4) unstable; urgency=medium
* debian/patches:
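Review bot: The new changelog entry, in the two lines under "* Add 0003-CVE-2017-1000083-evince-comics-remove-tar-commands-support-3-10-3.patch", says only that a command injection in the CBT handler is fixed, while the patch file name indicates the fix works by removing tar command support. That is a user-visible behaviour change in a security upload, so the entry should state it, for example with an extra line saying that tar-based comic book archives are no longer supported. The "* Non-maintainer upload" line is also missing the trailing period that the conventional NMU changelog line carries.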
Reply sent to Santiago Ruano Rincón <santiagorr@riseup.net>: You have taken responsibility. (Mon, 24 Jul 2017 10:06:06 GMT)
Notification sent to Salvatore Bonaccorso <carnil@debian.org>: Bug acknowledged by developer. (Mon, 24 Jul 2017 10:06:06 GMT)
Message #48 received at 868500-close@bugs.debian.org:
Source: atril
Source-Version: 1.16.1-2.1
We believe that the bug you reported is fixed in the latest version of
atril, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 868500@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Santiago Ruano Rincón <santiagorr@riseup.net> (supplier of updated atril package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Fri, 21 Jul 2017 06:59:09 +0200
Source: atril
Binary: atril atril-common libatrilview3 libatrilview-dev libatrildocument3 libatrildocument-dev gir1.2-atril
Architecture: source
Version: 1.16.1-2.1
Distribution: unstable
Urgency: high
Maintainer: MATE Packaging Team <pkg-mate-team@lists.alioth.debian.org>
Changed-By: Santiago Ruano Rincón <santiagorr@riseup.net>
Description:
atril - MATE document viewer
atril-common - MATE document viewer (common files)
gir1.2-atril - GObject introspection data for Atril
libatrildocument-dev - MATE document rendering library (development files)
libatrildocument3 - MATE document rendering library
libatrilview-dev - MATE document viewing library (development files)
libatrilview3 - MATE document viewing library
Closes: 868500
Changes:
atril (1.16.1-2.1) unstable; urgency=high
.
* Non-maintainer upload
* Add 0001-CVE-2017-1000083-comics-Remove-support-for-tar-and-tar-like-command.patch
Fixes a command injection vulnerability in CBT handler. CVE-2017-1000083
(Closes: #868500)
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 10 Dec 2017 07:24:44 GMT)
Last modified: Wed Jun 19 14:12:19 2019