CVE-2010-0433: Buffer overflow

Debian Bug report logs - #614668
CVE-2010-0433: Buffer overflow

Toggle useless messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Moritz Muehlenhoff <jmm@debian.org>

To: Debian Bug Tracking System <submit@bugs.debian.org>

Subject: CVE-2010-0433: Buffer overflow

Date: Tue, 22 Feb 2011 22:59:16 +0100

Package: evince
Severity: grave
Tags: security

Please see https://bugzilla.gnome.org/show_bug.cgi?id=640923 for
a description and patch.

Cheers,
        Moritz

-- System Information:
Debian Release: 6.0
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.37-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Message #10 received at 614668@bugs.debian.org (full text, mbox, reply):

From: Moritz Mühlenhoff <jmm@inutil.org>

To: 614668@bugs.debian.org

Subject: Re: CVE-2010-0433: Buffer overflow

Date: Tue, 22 Feb 2011 23:04:44 +0100

On Tue, Feb 22, 2011 at 10:59:16PM +0100, Moritz Muehlenhoff wrote:
> Package: evince
> Severity: grave
> Tags: security
> 
> Please see https://bugzilla.gnome.org/show_bug.cgi?id=640923 for
> a description and patch.

This is CVE-2011-0433.

Cheers,
        Moritz

Message #15 received at 614668@bugs.debian.org (full text, mbox, reply):

From: Jonathan Wiltshire <jmw@debian.org>

To: 614668@bugs.debian.org

Subject: evince: diff for NMU version 2.30.3-3.1

Date: Wed, 29 Jun 2011 22:56:37 +0100

[Message part 1 (text/plain, inline)]

tags 614668 + patch
tags 614668 + pending
thanks

Dear maintainer,

I've prepared an NMU for evince (versioned as 2.30.3-3.1) and
uploaded it to DELAYED/5. Please feel free to tell me if I
should delay it longer.

Note that the vulnerability fixed in this upload also applies to Squeeze
and probably Lenny, so if it is accepted I will prepare similar uploads for
those suites.

Regards.

-- 
Jonathan Wiltshire                                      jmw@debian.org
Debian Developer                         http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC  74C3 5394 479D D352 4C51

[evince-2.30.3-3.1-nmu.diff (text/x-diff, attachment)]

[signature.asc (application/pgp-signature, inline)]

Message #24 received at 614668-close@bugs.debian.org (full text, mbox, reply):

From: Michael Biebl <biebl@debian.org>

To: 614668-close@bugs.debian.org

Subject: Bug#614668: fixed in evince 2.32.0-1

Date: Mon, 04 Jul 2011 06:47:17 +0000

Source: evince
Source-Version: 2.32.0-1

We believe that the bug you reported is fixed in the latest version of
evince, which is due to be installed in the Debian FTP archive:

evince-common_2.32.0-1_all.deb
  to main/e/evince/evince-common_2.32.0-1_all.deb
evince-dbg_2.32.0-1_i386.deb
  to main/e/evince/evince-dbg_2.32.0-1_i386.deb
evince-gtk_2.32.0-1_i386.deb
  to main/e/evince/evince-gtk_2.32.0-1_i386.deb
evince_2.32.0-1.debian.tar.gz
  to main/e/evince/evince_2.32.0-1.debian.tar.gz
evince_2.32.0-1.dsc
  to main/e/evince/evince_2.32.0-1.dsc
evince_2.32.0-1_i386.deb
  to main/e/evince/evince_2.32.0-1_i386.deb
evince_2.32.0.orig.tar.bz2
  to main/e/evince/evince_2.32.0.orig.tar.bz2
libevince-dev_2.32.0-1_i386.deb
  to main/e/evince/libevince-dev_2.32.0-1_i386.deb
libevince3_2.32.0-1_i386.deb
  to main/e/evince/libevince3_2.32.0-1_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 614668@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Michael Biebl <biebl@debian.org> (supplier of updated evince package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Thu, 30 Jun 2011 01:29:48 +0200
Source: evince
Binary: evince evince-dbg evince-gtk evince-common libevince3 libevince-dev
Architecture: source all i386
Version: 2.32.0-1
Distribution: unstable
Urgency: low
Maintainer: Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>
Changed-By: Michael Biebl <biebl@debian.org>
Description: 
 evince     - Document (PostScript, PDF) viewer
 evince-common - Document (PostScript, PDF) viewer - common files
 evince-dbg - Document (PostScript, PDF) viewer - debugging symbols
 evince-gtk - Document (PostScript, PDF) viewer (GTK+ version)
 libevince-dev - Document (PostScript, PDF) rendering library - development files
 libevince3 - Document (PostScript, PDF) rendering library
Closes: 614668
Changes: 
 evince (2.32.0-1) unstable; urgency=low
 .
   * New upstream release.
   * Refresh debian/patches/02_link_ice.patch.
   * debian/patches/03_dvi_security_CVE-2010-0433.patch:
     - Fix another buffer overflow in the dvi-backend. CVE-2010-0433
       Patch cherry-picked from upstream Git. Closes: #614668
   * debian/control.in
     - Drop Build-Depends on libdbus-glib-1-dev (ported to GDBus).
     - Bump Build-Depends on libgtk2.0-dev to (>= 2.21.5).
     - Bump Build-Depends on libglib2.0-dev to (>= 2.25.11).
     - Bump Build-Depends on libpoppler-glib-dev to (>= 0.14.0).
     - Add Build-Depends on libcairo2-dev (>= 1.9.10) and
       libgail-dev (>= 2.21.5).
     - Bump Standards-Version to 3.9.2. No further changes.
   * Update libevince for soname bump from 2 → 3.
   * debian/evince-common.install:
     - Install gsettings schemas and gconf conversion script.
   * debian/patches/06_new_poppler_api_update.patch
     - Update pdf_document_get_info to new poppler API. Patch cherry-picked
       from upstream Git.
   * Bump debhelper compatibility level to 7.
     - Update Build-Depends on debhelper.
     - Strip debian/tmp/ from .install files.
   * debian/watch: Switch to .bz2 tarballs.
   * Use dh_lintian to install the override files.
Checksums-Sha1: 
 c2463705dc8c3e76d18ca6b74cd8bf8c0b0be22a 2484 evince_2.32.0-1.dsc
 2f06a2b9dfd8667f4b4c6e90be3c49f6fe026fc8 2295272 evince_2.32.0.orig.tar.bz2
 0d6f5c63acbcf58c156b25920064001b635ae474 24174 evince_2.32.0-1.debian.tar.gz
 88df006bc5c59d03cc121292296f73f90e51d500 1593552 evince-common_2.32.0-1_all.deb
 9a6ba4753d6642f31679874336c478cde83f42ef 651018 evince_2.32.0-1_i386.deb
 8c7290510c9101b22f663e854ab59efa0904d07e 1726540 evince-dbg_2.32.0-1_i386.deb
 bd0a7ea91c478afdd55d95ec1dc75d06e785ac32 600272 evince-gtk_2.32.0-1_i386.deb
 c38b5dbaec5528656f444cec421788635d0404dc 783952 libevince3_2.32.0-1_i386.deb
 49c2a4a6c6848927dee7f1e2b326c8a3430f8be8 800932 libevince-dev_2.32.0-1_i386.deb
Checksums-Sha256: 
 6ee69cde97f3f3f40ff9bdce9d1e1561f70a2b2b5acb963567b751b1e3db338e 2484 evince_2.32.0-1.dsc
 2a4c91ae38f8b5028cebb91b9da9ddc50ea8ae3f3d429df89ba351da2d787ff7 2295272 evince_2.32.0.orig.tar.bz2
 46e0dc51d5b4428a978f893a718b99250e0bfa8b1f4d039cc76c3c61eddeddfc 24174 evince_2.32.0-1.debian.tar.gz
 dd69ca6ea58bed1d9b199c6cf6b086840dabe0e6d50c55530a3ccb2271b242c8 1593552 evince-common_2.32.0-1_all.deb
 d98ae7142080c65fc9ff33105278997e9924157c1ac77d8d63331d16028c9c71 651018 evince_2.32.0-1_i386.deb
 2d062c693b71dd0d98c0e8ac4a788b13cb0a58f2dc03123f9e2da9201528b00b 1726540 evince-dbg_2.32.0-1_i386.deb
 b6c8a6fdc668379b3558b36d35953bb3edca6be7d408df9869cf95813afd5c58 600272 evince-gtk_2.32.0-1_i386.deb
 6cb396c1d16cc7b8fb7b79bc80565b7d73ef4b4c40b518facefc0512054bb330 783952 libevince3_2.32.0-1_i386.deb
 19d24be5460a219e0142d3d9286c4363f0a4a7b6b7e5ed687b1fcbff2dd253ed 800932 libevince-dev_2.32.0-1_i386.deb
Files: 
 522506fa7039c3bfdebe9b96c2fbfbfb 2484 gnome optional evince_2.32.0-1.dsc
 ebc3ce6df8dcbf29cb9492f8dd031319 2295272 gnome optional evince_2.32.0.orig.tar.bz2
 bab0e5bc1951e984830f48fa1f3df44e 24174 gnome optional evince_2.32.0-1.debian.tar.gz
 3ba7c989ef667e8e0745f746f46f334a 1593552 gnome optional evince-common_2.32.0-1_all.deb
 cfb9de6f0a7139b9c5d2683d81e16e3b 651018 gnome optional evince_2.32.0-1_i386.deb
 11bbd22bf39ad2277e2621560e822430 1726540 debug extra evince-dbg_2.32.0-1_i386.deb
 dc87d0fa9c21543bbbc4ff25ab48fb46 600272 x11 optional evince-gtk_2.32.0-1_i386.deb
 cab9e37031185cf44b21d1ad011d767f 783952 libs optional libevince3_2.32.0-1_i386.deb
 8a882d5854811f3eebc5a8e9f6ffe850 800932 libdevel optional libevince-dev_2.32.0-1_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iQIcBAEBCAAGBQJOEQVoAAoJEGrh4w1gjyLcg6cP/RUgRSuZvR/5j3f4v3YA703o
IZXdFt5goKcuwGeBsxrF4iUToBtUC5M8zzJBmzJPlInMKZjl95Cg23lwHq3S3U9h
SGkhxKuN2vwXAvXIVXLXnmchpukioI9wCY/fvEJXwaYhXwgHK3FdIcX40gclbXBx
vDhEACCiTREmX8WlVnBq7cCMRs6l6yBAR//WfeLdck8o5ZtiZIF2ebEmDHrdAZY5
kp4LtMpQ534tMbzwZdHuCjKONEdFNIiDuF0OeGx5BHux6Kt2e6l40Mwn2nV/fY2N
CdfDbqnDQ+zdyeqANqDV+KaWuWTlLv/lH7sWl8ApKmSGneGOyDGDl6cXMb1WrWWA
tnMAlRX50Dqe65SnWFLncSw3jEb4fmdYnqD4gKmV+R4ZrInalrILr61DVnndsvm+
RnwJaAWKvru5cjnT3YRPayOSX8e6NGWThyP3jU58jreFp4Py1DzGx8mpr1SCPulk
SOg7D7fTZzCc0HqqIZuhMV5+safGZMf2LsBJuvaxMwYvIu+6txjbqD3Ok3nkB7sg
FJNHw06+Ld6F2bRb4X4k4xoBEN2Ltoobdl6wXPKWSTw8b+0R7jATe3M9hMODG67o
CR/HQMVZ+E+Rvl3JrvtqHmasT682mo4b/YopL5n2rLOIWwMLAUbaIB8uXpqiY9YD
SqrWgXRfawdRFMUBow3d
=lY+I
-----END PGP SIGNATURE-----

Message #29 received at 614668@bugs.debian.org (full text, mbox, reply):

From: Jonathan Wiltshire <jmw@debian.org>

To: Michael Biebl <biebl@debian.org>, 614668@bugs.debian.org

Subject: Re: (PRSC) Bug#614668: CVE-2010-0433: Buffer overflow

Date: Tue, 5 Jul 2011 11:26:45 +0100

[Message part 1 (text/plain, inline)]

Dear maintainer,

Recently you fixed one or more security problems and as a result you closed
this bug. These problems were not serious enough for a Debian Security
Advisory, so they are now on my radar for fixing in the following suites
through point releases:

lenny (5.0.9)
squeeze (6.0.2)

Please prepare a minimal-changes upload targetting each of these suites,
and submit a debdiff to the Release Team [0] for consideration. They will
offer additional guidance or instruct you to upload your package.

I will happily assist you at any stage if the patch is straightforward and
you need help or lack time. Please keep me in CC at all times so I can
track the progress of this request.

For details of this process and the rationale, please see the original
announcement [1] and my blog post [2].

0: debian-release@lists.debian.org
1: <201101232332.11736.thijs@debian.org>
2: http://deb.li/prsc

Thanks,

with his security hat on:
-- 
Jonathan Wiltshire                                      jmw@debian.org
Debian Developer                         http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC  74C3 5394 479D D352 4C51

[signature.asc (application/pgp-signature, inline)]

Send a report that this bug log contains spam.