Version in base suite: 3.30.2-3
Base version: evince_3.30.2-3
Target version: evince_3.30.2-3+deb10u1
Base file: /srv/ftp-master.debian.org/ftp/pool/main/e/evince/evince_3.30.2-3.dsc
Target file: /srv/ftp-master.debian.org/policy/pool/main/e/evince/evince_3.30.2-3+deb10u1.dsc
changelog | 8 +
patches/series | 1
patches/tiff-Handle-failure-from-TIFFReadRGBAImageOriented.patch | 75 ++++++++++
3 files changed, 84 insertions(+)
diff -Nru evince-3.30.2/debian/changelog evince-3.30.2/debian/changelog
--- evince-3.30.2/debian/changelog 2019-01-29 00:48:11.000000000 +0000
+++ evince-3.30.2/debian/changelog 2020-02-12 20:46:12.000000000 +0000
@@ -1,3 +1,11 @@
+evince (3.30.2-3+deb10u1) buster-security; urgency=high
+
+ * Non-maintainer upload by the Security Team.
+ * tiff: Handle failure from TIFFReadRGBAImageOriented (CVE-2019-11459)
+ (Closes: #927820)
+
+ -- Salvatore Bonaccorso Wed, 12 Feb 2020 21:46:12 +0100
+
 evince (3.30.2-3) unstable; urgency=medium
 
 [ Jason Crain ]
diff -Nru evince-3.30.2/debian/patches/series evince-3.30.2/debian/patches/series
--- evince-3.30.2/debian/patches/series 2019-01-29 00:48:11.000000000 +0000
+++ evince-3.30.2/debian/patches/series 2020-02-12 20:45:41.000000000 +0000
@@ -1 +1,2 @@
 Fix-path-of-the-libnautilus-extension-with-multi-arch.patch
+tiff-Handle-failure-from-TIFFReadRGBAImageOriented.patch
diff -Nru evince-3.30.2/debian/patches/tiff-Handle-failure-from-TIFFReadRGBAImageOriented.patch evince-3.30.2/debian/patches/tiff-Handle-failure-from-TIFFReadRGBAImageOriented.patch
--- evince-3.30.2/debian/patches/tiff-Handle-failure-from-TIFFReadRGBAImageOriented.patch 1970-01-01 00:00:00.000000000 +0000
+++ evince-3.30.2/debian/patches/tiff-Handle-failure-from-TIFFReadRGBAImageOriented.patch 2020-02-12 20:45:35.000000000 +0000
@@ -0,0 +1,75 @@
+From: Jason Crain
+Date: Mon, 15 Apr 2019 23:06:36 -0600
+Subject: tiff: Handle failure from TIFFReadRGBAImageOriented
+Origin: https://gitlab.gnome.org/GNOME/evince/commit/3e38d5ad724a042eebadcba8c2d57b0f48b7a8c7
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2019-11459
+Bug-Debian: https://bugs.debian.org/927820
+Bug: https://gitlab.gnome.org/GNOME/evince/issues/1129
+
+The TIFFReadRGBAImageOriented function returns zero if it was unable to
+read the image. Return NULL in this case instead of displaying
+uninitialized memory.
+
+Fixes #1129
+---
+ backend/tiff/tiff-document.c | 28 ++++++++++++++++++----------
+ 1 file changed, 18 insertions(+), 10 deletions(-)
+
+diff --git a/backend/tiff/tiff-document.c b/backend/tiff/tiff-document.c
+index 7715031b9a31..38bb3bd8fe63 100644
+--- a/backend/tiff/tiff-document.c
++++ b/backend/tiff/tiff-document.c
+@@ -292,18 +292,22 @@ tiff_document_render (EvDocument *document,
+ g_warning("Failed to allocate memory for rendering.");
+ return NULL;
+ }
+-
++
++ if (!TIFFReadRGBAImageOriented (tiff_document->tiff,
++ width, height,
++ (uint32 *)pixels,
++ orientation, 0)) {
++ g_warning ("Failed to read TIFF image.");
++ g_free (pixels);
++ return NULL;
++ }
++
+ surface = cairo_image_surface_create_for_data (pixels,
+ CAIRO_FORMAT_RGB24,
+ width, height,
+ rowstride);
+ cairo_surface_set_user_data (surface, &key,
+ pixels, (cairo_destroy_func_t)g_free);
+-
+- TIFFReadRGBAImageOriented (tiff_document->tiff,
+- width, height,
+- (uint32 *)pixels,
+- orientation, 0);
+ pop_handlers ();
+
+ /* Convert the format returned by libtiff to
+@@ -384,13 +388,17 @@ tiff_document_get_thumbnail (EvDocument *document,
+ if (!pixels)
+ return NULL;
+
++ if (!TIFFReadRGBAImageOriented (tiff_document->tiff,
++ width, height,
++ (uint32 *)pixels,
++ ORIENTATION_TOPLEFT, 0)) {
++ g_free (pixels);
++ return NULL;
++ }
++
+ pixbuf = gdk_pixbuf_new_from_data (pixels, GDK_COLORSPACE_RGB, TRUE, 8,
+ width, height, rowstride,
+ (GdkPixbufDestroyNotify) g_free, NULL);
+- TIFFReadRGBAImageOriented (tiff_document->tiff,
+- width, height,
+- (uint32 *)pixels,
+- ORIENTATION_TOPLEFT, 0);
+ pop_handlers ();
+
+ ev_render_context_compute_scaled_size (rc, width, height * (x_res / y_res),
+--
+2.20.1
+
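Review bot: Both new failure branches return before the `pop_handlers ();` call that the success path makes a few lines later, in tiff_document_render and again in tiff_document_get_thumbnail. If the handlers pushed earlier in each function (outside these hunks) are still installed at that point, a failed read leaves them in place; adding `pop_handlers ();` before `g_free (pixels);` in each branch would restore them, though the allocation-failure return just above also skips it, so the pairing should be checked against the full function. The thumbnail branch also fails silently where the render branch logs `g_warning ("Failed to read TIFF image.");`, so a matching warning there would make rejected files visible in logs. As defence in depth for the uninitialised-memory issue this patch addresses, zero-filling `pixels` where it is allocated (above the hunks) would keep stale heap bytes out of the output even if libtiff reported success without writing every pixel.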