Debian: Security Advisory for evince (DSA-4624-1)

The remote host is missing an update for the 'evince' package(s) announced via the DSA-4624-1 advisory.

Several vulnerabilities were discovered in evince, a simple multi-page document viewer. CVE-2017-1000159 Tobias Mueller reported that the DVI exporter in evince is susceptible to a command injection vulnerability via specially crafted filenames. CVE-2019-11459 Andy Nguyen reported that the tiff_document_render() and tiff_document_get_thumbnail() functions in the TIFF document backend did not handle errors from TIFFReadRGBAImageOriented(), leading to disclosure of uninitialized memory when processing TIFF image files. CVE-2019-1010006 A buffer overflow vulnerability in the tiff backend could lead to denial of service, or potentially the execution of arbitrary code if a specially crafted PDF file is opened.

'evince' package(s) on Debian Linux.

Checks if a vulnerable package version is present on the target host.

For the oldstable distribution (stretch), these problems have been fixed in version 3.22.1-3+deb9u2. For the stable distribution (buster), these problems have been fixed in version 3.30.2-3+deb10u1. The stable distribution is only affected by CVE-2019-11459 . We recommend that you upgrade your evince packages.