
Bug#1060751: marked as done (atril: CVE-2023-51698)



Your message dated Sat, 03 Feb 2024 17:32:08 +0000
with message-id <E1rWJs8-000Hcb-OR@fasolo.debian.org>
and subject line Bug#1060751: fixed in atril 1.26.0-2+deb12u2
has caused the Debian Bug report #1060751,
regarding atril: CVE-2023-51698
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1060751: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1060751
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Source: atril
Version: 1.26.1-3
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>

Hi,

The following vulnerability was published for atril.

CVE-2023-51698[0]:
| Atril is a simple multi-page document viewer. Atril is vulnerable to
| a critical Command Injection Vulnerability. This vulnerability gives
| the attacker immediate access to the target system when the target
| user opens a crafted document or clicks on a crafted link/URL using
| a maliciously crafted CBT document which is a TAR archive. A patch
| is available at commit ce41df6.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-51698
    https://www.cve.org/CVERecord?id=CVE-2023-51698
[1] https://github.com/mate-desktop/atril/security/advisories/GHSA-34rr-j8v9-v4p2
[2] https://github.com/mate-desktop/atril/commit/ce41df6467521ff9fd4f16514ae7d6ebb62eb1ed

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: atril
Source-Version: 1.26.0-2+deb12u2
Done: Mike Gabriel <sunweaver@debian.org>

We believe that the bug you reported is fixed in the latest version of
atril, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1060751@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Mike Gabriel <sunweaver@debian.org> (supplier of updated atril package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Tue, 23 Jan 2024 10:08:40 +0100
Source: atril
Architecture: source
Version: 1.26.0-2+deb12u2
Distribution: bookworm
Urgency: medium
Maintainer: Debian+Ubuntu MATE Packaging Team <debian-mate@lists.debian.org>
Changed-By: Mike Gabriel <sunweaver@debian.org>
Closes: 1060751
Changes:
 atril (1.26.0-2+deb12u2) bookworm; urgency=medium
 .
   * debian/patches:
     + Add 0005-Use-a-blank-line-at-most.patch and
       0006-comics-Use-libarchive-to-unpack-documents.patch. Use libarchive
       instead of external command for extracting documents (CVE-2023-51698,
       closes: #1060751).


--- End Message ---
