Bug 350681 (CVE-2010-2640) - <app-text/evince-2.32.0-r1: DVI arbitrary code execution (CVE-2010-{2640,2641,2642,2643})
Status: RESOLVED FIXED
Alias: CVE-2010-2640
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
Importance: High major
Assignee: Gentoo Security
URL: http://seclists.org/fulldisclosure/20...
Whiteboard: A2 [glsa]
Depends on: 353436
Reported: 2011-01-05 15:07 UTC by Paweł Hajdan, Jr. (RETIRED)
Modified: 2011-11-20 18:17 UTC (History)
Description Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2011-01-05 15:07:03 UTC
Jon Larimer discovered that Evince's font parsers incorrectly handled
certain buffer lengths when rendering a DVI file. By tricking a user into
opening or previewing a DVI file that uses a specially crafted font file,
an attacker could crash evince or execute arbitrary code with the user's
privileges.

http://seclists.org/fulldisclosure/2011/Jan/38

There are some ubuntu patches, see https://launchpad.net/ubuntu/+source/evince/+changelog and http://launchpadlibrarian.net/61664677/evince_2.32.0-0ubuntu3_2.32.0-0ubuntu4.diff.gz
Comment 1 Tim Sammut (RETIRED) gentoo-dev 2011-01-07 06:32:36 UTC
Upstream commit appears to be at the URL below, but I do not see a new release yet.

http://git.gnome.org/browse/evince/commit/?id=d4139205b010ed06310d14284e63114e88ec6de2
Comment 2 Pacho Ramos gentoo-dev 2011-01-17 14:00:45 UTC
The patch also breaks dvi handling for me completely :-S
https://bugzilla.gnome.org/show_bug.cgi?id=639746
Comment 3 Pacho Ramos gentoo-dev 2011-01-18 09:04:37 UTC
+*evince-2.32.0-r1 (18 Jan 2011)
+
+  18 Jan 2011; Pacho Ramos <pacho@gentoo.org> -evince-2.26.2.ebuild,
+  -files/evince-2.27.4-smclient-configure.patch, -evince-2.28.2.ebuild,
+  +evince-2.32.0-r1.ebuild, +files/evince-2.32.0-dvi-CVEs.patch,
+  +files/evince-2.32.0-libdocument-segfault.patch,
+  +files/evince-2.32.0-pk-fonts.patch:
+  Revision bump including upstream patches for fixing security bugs in dvi
+  backend, libdocument segfaults and problem with pk fonts after applying
+  security patch. Remove old.

But stabilization will probably need to wait since it requires newer glib and 2.32 stuff
Comment 4 Tim Sammut (RETIRED) gentoo-dev 2011-01-19 04:24:36 UTC
(In reply to comment #3)
> 
> But stabilization will probably need to wait since it requires newer glib and
> 2.32 stuff
> 

Thank you. I am guessing bug 339225 is the correct one to track. If not, please feel free to set me right. ;)
Comment 5 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2011-01-24 15:15:48 UTC
An A2-rated vulnerability should be handled within 5 days according to http://www.gentoo.org/security/en/vulnerability-policy.xml, that would mean Jan 10, two weeks ago. :-/

Should we issue a temporary GLSA? Should we mask the package, or backport the security fix, or take some other action?
Comment 6 Pacho Ramos gentoo-dev 2011-04-13 09:43:01 UTC
It was stabilized long ago ;)
Comment 7 Tim Sammut (RETIRED) gentoo-dev 2011-04-13 16:34:45 UTC
(In reply to comment #6)
> It was stabilized long ago ;)

Thanks, Pacho. GLSA request filed.
Comment 8 GLSAMaker/CVETool Bot gentoo-dev 2011-10-08 00:45:08 UTC
CVE-2010-2643 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2643):
  Integer overflow in the TFM font parser in the dvi-backend component in
  Evince 2.32 and earlier allows remote attackers to execute arbitrary code
  via a crafted font in conjunction with a DVI file that is processed by the
  thumbnailer.

CVE-2010-2642 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2642):
  Heap-based buffer overflow in the AFM font parser in the dvi-backend
  component in Evince 2.32 and earlier, teTeX 3.0, t1lib 5.1.2, and possibly
  other products allows remote attackers to cause a denial of service
  (application crash) or possibly execute arbitrary code via a crafted font in
  conjunction with a DVI file that is processed by the thumbnailer.

CVE-2010-2641 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2641):
  Array index error in the VF font parser in the dvi-backend component in
  Evince 2.32 and earlier allows remote attackers to cause a denial of service
  (application crash) or possibly execute arbitrary code via a crafted font in
  conjunction with a DVI file that is processed by the thumbnailer.

CVE-2010-2640 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2640):
  Array index error in the PK font parser in the dvi-backend component in
  Evince 2.32 and earlier allows remote attackers to cause a denial of service
  (application crash) or possibly execute arbitrary code via a crafted font in
  conjunction with a DVI file that is processed by the thumbnailer.
Comment 9 GLSAMaker/CVETool Bot gentoo-dev 2011-11-20 18:17:08 UTC
This issue was resolved and addressed in
 GLSA 201111-10 at http://security.gentoo.org/glsa/glsa-201111-10.xml
by GLSA coordinator Alex Legler (a3li).