atril: CVE-2017-1000083

Salvatore Bonaccorso carnil at debian.org
Thu Jul 20 19:50:46 UTC 2017


Hi Santiago

On Wed, Jul 19, 2017 at 03:05:29PM +0200, Santiago Ruano Rincón wrote:
> On 18/07/17 at 15:21, Santiago Ruano Rincón wrote:
> > Control: tags -1 + patch
> > 
> > On Sun, 16 Jul 2017 08:19:43 +0200 Salvatore Bonaccorso <carnil at debian.org> wrote:
> > ...
> > > the following vulnerability was published for atril.
> > > 
> > > CVE-2017-1000083[0]:
> > > Evince command injection vulnerability in CBT handler
> > ...
> > 
> > Please, find attached the patch backported from evince's fix.
> 
> Dear security team,
> 
> Now, please find attached debdiffs for both jessie and stretch. I have
> tested them using a poc.cbt. Result seems OK.

Thanks a lot for your work. Both look good to me. Can you please add
as well the bug closer for #868500 to the changelog?

With that changed feel free to upload to security-master. Keep in
mind that both are new to dak on security-master and need to be built
with -sa.

Regards,
Salvatore
