Several security flaws have been found in the evince software package. Evince is a simple document viewer that handles the PDF, PostScript, DjVu, TIFF and DVI formats. The flaws stem from a series of errors in the functions "pk_load_font()", "vf_load_font()", "token()" and "tfm_load_file()" in the DVI backend's font parsers: array-index errors in the PK and VF font parsers, a heap-based buffer overflow in the AFM font parser and an integer overflow in the TFM font parser (CVE-2010-2640 through CVE-2010-2643; see the references below). An attacker who persuades a user to open a specially crafted DVI file can exploit them to execute arbitrary code or to cause a denial of service. All users of the vulnerable package are advised to install the updated versions; on Fedora 14 the fixed package is evince-2.32.0-3.fc14, and "rpm -q evince" shows which release is installed.
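
The bug classes named above are the ones a font-file parser has to guard against: an index read from the file and used to address a fixed-size table, and a buffer size computed from file-supplied fields that can wrap before the buffer is allocated. The following is an added, constructed C illustration and not evince's DVI backend code; the record layout, the function names, the sample inputs and the 16 MiB table cap are assumptions made for the example.

```c
/* Constructed example: bounds and overflow checks for a font-table parser.
 * This is illustration code, not evince's DVI backend. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define NCHARS 256                            /* one slot per character code, as a PK/VF-style font table has */
#define MAX_FONT_BYTES (16u * 1024u * 1024u)  /* assumed cap on any table this parser will allocate */

struct glyph { uint32_t width; uint32_t offset; };
struct font  { struct glyph chars[NCHARS]; uint32_t nglyphs; };

enum parse_status { PARSE_OK = 0, PARSE_TRUNCATED, PARSE_BAD_INDEX, PARSE_BAD_RANGE };

static uint32_t rd32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

static void wr32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16);
    p[2] = (uint8_t)(v >> 8);  p[3] = (uint8_t)v;
}

/* Assumed record layout for this example:
 *   u32 count, then count x { u32 code; u32 width; u32 offset }
 * 'code' is used as an index into chars[]; 'offset'/'width' name a byte range in
 * the file. All of them come from the attacker-controlled file and are checked
 * before use. */
enum parse_status font_parse(const uint8_t *buf, size_t len, struct font *f)
{
    memset(f, 0, sizeof *f);
    if (len < 4)
        return PARSE_TRUNCATED;
    uint32_t count = rd32(buf);

    /* count * 12 could wrap a 32-bit multiply; dividing instead cannot overflow
       and also rejects a count the file is too short to hold. */
    if (count > (len - 4) / 12)
        return PARSE_TRUNCATED;

    const uint8_t *p = buf + 4;
    for (uint32_t i = 0; i < count; i++, p += 12) {
        uint32_t code = rd32(p), width = rd32(p + 4), offset = rd32(p + 8);

        /* array-index error class: an unchecked 'code' would write past chars[] */
        if (code >= NCHARS)
            return PARSE_BAD_INDEX;

        /* offset + width must lie inside the file; compare by subtraction so the sum cannot wrap */
        if (width > len || offset > len - width)
            return PARSE_BAD_RANGE;

        f->chars[code].width  = width;
        f->chars[code].offset = offset;
        f->nglyphs++;
    }
    return PARSE_OK;
}

/* Heap-allocation size for a table of n entries of esz bytes. A wrapped product
   (the integer-overflow class) would yield a buffer much smaller than what is later
   written into it; the division check rejects it and the cap rejects absurd sizes. */
int safe_table_bytes(uint32_t n, uint32_t esz, size_t *out)
{
    if (esz != 0 && n > SIZE_MAX / esz)
        return 0;
    size_t bytes = (size_t)n * esz;
    if (bytes > MAX_FONT_BYTES)
        return 0;
    *out = bytes;
    return 1;
}

int table_fits(uint32_t n, uint32_t esz)
{
    size_t bytes;
    return safe_table_bytes(n, esz, &bytes);
}

/* Constructed sample file with a single glyph record. */
enum parse_status parse_sample(uint32_t count, uint32_t code, uint32_t width, uint32_t offset)
{
    uint8_t buf[16];
    struct font f;
    wr32(buf, count); wr32(buf + 4, code); wr32(buf + 8, width); wr32(buf + 12, offset);
    return font_parse(buf, sizeof buf, &f);
}

int main(void)
{
    printf("valid record:       %d\n", parse_sample(1, 'A', 4, 12));           /* PARSE_OK */
    printf("code past table:    %d\n", parse_sample(1, 300, 4, 12));           /* PARSE_BAD_INDEX */
    printf("count wraps size:   %d\n", parse_sample(0xFFFFFFFFu, 'A', 4, 12)); /* PARSE_TRUNCATED */
    printf("range past file:    %d\n", parse_sample(1, 'A', 8, 12));           /* PARSE_BAD_RANGE */
    printf("table 1000x12 fits: %d\n", table_fits(1000, 12));                  /* 1 */
    printf("table wraps:        %d\n", table_fits(0xFFFFFFFFu, 0x10000u));     /* 0 */
    return 0;
}
```

The two checks that matter are done without ever computing the untrusted product or sum first: the record count is validated by dividing the available bytes by the record size, and the byte range by subtracting the width from the file length, so neither test can itself overflow on a 32-bit size.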

--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2011-0208
2011-01-07 19:28:55
--------------------------------------------------------------------------------

Name        : evince
Product     : Fedora 14
Version     : 2.32.0
Release     : 3.fc14
URL         : http://projects.gnome.org/evince/
Summary     : Document viewer
Description :
Evince is a simple multi-page document viewer. It can display and print
Portable Document Format (PDF), PostScript (PS) and Encapsulated PostScript
(EPS) files. When supported by the document format, evince allows searching
for text, copying text to the clipboard, hypertext navigation,
table-of-contents bookmarks and editing of forms.

 Support for other document formats such as DVI and DJVU can be added by
installing additional backends.

--------------------------------------------------------------------------------
ChangeLog:

* Thu Jan  6 2011 Marek Kasik - 2.32.0-3
- Fixes CVE-2010-2640, CVE-2010-2641, CVE-2010-2642 and CVE-2010-2643
- Resolves: #667573
* Mon Nov 22 2010 Marek Kasik - 2.32.0-2
- Fix crash in clear_job_selection()
- Remove unused patch
- Resolves: #647689
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #666314 - CVE-2010-2641 evince: Array index error in DVI file VF font parser
        https://bugzilla.redhat.com/show_bug.cgi?id=666314
  [ 2 ] Bug #666318 - CVE-2010-2642 evince: Heap based buffer overflow in DVI file AFM font parser
        https://bugzilla.redhat.com/show_bug.cgi?id=666318
  [ 3 ] Bug #666313 - CVE-2010-2640 evince: Array index error in DVI file PK font parser
        https://bugzilla.redhat.com/show_bug.cgi?id=666313
  [ 4 ] Bug #666321 - CVE-2010-2643 evince: Integer overflow in DVI file TFM font parser
        https://bugzilla.redhat.com/show_bug.cgi?id=666321
--------------------------------------------------------------------------------

This update can be installed with the "yum" update program.  Use 
su -c 'yum update evince' at the command line.
For more information, refer to "Managing Software with yum",
available at http://docs.fedoraproject.org/yum/.

All packages are signed with the Fedora Project GPG key.  More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
_______________________________________________
package-announce mailing list
https://admin.fedoraproject.org/mailman/listinfo/package-announce