• Bug#1061522: atril: CVE-2023-52076

    From Salvatore Bonaccorso@21:1/5 to All on Thu Jan 25 22:20:01 2024
    Source: atril
    Version: 1.26.1-4
    Severity: grave
    Tags: security upstream
    Justification: user security hole
    X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>

    Hi,

    The following vulnerability was published for atril.

    CVE-2023-52076[0]:
    | Atril Document Viewer is the default document reader of the MATE
    | desktop environment for Linux. A path traversal and arbitrary file
    | write vulnerability exists in versions of Atril prior to 1.26.2.
    | This vulnerability is capable of writing arbitrary files anywhere on
    | the filesystem to which the user opening a crafted document has
    | access. The only limitation is that this vulnerability cannot be
    | exploited to overwrite existing files, but that doesn't stop an
    | attacker from achieving Remote Command Execution on the target
    | system. Version 1.26.2 of Atril contains a patch for this
    | vulnerability.


    If you fix the vulnerability please also make sure to include the
    CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

    For further information see:

    [0] https://security-tracker.debian.org/tracker/CVE-2023-52076
    https://www.cve.org/CVERecord?id=CVE-2023-52076
    [1] https://github.com/mate-desktop/atril/security/advisories/GHSA-6mf6-mxpc-jc37
    [2] https://github.com/mate-desktop/atril/commit/e70b21c815418a1e6ebedf6d8d31b8477c03ba50

    Please adjust the affected versions in the BTS as needed.

    Regards,
    Salvatore

  • From Debian Bug Tracking System@21:1/5 to All on Tue Jan 30 14:40:01 2024

    Your message dated Tue, 30 Jan 2024 13:34:28 +0000
    with message-id <E1rUoFw-00AzP3-Ay@fasolo.debian.org>
    and subject line Bug#1061522: fixed in atril 1.26.2-1
    has caused the Debian Bug report #1061522,
    regarding atril: CVE-2023-52076
    to be marked as done.

    This means that you claim that the problem has been dealt with.
    If this is not the case it is now your responsibility to reopen the
    Bug report if necessary, and/or fix the problem forthwith.

    (NB: If you are a system administrator and have no idea what this
    message is talking about, this may indicate a serious mail system
    misconfiguration somewhere. Please contact owner@bugs.debian.org
    immediately.)


    --
    1061522: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1061522
    Debian Bug Tracking System
    Contact owner@bugs.debian.org with problems
