Several vulnerabilities were discovered in evince, a simple multi-page document viewer.
Tobias Mueller reported that the DVI exporter in evince is susceptible to a command injection vulnerability via specially crafted filenames.
Andy Nguyen reported that the tiff_document_render() and tiff_document_get_thumbnail() functions in the TIFF document backend did not handle errors from TIFFReadRGBAImageOriented(), leading to disclosure of uninitialized memory when processing TIFF image files.
A buffer overflow vulnerability in the TIFF backend could lead to denial of service, or potentially the execution of arbitrary code if a specially crafted PDF file is opened.
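The unchecked-return pattern behind the TIFF memory disclosure described above, shown next to a checked form, as an added example that is not evince's own code. `decode_rgba()`, `alloc_raster()` and both `render_*` functions are hypothetical stand-ins (the decoder mimics the 1-on-success, 0-on-failure return convention of TIFFReadRGBAImageOriented()), and the 0xAA fill is a constructed substitute for stale heap data.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for TIFFReadRGBAImageOriented(): returns 1 on success,
 * 0 on failure, and leaves the raster untouched when it fails. */
static int decode_rgba(int corrupt, uint32_t w, uint32_t h, uint32_t *raster)
{
    if (corrupt)
        return 0;
    for (size_t i = 0; i < (size_t)w * h; i++)
        raster[i] = 0xFF336699u;   /* constructed pixel value */
    return 1;
}

/* The 0xAA fill simulates stale heap contents so the result is deterministic;
 * memory returned by a real malloc() holds arbitrary earlier data. */
static uint32_t *alloc_raster(uint32_t w, uint32_t h)
{
    if (w == 0 || h == 0 || w > SIZE_MAX / sizeof(uint32_t) / h)
        return NULL;               /* empty or overflowing dimensions */
    size_t bytes = (size_t)w * h * sizeof(uint32_t);
    uint32_t *raster = malloc(bytes);
    if (raster)
        memset(raster, 0xAA, bytes);
    return raster;
}

/* Flawed: the decoder result is ignored, so a failed decode still returns
 * a buffer that was never written. */
uint32_t *render_unchecked(int corrupt, uint32_t w, uint32_t h)
{
    uint32_t *raster = alloc_raster(w, h);
    if (raster)
        decode_rgba(corrupt, w, h, raster);
    return raster;
}

/* Hardened: a failed decode frees the buffer and reports the error. */
uint32_t *render_checked(int corrupt, uint32_t w, uint32_t h)
{
    uint32_t *raster = alloc_raster(w, h);
    if (raster && !decode_rgba(corrupt, w, h, raster)) {
        free(raster);
        return NULL;
    }
    return raster;
}
```

With a failing decode, `render_unchecked()` returns the 0xAA-filled buffer as if it were pixels, while `render_checked()` returns NULL so the caller can show an error instead.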
For the oldstable distribution (stretch), these problems have been fixed in version 3.22.1-3+deb9u2.
For the stable distribution (buster), these problems have been fixed in version 3.30.2-3+deb10u1. The stable distribution is only affected by CVE-2019-11459.
We recommend that you upgrade your evince packages.
For the detailed security status of evince please refer to its security tracker page at: https://security-tracker.debian.org/tracker/evince