CVE-2019-19010 - Eval injection in the Math plugin

Since this is a security issue, maybe the security team would be interested in it? Assigning the security team for feedback. Even though this is an universe package, getting it into -security might still be a thing worth considering.

However note that I already uploaded the fix to bionic-proposed.

And as a data note, the Debian Security team considers this bug minor and not worthy of going through Debian's -security archive.

Hello Mattia, or anyone else affected,

Accepted limnoria into bionic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/limnoria/2018.01.25-1ubuntu18.04.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-bionic to verification-done-bionic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-bionic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

I got around to id and verified that the version currently in proposed (2018.01.25-1ubuntu18.04.1) works as expected, and the Math plugin indeed keeps behaving as I expect it to.

The verification of the Stable Release Update for limnoria has completed successfully and the package is now being released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

This bug was fixed in the package limnoria - 2018.01.25-1ubuntu18.04.1

---------------
limnoria (2018.01.25-1ubuntu18.04.1) bionic; urgency=medium

  * Add patch from upstream to fix remote information disclosure and
    possibly remote code execution in the Math plugin.
    LP: #1852859; CVE-2019-19010

 -- Mattia Rizzolo <email address hidden> Tue, 12 Nov 2019 17:02:42 +0100