Your message dated Tue, 16 Jun 2026 20:47:25 +0000
with message-id <[email protected]>
and subject line Bug#1139874: fixed in atril 1.26.0-2+deb12u4
has caused the Debian Bug report #1139874,
regarding atril: CVE-2026-4652 in Trixie
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1139874: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1139874
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: atril
Version: 1.26.2-4
Severity: important
Tags: security
X-Debbugs-Cc: Andreas Henriksson <[email protected]>, [email protected], Debian 
Security Team <[email protected]>

Per https://security-tracker.debian.org/tracker/CVE-2026-46529 the `atril` version
in Trixie (1.26.2-4) is vulnerable. This bug is easily exploitable and viewing
PDFs is a very common task that almost everyone performs at least
semi-regularly.

Andreas Henriksson (CCed) kindly provided all necessary changes at
https://salsa.debian.org/ah/atril/-/tree/debian/trixie so, as I understand, all
that is necessary is for someone from the security team to review and publish it.


-- System Information:
Debian Release: 13.5
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 
'stable'), (90, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 7.0.10+tbfive1-amd64 (SMP w/24 CPU threads; PREEMPT)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE, 
TAINT_UNSIGNED_MODULE
Locale: LANG=C, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE=en_IE:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages atril depends on:
ii  atril-common                           1.26.2-4
ii  dconf-gsettings-backend [gsettings-ba  0.40.0-5
    ckend]
ii  libatk1.0-0t64                         2.56.2-1+deb13u1
ii  libatrildocument3t64                   1.26.2-4
ii  libatrilview3t64                       1.26.2-4
ii  libc6                                  2.41-12+deb13u3
ii  libcaja-extension1                     1.26.4-1
ii  libgdk-pixbuf-2.0-0                    2.42.12+dfsg-4+deb13u1
ii  libglib2.0-0t64                        2.84.4-3~deb13u3
ii  libgtk-3-0t64                          3.24.49-3
ii  libice6                                2:1.1.1-1
ii  libsecret-1-0                          0.21.7-1
ii  libsm6                                 2:1.2.6-1
ii  libxml2                                2.12.7+dfsg+really2.9.14-2.1+deb13u2
ii  shared-mime-info                       2.4-5+b2

Versions of packages atril recommends:
ii  dbus-user-session [default-dbus-session-bus]  1.16.2-2
ii  dbus-x11 [dbus-session-bus]                   1.16.2-2
ii  gvfs                                          1.57.2-2+deb13u1

Versions of packages atril suggests:
ii  caja          1.26.4-1
ii  poppler-data  0.4.12-1

-- no debconf information

--- End Message ---
--- Begin Message ---
Source: atril
Source-Version: 1.26.0-2+deb12u4
Done: Andreas Henriksson <[email protected]>

We believe that the bug you reported is fixed in the latest version of
atril, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Andreas Henriksson <[email protected]> (supplier of updated atril package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 16 Jun 2026 08:29:50 +0200
Source: atril
Architecture: source
Version: 1.26.0-2+deb12u4
Distribution: bookworm-security
Urgency: medium
Maintainer: Debian+Ubuntu MATE Packaging Team <[email protected]>
Changed-By: Andreas Henriksson <[email protected]>
Closes: 1139874
Changes:
 atril (1.26.0-2+deb12u4) bookworm-security; urgency=medium
 .
   * Non-maintainer upload by the LTS Team.
   * CVE-2026-46529: command line argument injection (Closes: #1139874)


--- End Message ---