Your message dated Fri, 19 Jun 2026 17:17:05 +0000
with message-id <[email protected]>
and subject line Bug#1139874: fixed in atril 1.26.2-4+deb13u1
has caused the Debian Bug report #1139874,
regarding atril: CVE-2026-4652 in Trixie
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1139874: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1139874
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: atril
Version: 1.26.2-4
Severity: important
Tags: security
X-Debbugs-Cc: Andreas Henriksson <[email protected]>, [email protected], Debian
Security Team <[email protected]>
Per https://security-tracker.debian.org/tracker/CVE-2026-46529, the `atril`
version in Trixie (1.26.2-4) is vulnerable. This bug is easily exploitable, and
viewing PDFs is a very common task that almost everyone performs at least
semi-regularly.
Andreas Henriksson (CCed) kindly provided all necessary changes at
https://salsa.debian.org/ah/atril/-/tree/debian/trixie, so as I understand it,
all that is necessary is for someone from the security team to review and
publish it.
-- System Information:
Debian Release: 13.5
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable'), (90, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 7.0.10+tbfive1-amd64 (SMP w/24 CPU threads; PREEMPT)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=C, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE=en_IE:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages atril depends on:
ii atril-common 1.26.2-4
ii dconf-gsettings-backend [gsettings-backend] 0.40.0-5
ii libatk1.0-0t64 2.56.2-1+deb13u1
ii libatrildocument3t64 1.26.2-4
ii libatrilview3t64 1.26.2-4
ii libc6 2.41-12+deb13u3
ii libcaja-extension1 1.26.4-1
ii libgdk-pixbuf-2.0-0 2.42.12+dfsg-4+deb13u1
ii libglib2.0-0t64 2.84.4-3~deb13u3
ii libgtk-3-0t64 3.24.49-3
ii libice6 2:1.1.1-1
ii libsecret-1-0 0.21.7-1
ii libsm6 2:1.2.6-1
ii libxml2 2.12.7+dfsg+really2.9.14-2.1+deb13u2
ii shared-mime-info 2.4-5+b2
Versions of packages atril recommends:
ii dbus-user-session [default-dbus-session-bus] 1.16.2-2
ii dbus-x11 [dbus-session-bus] 1.16.2-2
ii gvfs 1.57.2-2+deb13u1
Versions of packages atril suggests:
ii caja 1.26.4-1
ii poppler-data 0.4.12-1
-- no debconf information
--- End Message ---
--- Begin Message ---
Source: atril
Source-Version: 1.26.2-4+deb13u1
Done: Andreas Henriksson <[email protected]>
We believe that the bug you reported is fixed in the latest version of
atril, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Andreas Henriksson <[email protected]> (supplier of updated atril package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Tue, 16 Jun 2026 09:16:44 +0200
Source: atril
Architecture: source
Version: 1.26.2-4+deb13u1
Distribution: trixie-security
Urgency: medium
Maintainer: Debian+Ubuntu MATE Packaging Team <[email protected]>
Changed-By: Andreas Henriksson <[email protected]>
Closes: 1139874
Changes:
atril (1.26.2-4+deb13u1) trixie-security; urgency=medium
.
* Non-maintainer upload by the LTS Team.
* CVE-2026-46529: command line argument injection (Closes: #1139874)
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---