Hello Debian Security Team, On behalf of the Debian (E)LTS Team I'm offering to help with handling the atril security update, which according to dsa-needed.txt is not yet claimed by anyone.
I've prepared updated branches debian/trixie and debian/bookworm/updates in my personal fork of the mate-team packaging repository at: https://salsa.debian.org/ah/atril I'm also attaching debdiffs if you find that more convenient. Please tell me if you'd like me to proceed to upload. Regards, Andreas Henriksson
diff -Nru atril-1.26.0/debian/changelog atril-1.26.0/debian/changelog
--- atril-1.26.0/debian/changelog 2024-05-07 17:33:36.000000000 +0200
+++ atril-1.26.0/debian/changelog 2026-05-27 09:51:19.000000000 +0200
@@ -1,3 +1,10 @@
+atril (1.26.0-2+deb12u4) bookworm-security; urgency=medium
+
+ * Non-maintainer upload by the LTS Team.
+ * CVE-2026-46529: command line argument injection
+
+ -- Andreas Henriksson <[email protected]> Wed, 27 May 2026 09:51:19 +0200
+
 atril (1.26.0-2+deb12u3) bookworm-security; urgency=medium
 * CVE-2023-52076 (Closes: #1061522)
diff -Nru atril-1.26.0/debian/patches/CVE-2026-46529.patch atril-1.26.0/debian/patches/CVE-2026-46529.patch
--- atril-1.26.0/debian/patches/CVE-2026-46529.patch 1970-01-01 01:00:00.000000000 +0100
+++ atril-1.26.0/debian/patches/CVE-2026-46529.patch 2026-05-27 09:50:33.000000000 +0200
@@ -0,0 +1,67 @@
+From b989b7922a454ed81f8bb14786a958828513f576 Mon Sep 17 00:00:00 2001
+From: Victor Kareh <[email protected]>
+Date: Thu, 14 May 2026 20:56:31 -0400
+Subject: [PATCH] ev-application: Quote user-supplied strings in ev_spawn
+ command line
+
+When spawning a new atril instance for cross-document links, the
+destination and search parameters from the document were interpolated
+directly into the command line without shell quoting. Values containing
+spaces or special characters could be split into separate arguments by
+the shell parser, potentially being interpreted as unintended flags by
+the child process.
+
+Apply shell quoting to page label, named destination, and search string
+values before appending them to the command line, consistent with how
+other spawn sites in the codebase already handle this.
+---
+ shell/ev-application.c | 20 +++++++++++++-------
+ 1 file changed, 13 insertions(+), 7 deletions(-)
+
+Originally downloaded from:
+https://github.com/mate-desktop/atril/commit/b989b7922a454ed81f8bb14786a958828513f576.patch
+
+diff --git a/shell/ev-application.c b/shell/ev-application.c
+index 57f1b9225..37d35eaa7 100644
+--- a/shell/ev-application.c
++++ b/shell/ev-application.c
+@@ -221,18 +221,22 @@ ev_spawn (const char *uri,
+ /* Page label or index */
+ if (dest) {
+ switch (ev_link_dest_get_dest_type (dest)) {
+- case EV_LINK_DEST_TYPE_PAGE_LABEL:
+- g_string_append_printf (cmd, " --page-label=%s",
+- ev_link_dest_get_page_label (dest));
++ case EV_LINK_DEST_TYPE_PAGE_LABEL: {
++ gchar *quoted = g_shell_quote (ev_link_dest_get_page_label (dest));
++ g_string_append_printf (cmd, " --page-label=%s", quoted);
++ g_free (quoted);
+ break;
++ }
+ case EV_LINK_DEST_TYPE_PAGE:
+ g_string_append_printf (cmd, " --page-index=%d",
+ ev_link_dest_get_page (dest) + 1);
+ break;
+- case EV_LINK_DEST_TYPE_NAMED:
+- g_string_append_printf (cmd, " --named-dest=%s",
+- ev_link_dest_get_named_dest (dest));
++ case EV_LINK_DEST_TYPE_NAMED: {
++ gchar *quoted = g_shell_quote (ev_link_dest_get_named_dest (dest));
++ g_string_append_printf (cmd, " --named-dest=%s", quoted);
++ g_free (quoted);
+ break;
++ }
+ default:
+ break;
+ }
+@@ -240,7 +244,9 @@ ev_spawn (const char *uri,
+
+ /* Find string */
+ if (search_string) {
+- g_string_append_printf (cmd, " --find=%s", search_string);
++ gchar *quoted = g_shell_quote (search_string);
++ g_string_append_printf (cmd, " --find=%s", quoted);
++ g_free (quoted);
+ }
+
+ /* Mode */
diff -Nru atril-1.26.0/debian/patches/series atril-1.26.0/debian/patches/series
--- atril-1.26.0/debian/patches/series 2024-05-07 17:32:27.000000000 +0200
+++ atril-1.26.0/debian/patches/series 2026-05-27 09:50:49.000000000 +0200
@@ -6,3 +6,4 @@
 0005-Use-a-blank-line-at-most.patch
 0006-comics-Use-libarchive-to-unpack-documents.patch
 CVE-2023-52076.patch
+CVE-2026-46529.patch
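Review bot: The three new g_shell_quote() calls in the inner ev-application.c hunks (PAGE_LABEL, NAMED and the find string) fix the injection but leave no record of the invariant they enforce, so the next document-derived `%s` appended to `cmd` elsewhere in ev_spawn is likely to come back unquoted; add above the `switch` a comment such as `/* cmd is later parsed with shell word splitting: every document-controlled value appended here must go through g_shell_quote() */`. g_shell_quote() has a non-NULL precondition and returns NULL after a g_critical, after which the NULL reaches `%s`; unless EvLinkDest guarantees a non-NULL page label and named destination for these types (its construction is outside this patch), guard each case with `if (value != NULL)` before quoting. ev_spawn starts and ends outside the hunk, so the consumer of `cmd` is not visible here; the quoting is only correct if that consumer parses with g_shell_parse_argv() rules (for example g_app_info_create_from_commandline()), which is worth confirming and noting in the same comment.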
diff -Nru atril-1.26.2/debian/changelog atril-1.26.2/debian/changelog
--- atril-1.26.2/debian/changelog 2025-01-06 15:32:43.000000000 +0100
+++ atril-1.26.2/debian/changelog 2026-05-27 09:36:59.000000000 +0200
@@ -1,3 +1,10 @@
+atril (1.26.2-4+deb13u1) trixie-security; urgency=medium
+
+ * Non-maintainer upload by the LTS Team.
+ * CVE-2026-46529: command line argument injection
+
+ -- Andreas Henriksson <[email protected]> Wed, 27 May 2026 09:36:59 +0200
+
 atril (1.26.2-4) unstable; urgency=medium
 * debian/patches:
diff -Nru atril-1.26.2/debian/patches/CVE-2026-46529.patch atril-1.26.2/debian/patches/CVE-2026-46529.patch
--- atril-1.26.2/debian/patches/CVE-2026-46529.patch 1970-01-01 01:00:00.000000000 +0100
+++ atril-1.26.2/debian/patches/CVE-2026-46529.patch 2026-05-27 09:35:49.000000000 +0200
@@ -0,0 +1,67 @@
+From b989b7922a454ed81f8bb14786a958828513f576 Mon Sep 17 00:00:00 2001
+From: Victor Kareh <[email protected]>
+Date: Thu, 14 May 2026 20:56:31 -0400
+Subject: [PATCH] ev-application: Quote user-supplied strings in ev_spawn
+ command line
+
+When spawning a new atril instance for cross-document links, the
+destination and search parameters from the document were interpolated
+directly into the command line without shell quoting. Values containing
+spaces or special characters could be split into separate arguments by
+the shell parser, potentially being interpreted as unintended flags by
+the child process.
+
+Apply shell quoting to page label, named destination, and search string
+values before appending them to the command line, consistent with how
+other spawn sites in the codebase already handle this.
+---
+ shell/ev-application.c | 20 +++++++++++++-------
+ 1 file changed, 13 insertions(+), 7 deletions(-)
+
+Originally downloaded from:
+https://github.com/mate-desktop/atril/commit/b989b7922a454ed81f8bb14786a958828513f576.patch
+
+diff --git a/shell/ev-application.c b/shell/ev-application.c
+index 57f1b9225..37d35eaa7 100644
+--- a/shell/ev-application.c
++++ b/shell/ev-application.c
+@@ -221,18 +221,22 @@ ev_spawn (const char *uri,
+ /* Page label or index */
+ if (dest) {
+ switch (ev_link_dest_get_dest_type (dest)) {
+- case EV_LINK_DEST_TYPE_PAGE_LABEL:
+- g_string_append_printf (cmd, " --page-label=%s",
+- ev_link_dest_get_page_label (dest));
++ case EV_LINK_DEST_TYPE_PAGE_LABEL: {
++ gchar *quoted = g_shell_quote (ev_link_dest_get_page_label (dest));
++ g_string_append_printf (cmd, " --page-label=%s", quoted);
++ g_free (quoted);
+ break;
++ }
+ case EV_LINK_DEST_TYPE_PAGE:
+ g_string_append_printf (cmd, " --page-index=%d",
+ ev_link_dest_get_page (dest) + 1);
+ break;
+- case EV_LINK_DEST_TYPE_NAMED:
+- g_string_append_printf (cmd, " --named-dest=%s",
+- ev_link_dest_get_named_dest (dest));
++ case EV_LINK_DEST_TYPE_NAMED: {
++ gchar *quoted = g_shell_quote (ev_link_dest_get_named_dest (dest));
++ g_string_append_printf (cmd, " --named-dest=%s", quoted);
++ g_free (quoted);
+ break;
++ }
+ default:
+ break;
+ }
+@@ -240,7 +244,9 @@ ev_spawn (const char *uri,
+
+ /* Find string */
+ if (search_string) {
+- g_string_append_printf (cmd, " --find=%s", search_string);
++ gchar *quoted = g_shell_quote (search_string);
++ g_string_append_printf (cmd, " --find=%s", quoted);
++ g_free (quoted);
+ }
+
+ /* Mode */
diff -Nru atril-1.26.2/debian/patches/series atril-1.26.2/debian/patches/series
--- atril-1.26.2/debian/patches/series 2024-12-27 09:15:56.000000000 +0100
+++ atril-1.26.2/debian/patches/series 2026-05-27 09:35:13.000000000 +0200
@@ -1,3 +1,4 @@
 1002-avoid-crash-on-certain-epub-files.patch
 0001_fix-incompat-pointer-type.patch
 0002_simplify-array-iteration.patch
+CVE-2026-46529.patch
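Review bot: The g_shell_quote() calls added in the PAGE_LABEL, NAMED and find-string cases carry no comment explaining that `cmd` is later parsed with shell word splitting, so a future `%s` appended to `cmd` elsewhere in ev_spawn would silently reintroduce CVE-2026-46529; add `/* cmd is re-parsed with shell word splitting: quote every document-controlled value with g_shell_quote() */` above the `switch`. The page-label and named-destination getters feed g_shell_quote() unguarded; if EvLinkDest can hold a NULL string for those types (not visible in this patch), g_shell_quote() returns NULL after a g_critical and the NULL then reaches `%s`, so a `if (value != NULL)` guard in each case is cheap insurance. ev_spawn starts and ends outside the hunk, so the launcher that consumes `cmd` cannot be checked here; g_shell_quote() output is only correct for a g_shell_parse_argv()-style consumer.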

