From 1872b5e3f249fc4141a64004fec7fba0ecb84096 Mon Sep 17 00:00:00 2001 From: pkgagent Date: Mon, 22 Jun 2026 17:02:38 +0800 Subject: [PATCH] Fix CVE-2026-46529: shell command injection via unquoted link-destination fields in ev_spawn --- atril-1.26.2-CVE-2026-46529.patch | 66 +++++++++++++++++++++++++++++++ atril.spec | 9 ++++- 2 files changed, 73 insertions(+), 2 deletions(-) create mode 100644 atril-1.26.2-CVE-2026-46529.patch diff --git a/atril-1.26.2-CVE-2026-46529.patch b/atril-1.26.2-CVE-2026-46529.patch new file mode 100644 index 0000000..3bdaabb --- /dev/null +++ b/atril-1.26.2-CVE-2026-46529.patch @@ -0,0 +1,66 @@ +From 6fcec412c36186564f2af8b94026c61b8fecb5e4 Mon Sep 17 00:00:00 2001 +From: Victor Kareh +Date: Thu, 14 May 2026 20:56:31 -0400 +Subject: [PATCH] ev-application: Quote user-supplied strings in ev_spawn + command line + +When spawning a new atril instance for cross-document links, the +destination and search parameters from the document were interpolated +directly into the command line without shell quoting. Values containing +spaces or special characters could be split into separate arguments by +the shell parser, potentially being interpreted as unintended flags by +the child process. + +Apply shell quoting to page label, named destination, and search string +values before appending them to the command line, consistent with how +other spawn sites in the codebase already handle this. + + +--- + shell/ev-application.c | 20 +++++++++++++------- + 1 file changed, 13 insertions(+), 7 deletions(-) + +diff --git a/shell/ev-application.c b/shell/ev-application.c +index 56279ac..d650cd5 100644 +--- a/shell/ev-application.c ++++ b/shell/ev-application.c +@@ -221,18 +221,22 @@ ev_spawn (const char *uri, + /* Page label or index */ + if (dest) { + switch (ev_link_dest_get_dest_type (dest)) { +- case EV_LINK_DEST_TYPE_PAGE_LABEL: +- g_string_append_printf (cmd, " --page-label=%s", +- ev_link_dest_get_page_label (dest)); ++ case EV_LINK_DEST_TYPE_PAGE_LABEL: { ++ gchar *quoted = g_shell_quote (ev_link_dest_get_page_label (dest)); ++ g_string_append_printf (cmd, " --page-label=%s", quoted); ++ g_free (quoted); + break; ++ } + case EV_LINK_DEST_TYPE_PAGE: + g_string_append_printf (cmd, " --page-index=%d", + ev_link_dest_get_page (dest) + 1); + break; +- case EV_LINK_DEST_TYPE_NAMED: +- g_string_append_printf (cmd, " --named-dest=%s", +- ev_link_dest_get_named_dest (dest)); ++ case EV_LINK_DEST_TYPE_NAMED: { ++ gchar *quoted = g_shell_quote (ev_link_dest_get_named_dest (dest)); ++ g_string_append_printf (cmd, " --named-dest=%s", quoted); ++ g_free (quoted); + break; ++ } + default: + break; + } +@@ -240,7 +244,9 @@ ev_spawn (const char *uri, + + /* Find string */ + if (search_string) { +- g_string_append_printf (cmd, " --find=%s", search_string); ++ gchar *quoted = g_shell_quote (search_string); ++ g_string_append_printf (cmd, " --find=%s", quoted); ++ g_free (quoted); + } + + /* Mode */ diff --git a/atril.spec b/atril.spec index eda6ac6..eeeaac0 100644 --- a/atril.spec +++ b/atril.spec @@ -12,9 +12,9 @@ Name: atril Version: %{branch}.2 %if 0%{?rel_build} -Release: 2%{?dist} +Release: 3%{?dist} %else -Release: 2%{?dist} +Release: 3%{?dist} %endif Summary: Document viewer License: GPLv2+ and LGPLv2+ and MIT @@ -25,6 +25,7 @@ URL: http://mate-desktop.org Patch1: atril_0002-fix-a-incompatible-pointer-type-warning-for-gcc14-1.26.patch Patch2: atril_0001-epub-Avoid-crash-when-index-list-has-extraneous-entr-1.26.patch +Patch3: atril-1.26.2-CVE-2026-46529.patch BuildRequires: cairo-gobject-devel BuildRequires: desktop-file-utils @@ -183,6 +184,10 @@ desktop-file-validate %{buildroot}%{_datadir}/applications/atril.desktop %changelog +* Mon Jun 22 2026 PkgAgent Robot - 1.26.2-3 +- [Type] security +- [DESC] Fix CVE-2026-46529: shell command injection via unquoted link-destination fields in ev_spawn + * Tue Jun 03 2025 bbrucezhang - 1.26.2-2 - Rebuilt for loongarch64 -- Gitee