diff --git a/xreader-4.0.2-CVE-2026-46529.patch b/xreader-4.0.2-CVE-2026-46529.patch
new file mode 100644
index 0000000000000000000000000000000000000000..7deb85b75e2e39f69169fab416b6b12056f22072
--- /dev/null
+++ b/xreader-4.0.2-CVE-2026-46529.patch
@@ -0,0 +1,65 @@
+From 50052eaa91c3c750c51c245799e3747495feeece Mon Sep 17 00:00:00 2001
+From: Victor Kareh
+Date: Thu, 14 May 2026 21:56:38 -0400
+Subject: [PATCH] ev-application: Quote user-supplied strings in ev_spawn
+ command line
+
+When spawning a new xreader instance for cross-document links, the
+destination and search parameters from the document were interpolated
+directly into the command line without shell quoting. Values containing
+spaces or special characters could be split into separate arguments by
+the shell parser, potentially being interpreted as unintended flags by
+the child process.
+
+Apply shell quoting to page label, named destination, and search string
+values before appending them to the command line.
+
+
+---
+ shell/ev-application.c | 20 +++++++++++++-------
+ 1 file changed, 13 insertions(+), 7 deletions(-)
+
+diff --git a/shell/ev-application.c b/shell/ev-application.c
+index a430f9e..148cfaf 100644
+--- a/shell/ev-application.c
++++ b/shell/ev-application.c
+@@ -235,18 +235,22 @@ ev_spawn (const char *uri,
+ /* Page label or index */
+ if (dest) {
+ switch (ev_link_dest_get_dest_type (dest)) {
+- case EV_LINK_DEST_TYPE_PAGE_LABEL:
+- g_string_append_printf (cmd, " --page-label=%s",
+- ev_link_dest_get_page_label (dest));
++ case EV_LINK_DEST_TYPE_PAGE_LABEL: {
++ gchar *quoted = g_shell_quote (ev_link_dest_get_page_label (dest));
++ g_string_append_printf (cmd, " --page-label=%s", quoted);
++ g_free (quoted);
+ break;
++ }
+ case EV_LINK_DEST_TYPE_PAGE:
+ g_string_append_printf (cmd, " --page-index=%d",
+ ev_link_dest_get_page (dest) + 1);
+ break;
+- case EV_LINK_DEST_TYPE_NAMED:
+- g_string_append_printf (cmd, " --named-dest=%s",
+- ev_link_dest_get_named_dest (dest));
++ case EV_LINK_DEST_TYPE_NAMED: {
++ gchar *quoted = g_shell_quote (ev_link_dest_get_named_dest (dest));
++ g_string_append_printf (cmd, " --named-dest=%s", quoted);
++ g_free (quoted);
+ break;
++ }
+ default:
+ break;
+ }
+@@ -254,7 +258,9 @@ ev_spawn (const
char *uri,
+
+ /* Find string */
+ if (search_string) {
+- g_string_append_printf (cmd, " --find=%s", search_string);
++ gchar *quoted = g_shell_quote (search_string);
++ g_string_append_printf (cmd, " --find=%s", quoted);
++ g_free (quoted);
+ }
+
+ /* Mode */
diff --git a/xreader.spec b/xreader.spec
index a1ff5e65b89a0fea171930068713c1a19fe44913..11e1f8e4eaab9aa0bcb12238b37b277a2fbfa0af 100644
--- a/xreader.spec
+++ b/xreader.spec
@@ -2,13 +2,16 @@ Name: xreader
 Version: 4.0.2
-Release: 2%{?dist}
+Release: 3%{?dist}
 Summary: Simple document viewer
 License: GPLv2+
 URL: https://github.com/linuxmint/%{name}
 Source0: %{url}/archive/%{version}/%{name}-%{version}.tar.gz
+# CVE-2026-46529: Fix arbitrary command injection via unquoted link destinations
+Patch0001: xreader-4.0.2-CVE-2026-46529.patch
+
 ExcludeArch: %{ix86}
 BuildRequires: cmake
@@ -166,6 +169,10 @@ LDFLAGS+=' -lX11 -lICE -lSM'
 %doc %{_datadir}/doc/%{name}*
 %changelog
+* Mon Jun 22 2026 PkgAgent Robot - 4.0.2-3
+- [Type] security
+- [DESC] Fix CVE-2026-46529: arbitrary command injection via unquoted link destinations in ev_spawn
+
 * Fri Jun 13 2025 bbrucezhang - 4.0.2-2
 - Rebuilt for loongarch64
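Review bot: The new code repeats the same quote/append/free sequence three times, for the page label and named destination in the first inner hunk and for the find string in the second; a small static helper such as `append_quoted_option (cmd, "find", search_string)` would keep the quoting in one place so that a later option cannot be appended to `cmd` without it. g_shell_quote() only closes the gap if `cmd` is afterwards tokenised by GLib's shell parser (g_shell_parse_argv or g_spawn_command_line_async); that consumer, and whether the `uri` parameter is interpolated into `cmd` with the same quoting, are outside the hunk and worth confirming. Building an argv array and spawning it directly would remove the quote-then-reparse step altogether. ev_spawn begins before and continues after both inner hunks.
```c
/* Append " --<option>=<value>" to cmd with value shell-quoted, so that a
 * shell-style tokeniser of cmd later sees it as a single argument.
 * value is expected to be non-NULL. */
static void
append_quoted_option (GString *cmd, const char *option, const char *value)
{
	gchar *quoted = g_shell_quote (value);

	g_string_append_printf (cmd, " --%s=%s", option, quoted);
	g_free (quoted);
}

/* … unchanged: ev_spawn up to the dest switch … */
		case EV_LINK_DEST_TYPE_PAGE_LABEL:
			append_quoted_option (cmd, "page-label", ev_link_dest_get_page_label (dest));
			break;
/* … unchanged: EV_LINK_DEST_TYPE_PAGE case … */
		case EV_LINK_DEST_TYPE_NAMED:
			append_quoted_option (cmd, "named-dest", ev_link_dest_get_named_dest (dest));
			break;
/* … unchanged: default case, end of switch … */
	if (search_string)
		append_quoted_option (cmd, "find", search_string);
/* … unchanged: mode handling … */
```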
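Review bot: `Patch0001:` is declared in this hunk but the `%prep` step that applies it lies outside the hunk; rpmbuild does not necessarily fail on a patch that is declared and never applied, so if `%prep` uses plain `%setup` rather than `%autosetup -p1` (or an explicit `%patch0001 -p1`) the package would ship without the fix while the changelog claims it. The patch's paths are `a/shell/ev-application.c`, so strip level 1 is required. The comment above the Patch line describes the issue as "arbitrary command injection", while the upstream message carried in the patch describes arguments being split and read as unintended flags; aligning the spec comment with that wording would keep the two descriptions consistent.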