Fix CVE-2026-46529: command injection via crafted document links

Backport upstream commit 970c219e from evince to fix
CVE-2026-46529. The patch quotes string arguments (page
labels, named destinations, and search strings) passed to
ev_spawn when spawning a new Evince instance, preventing
untrusted values from being interpreted as unintended flags.

CVE: CVE-2026-46529
Upstream patches:
 - 970c219e86.patch
Resolves: RHEL-184039

This commit was backported by Ymir, a Red Hat Enterprise Linux software maintenance AI agent.

Assisted-by: Ymir
RHEL Packaging Agent 2026-06-16 12:28:40 +00:00
parent 507df03fc6
commit 22fac4d714
2 changed files with 80 additions and 1 deletions


@ -0,0 +1,71 @@
From 2be95d23fcba59a45c594dcb8c48cf77eea91eb4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Germ=C3=A1n=20Poo-Caama=C3=B1o?= <gpoo@gnome.org>
Date: Mon, 18 May 2026 16:25:13 -0400
Subject: [PATCH] shell: quote strings in arguments used when calling ev_spawn
When spawning a new instance, it is good practice to sanitize the
arguments given to Evince, as those arguments may come from an
untrusted source. We want to avoid those values could become
unintended flags by the child process.
Fixes #2153
---
shell/ev-application.c | 20 ++++++++++++++------
1 file changed, 14 insertions(+), 6 deletions(-)
diff --git a/shell/ev-application.c b/shell/ev-application.c
index 4cc20b9a..697aea7f 100644
--- a/shell/ev-application.c
+++ b/shell/ev-application.c
@@ -154,7 +154,7 @@ ev_spawn (const char *uri,
guint timestamp)
{
GString *cmd;
- gchar *path, *cmdline;
+ gchar *path, *cmdline, *quoted;
GAppInfo *app;
GError *error = NULL;
@@ -179,18 +179,24 @@ ev_spawn (const char *uri,
/* Page label */
if (dest) {
switch (ev_link_dest_get_dest_type (dest)) {
- case EV_LINK_DEST_TYPE_PAGE_LABEL:
+ case EV_LINK_DEST_TYPE_PAGE_LABEL: {
+ quoted = g_shell_quote (ev_link_dest_get_page_label (dest));
g_string_append_printf (cmd, " --page-label=%s",
- ev_link_dest_get_page_label (dest));
+ quoted);
+ g_free (quoted);
break;
+ }
case EV_LINK_DEST_TYPE_PAGE:
g_string_append_printf (cmd, " --page-index=%d",
ev_link_dest_get_page (dest) + 1);
break;
- case EV_LINK_DEST_TYPE_NAMED:
+ case EV_LINK_DEST_TYPE_NAMED: {
+ quoted = g_shell_quote (ev_link_dest_get_named_dest (dest));
g_string_append_printf (cmd, " --named-dest=%s",
- ev_link_dest_get_named_dest (dest));
+ quoted);
+ g_free (quoted);
break;
+ }
default:
break;
}
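Review bot: In the EV_LINK_DEST_TYPE_PAGE_LABEL and EV_LINK_DEST_TYPE_NAMED cases the getter result is passed straight to g_shell_quote with no NULL check, and g_shell_quote treats a NULL input as a precondition failure, so a destination that carries no label or name would still yield a malformed --page-label= or --named-dest= option. Consider skipping the option when the getter returns NULL. Minor style point: the braces added around both case bodies are not needed, since quoted is declared at function scope in the first hunk.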
@@ -198,7 +204,9 @@ ev_spawn (const char *uri,
/* Find string */
if (search_string) {
- g_string_append_printf (cmd, " --find=%s", search_string);
+ quoted = g_shell_quote (search_string);
+ g_string_append_printf (cmd, " --find=%s", quoted);
+ g_free (quoted);
}
/* Mode */
--
2.52.0
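Review bot: The From line at the top of this added patch file carries 2be95d23fcba59a45c594dcb8c48cf77eea91eb4, while the commit message and the spec comment identify the upstream change as 970c219e, and nothing inside the file ties it to that upstream commit. Add a header line such as "Backport of upstream commit 970c219e861a5fcc3e7b9e05bedf18cf0de39245", together with a short note of any adjustments made for 3.28.4, so the provenance can be checked from the patch alone.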


@ -5,7 +5,7 @@
Name: evince
Version: 3.28.4
Release: 16%{?dist}
Release: 17%{?dist}
Summary: Document viewer
License: GPLv2+ and GPLv3+ and LGPLv2+ and MIT and Afmparse
@ -47,6 +47,10 @@ Patch15: evince-3.28.4-Show-password-dialog-again.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=2008310
Patch16: evince-3.28.4-handle-clicks-in-forms.patch
# https://issues.redhat.com/browse/RHEL-184039
# https://github.com/GNOME/evince/commit/970c219e861a5fcc3e7b9e05bedf18cf0de39245
Patch17: evince-3.28.4-CVE-2026-46529.patch
BuildRequires: pkgconfig(adwaita-icon-theme)
BuildRequires: pkgconfig(gio-unix-2.0) >= %{glib2_version}
BuildRequires: pkgconfig(gnome-desktop-3.0)
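Review bot: Patch17 is declared here, but none of the three spec hunks (at lines 5, 47 and 275) touches %prep, and the 9 spec additions are fully accounted for by the Release bump, this Patch17 block and the changelog entry. If the spec applies patches with explicit %patch lines rather than %autosetup or %autopatch, the CVE fix would be shipped in the SRPM but never applied to the build. Please confirm how %prep applies patches, and add the apply line if it is explicit.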
@ -275,6 +279,10 @@ desktop-file-validate $RPM_BUILD_ROOT%{_datadir}/applications/evince.desktop
%{_libdir}/mozilla/plugins/libevbrowserplugin.so
%changelog
* Tue Jun 16 2026 RHEL Packaging Agent <redhat-ymir-agent@redhat.com> - 3.28.4-17
- Fix CVE-2026-46529: quote string arguments passed to ev_spawn
- Resolves: RHEL-184039
* Mon Oct 4 2021 Marek Kasik <mkasik@redhat.com> - 3.28.4-16
- Allow text entries to handle clicks
- Resolves: #2008310