diff --git a/evince-3.28.4-CVE-2026-46529.patch b/evince-3.28.4-CVE-2026-46529.patch
new file mode 100644
index 0000000..c32783b
--- /dev/null
+++ b/evince-3.28.4-CVE-2026-46529.patch
@@ -0,0 +1,71 @@ +From 2be95d23fcba59a45c594dcb8c48cf77eea91eb4 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Germ=C3=A1n=20Poo-Caama=C3=B1o?= +Date: Mon, 18 May 2026 16:25:13 -0400 +Subject: [PATCH] shell: quote strings in arguments used when calling ev_spawn + +When spawning a new instance, it is good practice to sanitize the +arguments given to Evince, as those arguments may come from an +untrusted source. We want to avoid those values could become +unintended flags by the child process. + +Fixes #2153 +--- + shell/ev-application.c | 20 ++++++++++++++------ + 1 file changed, 14 insertions(+), 6 deletions(-) + +diff --git a/shell/ev-application.c b/shell/ev-application.c +index 4cc20b9a..697aea7f 100644 +--- a/shell/ev-application.c ++++ b/shell/ev-application.c +@@ -154,7 +154,7 @@ ev_spawn (const char *uri, + guint timestamp) + { + GString *cmd; +- gchar *path, *cmdline; ++ gchar *path, *cmdline, *quoted; + GAppInfo *app; + GError *error = NULL; + +@@ -179,18 +179,24 @@ ev_spawn (const char *uri, + /* Page label */ + if (dest) { + switch (ev_link_dest_get_dest_type (dest)) { +- case EV_LINK_DEST_TYPE_PAGE_LABEL: ++ case EV_LINK_DEST_TYPE_PAGE_LABEL: { ++ quoted = g_shell_quote (ev_link_dest_get_page_label (dest)); + g_string_append_printf (cmd, " --page-label=%s", +- ev_link_dest_get_page_label (dest)); ++ quoted); ++ g_free (quoted); + break; ++ } + case EV_LINK_DEST_TYPE_PAGE: + g_string_append_printf (cmd, " --page-index=%d", + ev_link_dest_get_page (dest) + 1); + break; +- case EV_LINK_DEST_TYPE_NAMED: ++ case EV_LINK_DEST_TYPE_NAMED: { ++ quoted = g_shell_quote (ev_link_dest_get_named_dest (dest)); + g_string_append_printf (cmd, " --named-dest=%s", +- ev_link_dest_get_named_dest (dest)); ++ quoted); ++ g_free (quoted); + break; ++ } + default: + break; + } +@@ -198,7 +204,9 @@ ev_spawn (const char *uri, + + /* Find string */ + if (search_string) { +- g_string_append_printf (cmd, " --find=%s", search_string); ++ quoted = g_shell_quote (search_string); ++ 
g_string_append_printf (cmd, " --find=%s", quoted); ++ g_free (quoted); + } + + /* Mode */ +-- +2.52.0 + diff --git a/evince.spec b/evince.spec index aa7294b..7e5f047 100644 --- a/evince.spec +++ b/evince.spec @@ -5,7 +5,7 @@ Name: evince Version: 3.28.4 -Release: 16%{?dist} +Release: 17%{?dist} Summary: Document viewer License: GPLv2+ and GPLv3+ and LGPLv2+ and MIT and Afmparse @@ -47,6 +47,10 @@ Patch15: evince-3.28.4-Show-password-dialog-again.patch # https://bugzilla.redhat.com/show_bug.cgi?id=2008310 Patch16: evince-3.28.4-handle-clicks-in-forms.patch +# https://issues.redhat.com/browse/RHEL-184039 +# https://github.com/GNOME/evince/commit/970c219e861a5fcc3e7b9e05bedf18cf0de39245 +Patch17: evince-3.28.4-CVE-2026-46529.patch + BuildRequires: pkgconfig(adwaita-icon-theme) BuildRequires: pkgconfig(gio-unix-2.0) >= %{glib2_version} BuildRequires: pkgconfig(gnome-desktop-3.0) @@ -275,6 +279,10 @@ desktop-file-validate $RPM_BUILD_ROOT%{_datadir}/applications/evince.desktop %{_libdir}/mozilla/plugins/libevbrowserplugin.so %changelog +* Tue Jun 16 2026 RHEL Packaging Agent - 3.28.4-17 +- Fix CVE-2026-46529: quote string arguments passed to ev_spawn +- Resolves: RHEL-184039 + * Mon Oct 4 2021 Marek Kasik - 3.28.4-16 - Allow text entries to handle clicks - Resolves: #2008310
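Review bot: The three `g_shell_quote ()` call sites in the embedded patch (the `--page-label`, `--named-dest` and `--find` branches of `ev_spawn`) protect only against shell word-splitting, and they pass the getter result straight through; `g_shell_quote ()` rejects a NULL argument and returns NULL, which then reaches the `%s` conversion, so a guard such as `if (label != NULL)` around the quote-and-append would be safer. If the finished `cmd` string is later handed to `g_app_info_create_from_commandline ()` (the `GAppInfo *app` local suggests this, but the call is outside the visible hunks), `%` field codes inside these document-supplied strings would likely still be interpreted after quoting. In that case the values should also have `%` doubled to `%%`, or the child should be launched from an argv array instead of a formatted command line. `ev_spawn` begins and ends outside the embedded hunks, so how `cmd` is consumed should be confirmed against the full function before treating the fix as complete.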