diff --git a/SOURCES/evince-40.5-CVE-2026-46529.patch b/SOURCES/evince-40.5-CVE-2026-46529.patch
new file mode 100644
index 0000000..629513b
--- /dev/null
+++ b/SOURCES/evince-40.5-CVE-2026-46529.patch
@@ -0,0 +1,68 @@
+From 970c219e861a5fcc3e7b9e05bedf18cf0de39245 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Germ=C3=A1n=20Poo-Caama=C3=B1o?=
+Date: Mon, 18 May 2026 16:25:13 -0400
+Subject: [PATCH] shell: quote strings in arguments used when calling ev_spawn
+
+When spawning a new instance, it is good practice to sanitize the
+arguments given to Evince, as those arguments may come from an
+untrusted source. We want to avoid those values could become
+unintended flags by the child process.
+
+Fixes #2153
+---
+ shell/ev-application.c | 20 ++++++++++++++------
+ 1 file changed, 14 insertions(+), 6 deletions(-)
+
+diff --git a/shell/ev-application.c b/shell/ev-application.c
+index 001d21438..e35a5ef5f 100644
+--- a/shell/ev-application.c
++++ b/shell/ev-application.c
+@@ -155,7 +155,7 @@ ev_spawn (const char *uri,
+ guint timestamp)
+ {
+ GString *cmd;
+- gchar *path, *cmdline;
++ gchar *path, *cmdline, *quoted;
+ GAppInfo *app;
+ GError *error = NULL;
+
+@@ -180,18 +180,24 @@ ev_spawn (const char *uri,
+ /* Page label */
+ if (dest) {
+ switch (ev_link_dest_get_dest_type (dest)) {
+- case EV_LINK_DEST_TYPE_PAGE_LABEL:
++ case EV_LINK_DEST_TYPE_PAGE_LABEL: {
++ quoted = g_shell_quote (ev_link_dest_get_page_label (dest));
+ g_string_append_printf (cmd, " --page-label=%s",
+- ev_link_dest_get_page_label (dest));
++ quoted);
++ g_free (quoted);
+ break;
++ }
+ case EV_LINK_DEST_TYPE_PAGE:
+ g_string_append_printf (cmd, " --page-index=%d",
+ ev_link_dest_get_page (dest) + 1);
+ break;
+- case EV_LINK_DEST_TYPE_NAMED:
++ case EV_LINK_DEST_TYPE_NAMED: {
++ quoted = g_shell_quote (ev_link_dest_get_named_dest (dest));
+ g_string_append_printf (cmd, " --named-dest=%s",
+- ev_link_dest_get_named_dest (dest));
++ quoted);
++ g_free (quoted);
+ break;
++ }
+ default:
+ break;
+ }
+@@ -199,7 +205,9 @@ ev_spawn (const char *uri,
+
+ /* Find string */
+ if (search_string) {
+- g_string_append_printf (cmd, " --find=%s", search_string);
++ quoted = g_shell_quote (search_string);
++ g_string_append_printf (cmd, " --find=%s", quoted);
++ g_free (quoted);
+ }
+
+ /* Mode */
diff --git a/SPECS/evince.spec b/SPECS/evince.spec
index 1c3623a..d60ad05 100644
--- a/SPECS/evince.spec
+++ b/SPECS/evince.spec
@@ -4,7 +4,7 @@
 Name: evince
 Version: 40.5
-Release: 4%{?dist}
+Release: 4%{?dist}.1
 Summary: Document viewer
 License: GPLv2+ and GPLv3+ and LGPLv2+ and MIT and Afmparse
@@ -21,6 +21,9 @@ Patch2: evince-40.4-quit-shortcut.patch
 Patch3: evince-40.5-launch-pdfs.patch
 Patch4: evince-40.5-launch-event.patch
+# https://redhat.atlassian.net/browse/RHEL-184047
+Patch5: evince-40.5-CVE-2026-46529.patch
+
 BuildRequires: gcc-c++
 BuildRequires: gcc
 BuildRequires: gettext-devel
@@ -273,6 +276,10 @@ desktop-file-validate $RPM_BUILD_ROOT%{_datadir}/applications/org.gnome.Evince-p
 %{_mandir}/man1/evince-previewer.1*
 %changelog
+* Tue Jun 16 2026 Marek Kasik - 40.5-4.el9_8.1
+- Sanitize arguments (CVE-2026-46529)
+- Resolves: RHEL-184047
+
 * Fri May 30 2025 Marek Kasik - 40.5-4
 - Fix a leak
 - Resolves: RHEL-84038
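Review bot: In the ev-application.c hunks of the added patch, the new `g_shell_quote()` calls for the page label and the named destination take the getter result unchecked, so a NULL value would raise a GLib critical and leave the option without a usable value; only `search_string` is NULL-tested in the visible lines. The quote/append/free sequence is now repeated three times, and a small static helper that skips NULL would make the handling uniform and remove the need for the braces added around the two `case` bodies and for the `quoted` local. Shell quoting also leaves `%` as it is: if `cmd` is later parsed with Exec-key rules (the `GAppInfo *app` local suggests `g_app_info_create_from_commandline()`, but that call is outside these hunks), a `%` in a document-supplied value would still be treated as a field code and should be doubled first. ev_spawn starts and ends outside the hunks shown.

```c
/* Append " <option><shell-quoted value>" to cmd; a NULL value adds nothing. */
static void
ev_spawn_append_quoted (GString    *cmd,
			const char *option,
			const char *value)
{
	gchar *quoted;

	if (value == NULL)
		return;

	quoted = g_shell_quote (value);
	g_string_append_printf (cmd, " %s%s", option, quoted);
	g_free (quoted);
}

/* … unchanged: ev_spawn signature, locals, start of the dest switch … */
		case EV_LINK_DEST_TYPE_PAGE_LABEL:
			ev_spawn_append_quoted (cmd, "--page-label=",
						ev_link_dest_get_page_label (dest));
			break;
/* … unchanged: EV_LINK_DEST_TYPE_PAGE case … */
		case EV_LINK_DEST_TYPE_NAMED:
			ev_spawn_append_quoted (cmd, "--named-dest=",
						ev_link_dest_get_named_dest (dest));
			break;
/* … unchanged: default case, end of the dest block … */
	/* Find string */
	ev_spawn_append_quoted (cmd, "--find=", search_string);
```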