SOURCES/evince-3.28.4-CVE-2026-46529.patch

@@ -1,71 +0,0 @@
-From 2be95d23fcba59a45c594dcb8c48cf77eea91eb4 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Germ=C3=A1n=20Poo-Caama=C3=B1o?= <gpoo@gnome.org>
-Date: Mon, 18 May 2026 16:25:13 -0400
-Subject: [PATCH] shell: quote strings in arguments used when calling ev_spawn
-
-When spawning a new instance, it is good practice to sanitize the
-arguments given to Evince, as those arguments may come from an
-untrusted source. We want to avoid those values could become
-unintended flags by the child process.
-
-Fixes #2153
----
- shell/ev-application.c | 20 ++++++++++++++------
- 1 file changed, 14 insertions(+), 6 deletions(-)
-
-diff --git a/shell/ev-application.c b/shell/ev-application.c
-index 4cc20b9a..697aea7f 100644
---- a/shell/ev-application.c
-+++ b/shell/ev-application.c
-@@ -154,7 +154,7 @@ ev_spawn (const char     *uri,
- 	  guint           timestamp)
- {
- 	GString *cmd;
--	gchar *path, *cmdline;
-+	gchar *path, *cmdline, *quoted;
- 	GAppInfo *app;
- 	GError  *error = NULL;
- 
-@@ -179,18 +179,24 @@ ev_spawn (const char     *uri,
- 	/* Page label */
- 	if (dest) {
-                 switch (ev_link_dest_get_dest_type (dest)) {
--                case EV_LINK_DEST_TYPE_PAGE_LABEL:
-+                case EV_LINK_DEST_TYPE_PAGE_LABEL: {
-+                        quoted = g_shell_quote (ev_link_dest_get_page_label (dest));
-                         g_string_append_printf (cmd, " --page-label=%s",
--                                                ev_link_dest_get_page_label (dest));
-+                                                quoted);
-+                        g_free (quoted);
-                         break;
-+                     }
-                 case EV_LINK_DEST_TYPE_PAGE:
-                         g_string_append_printf (cmd, " --page-index=%d",
-                                                 ev_link_dest_get_page (dest) + 1);
-                         break;
--                case EV_LINK_DEST_TYPE_NAMED:
-+                case EV_LINK_DEST_TYPE_NAMED: {
-+                        quoted = g_shell_quote (ev_link_dest_get_named_dest (dest));
-                         g_string_append_printf (cmd, " --named-dest=%s",
--                                                ev_link_dest_get_named_dest (dest));
-+                                                quoted);
-+                        g_free (quoted);
-                         break;
-+                     }
-                 default:
-                         break;
-                 }
-@@ -198,7 +204,9 @@ ev_spawn (const char     *uri,
- 
- 	/* Find string */
- 	if (search_string) {
--		g_string_append_printf (cmd, " --find=%s", search_string);
-+		quoted = g_shell_quote (search_string);
-+		g_string_append_printf (cmd, " --find=%s", quoted);
-+		g_free (quoted);
- 	}
- 
- 	/* Mode */
--- 
-2.52.0
-

SPECS/evince.spec

@@ -5,7 +5,7 @@
 
 Name:           evince
 Version:        3.28.4
-Release:        17%{?dist}
+Release:        16%{?dist}
 Summary:        Document viewer
 
 License:        GPLv2+ and GPLv3+ and LGPLv2+ and MIT and Afmparse
@@ -47,10 +47,6 @@ Patch15:        evince-3.28.4-Show-password-dialog-again.patch
 # https://bugzilla.redhat.com/show_bug.cgi?id=2008310
 Patch16:        evince-3.28.4-handle-clicks-in-forms.patch
 
-# https://issues.redhat.com/browse/RHEL-184039
-# https://github.com/GNOME/evince/commit/970c219e861a5fcc3e7b9e05bedf18cf0de39245
-Patch17:        evince-3.28.4-CVE-2026-46529.patch
-
 BuildRequires:  pkgconfig(adwaita-icon-theme)
 BuildRequires:  pkgconfig(gio-unix-2.0) >= %{glib2_version}
 BuildRequires:  pkgconfig(gnome-desktop-3.0)
@@ -279,10 +275,6 @@ desktop-file-validate $RPM_BUILD_ROOT%{_datadir}/applications/evince.desktop
 %{_libdir}/mozilla/plugins/libevbrowserplugin.so
 
 %changelog
-* Tue Jun 16 2026 RHEL Packaging Agent <redhat-ymir-agent@redhat.com> - 3.28.4-17
-- Fix CVE-2026-46529: quote string arguments passed to ev_spawn
-- Resolves: RHEL-184039
-
 * Mon Oct  4 2021 Marek Kasik <mkasik@redhat.com> - 3.28.4-16
 - Allow text entries to handle clicks
 - Resolves: #2008310