Version in base suite: 43.1-2 Base version: evince_43.1-2 Target version: evince_43.1-2+deb12u1 Base file: /srv/ftp-master.debian.org/ftp/pool/main/e/evince/evince_43.1-2.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/e/evince/evince_43.1-2+deb12u1.dsc changelog | 8 + patches/series | 1 patches/shell-quote-strings-in-arguments-used-when-calling-e.patch | 67 ++++++++++ 3 files changed, 76 insertions(+) dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmpmvkvbkm9/evince_43.1-2.dsc: no acceptable signature found dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmpmvkvbkm9/evince_43.1-2+deb12u1.dsc: no acceptable signature found
diff -Nru evince-43.1/debian/changelog evince-43.1/debian/changelog
--- evince-43.1/debian/changelog 2022-12-07 10:20:50.000000000 +0000
+++ evince-43.1/debian/changelog 2026-05-20 08:53:39.000000000 +0000
@@ -1,3 +1,11 @@
+evince (43.1-2+deb12u1) bookworm-security; urgency=high
+
+ * Non-maintainer upload by the Security Team.
+ * shell: quote strings in arguments used when calling ev_spawn
+ (CVE-2026-46529)
+
+ -- Salvatore Bonaccorso Wed, 20 May 2026 10:53:39 +0200
+
 evince (43.1-2) unstable; urgency=medium
 [ Andrej Shadura ]
diff -Nru evince-43.1/debian/patches/series evince-43.1/debian/patches/series
--- evince-43.1/debian/patches/series 2022-12-07 10:20:50.000000000 +0000
+++ evince-43.1/debian/patches/series 2026-05-20 08:52:51.000000000 +0000
@@ -0,0 +1 @@
+shell-quote-strings-in-arguments-used-when-calling-e.patch
diff -Nru evince-43.1/debian/patches/shell-quote-strings-in-arguments-used-when-calling-e.patch evince-43.1/debian/patches/shell-quote-strings-in-arguments-used-when-calling-e.patch
--- evince-43.1/debian/patches/shell-quote-strings-in-arguments-used-when-calling-e.patch 1970-01-01 00:00:00.000000000 +0000
+++ evince-43.1/debian/patches/shell-quote-strings-in-arguments-used-when-calling-e.patch 2026-05-20 08:53:16.000000000 +0000
@@ -0,0 +1,67 @@
+From: =?UTF-8?q?Germ=C3=A1n=20Poo-Caama=C3=B1o?=
+Date: Mon, 18 May 2026 16:25:13 -0400
+Subject: shell: quote strings in arguments used when calling ev_spawn
+Origin: https://gitlab.gnome.org/GNOME/evince/-/commit/970c219e861a5fcc3e7b9e05bedf18cf0de39245
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2026-46529
+
+When spawning a new instance, it is good practice to sanitize the
+arguments given to Evince, as those arguments may come from an
+untrusted source. We want to avoid those values could become
+unintended flags by the child process.
+
+Fixes #2153
+---
+ shell/ev-application.c | 20 ++++++++++++++------
+ 1 file changed, 14 insertions(+), 6 deletions(-)
+
+--- a/shell/ev-application.c
++++ b/shell/ev-application.c
+@@ -155,7 +155,7 @@ ev_spawn (const char *uri,
+ guint timestamp)
+ {
+ GString *cmd;
+- gchar *path, *cmdline;
++ gchar *path, *cmdline, *quoted;
+ GAppInfo *app;
+ GError *error = NULL;
+
+@@ -180,18 +180,24 @@ ev_spawn (const char *uri,
+ /* Page label */
+ if (dest) {
+ switch (ev_link_dest_get_dest_type (dest)) {
+- case EV_LINK_DEST_TYPE_PAGE_LABEL:
++ case EV_LINK_DEST_TYPE_PAGE_LABEL: {
++ quoted = g_shell_quote (ev_link_dest_get_page_label (dest));
+ g_string_append_printf (cmd, " --page-label=%s",
+- ev_link_dest_get_page_label (dest));
++ quoted);
++ g_free (quoted);
+ break;
++ }
+ case EV_LINK_DEST_TYPE_PAGE:
+ g_string_append_printf (cmd, " --page-index=%d",
+ ev_link_dest_get_page (dest) + 1);
+ break;
+- case EV_LINK_DEST_TYPE_NAMED:
++ case EV_LINK_DEST_TYPE_NAMED: {
++ quoted = g_shell_quote (ev_link_dest_get_named_dest (dest));
+ g_string_append_printf (cmd, " --named-dest=%s",
+- ev_link_dest_get_named_dest (dest));
++ quoted);
++ g_free (quoted);
+ break;
++ }
+ default:
+ break;
+ }
+@@ -199,7 +205,9 @@ ev_spawn (const char *uri,
+
+ /* Find string */
+ if (search_string) {
+- g_string_append_printf (cmd, " --find=%s", search_string);
++ quoted = g_shell_quote (search_string);
++ g_string_append_printf (cmd, " --find=%s", quoted);
++ g_free (quoted);
+ }
+
+ /* Mode */
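Review bot: The two new `g_shell_quote ()` calls inside the `switch` pass the accessor result straight through with no NULL check, whereas the `--find` branch is guarded by `if (search_string)`. If `ev_link_dest_get_page_label ()` or `ev_link_dest_get_named_dest ()` can return NULL for a dest of that type (not visible in this hunk), `g_shell_quote ()` fails its non-NULL precondition and returns NULL, and `%s` is then formatted with a NULL pointer. Binding the value first, `const char *label = ev_link_dest_get_page_label (dest);`, and appending only `if (label)` would make the three branches consistent; if the accessors are guaranteed non-NULL, a one-line comment at the `switch` stating that would do instead. `ev_spawn` begins before the hunk and the remaining pieces of `cmd` (the `path` prefix, the `uri`, the mode flags) are built outside it, so this hunk alone cannot show whether they receive the same quoting, which is worth confirming since `cmd` is presumably parsed back into an argv before the spawn.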