Version in base suite: 1.26.2-4 Base version: atril_1.26.2-4 Target version: atril_1.26.2-4+deb13u1 Base file: /srv/ftp-master.debian.org/ftp/pool/main/a/atril/atril_1.26.2-4.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/a/atril/atril_1.26.2-4+deb13u1.dsc changelog | 7 ++++ patches/CVE-2026-46529.patch | 67 +++++++++++++++++++++++++++++++++++++++++++ patches/series | 1 3 files changed, 75 insertions(+) dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmpep7lb_3k/atril_1.26.2-4.dsc: no acceptable signature found dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmpep7lb_3k/atril_1.26.2-4+deb13u1.dsc: no acceptable signature found
diff -Nru atril-1.26.2/debian/changelog atril-1.26.2/debian/changelog
--- atril-1.26.2/debian/changelog 2025-01-06 14:32:43.000000000 +0000
+++ atril-1.26.2/debian/changelog 2026-06-16 07:16:44.000000000 +0000
@@ -1,3 +1,10 @@
+atril (1.26.2-4+deb13u1) trixie-security; urgency=medium
+
+ * Non-maintainer upload by the LTS Team.
+ * CVE-2026-46529: command line argument injection (Closes: #1139874)
+
+ -- Andreas Henriksson Tue, 16 Jun 2026 09:16:44 +0200
+
 atril (1.26.2-4) unstable; urgency=medium
 * debian/patches:
diff -Nru atril-1.26.2/debian/patches/CVE-2026-46529.patch atril-1.26.2/debian/patches/CVE-2026-46529.patch
--- atril-1.26.2/debian/patches/CVE-2026-46529.patch 1970-01-01 00:00:00.000000000 +0000
+++ atril-1.26.2/debian/patches/CVE-2026-46529.patch 2026-05-27 07:50:33.000000000 +0000
@@ -0,0 +1,67 @@
+From b989b7922a454ed81f8bb14786a958828513f576 Mon Sep 17 00:00:00 2001
+From: Victor Kareh
+Date: Thu, 14 May 2026 20:56:31 -0400
+Subject: [PATCH] ev-application: Quote user-supplied strings in ev_spawn
+ command line
+
+When spawning a new atril instance for cross-document links, the
+destination and search parameters from the document were interpolated
+directly into the command line without shell quoting. Values containing
+spaces or special characters could be split into separate arguments by
+the shell parser, potentially being interpreted as unintended flags by
+the child process.
+
+Apply shell quoting to page label, named destination, and search string
+values before appending them to the command line, consistent with how
+other spawn sites in the codebase already handle this.
+---
+ shell/ev-application.c | 20 +++++++++++++-------
+ 1 file changed, 13 insertions(+), 7 deletions(-)
+
+Originally downloaded from:
+https://github.com/mate-desktop/atril/commit/b989b7922a454ed81f8bb14786a958828513f576.patch
+
+diff --git a/shell/ev-application.c b/shell/ev-application.c
+index 57f1b9225..37d35eaa7 100644
+--- a/shell/ev-application.c
++++ b/shell/ev-application.c
+@@ -221,18 +221,22 @@ ev_spawn (const char *uri,
+ /* Page label or index */
+ if (dest) {
+ switch (ev_link_dest_get_dest_type (dest)) {
+- case EV_LINK_DEST_TYPE_PAGE_LABEL:
+- g_string_append_printf (cmd, " --page-label=%s",
+- ev_link_dest_get_page_label (dest));
++ case EV_LINK_DEST_TYPE_PAGE_LABEL: {
++ gchar *quoted = g_shell_quote (ev_link_dest_get_page_label (dest));
++ g_string_append_printf (cmd, " --page-label=%s", quoted);
++ g_free (quoted);
+ break;
++ }
+ case EV_LINK_DEST_TYPE_PAGE:
+ g_string_append_printf (cmd, " --page-index=%d",
+ ev_link_dest_get_page (dest) + 1);
+ break;
+- case EV_LINK_DEST_TYPE_NAMED:
+- g_string_append_printf (cmd, " --named-dest=%s",
+- ev_link_dest_get_named_dest (dest));
++ case EV_LINK_DEST_TYPE_NAMED: {
++ gchar *quoted = 
g_shell_quote (ev_link_dest_get_named_dest (dest));
++ g_string_append_printf (cmd, " --named-dest=%s", quoted);
++ g_free (quoted);
+ break;
++ }
+ default:
+ break;
+ }
+@@ -240,7 +244,9 @@ ev_spawn (const char *uri,
+
+ /* Find string */
+ if (search_string) {
+- g_string_append_printf (cmd, " --find=%s", search_string);
++ gchar *quoted = g_shell_quote (search_string);
++ g_string_append_printf (cmd, " --find=%s", quoted);
++ g_free (quoted);
+ }
+
+ /* Mode */
diff -Nru atril-1.26.2/debian/patches/series atril-1.26.2/debian/patches/series
--- atril-1.26.2/debian/patches/series 2024-12-27 08:15:56.000000000 +0000
+++ atril-1.26.2/debian/patches/series 2026-06-16 07:16:33.000000000 +0000
@@ -1,3 +1,4 @@
 1002-avoid-crash-on-certain-epub-files.patch
 0001_fix-incompat-pointer-type.patch
 0002_simplify-array-iteration.patch
+CVE-2026-46529.patch
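Review bot: The quoting added at the three sites only neutralizes argument splitting if the finished `cmd` string is later handed to a shell-style tokenizer that strips the quotes again, and that call is not in either inner hunk, so the contract deserves a comment where `cmd` is built, e.g. `/* cmd is tokenized by a shell parser before spawning: every value derived from the document must pass through g_shell_quote () */`; whether `uri` gets the same treatment is also outside the hunk. `g_shell_quote` rejects a NULL argument and returns NULL, so if `ev_link_dest_get_page_label` or `ev_link_dest_get_named_dest` can return NULL for a malformed document the `%s` still emits `(null)` on glibc, unchanged from before but cheap to guard. The quote/append/free sequence is repeated three times with only the flag name varying; a small static helper defined above `ev_spawn` that also skips NULL values would make a fourth, unquoted site harder to add later. `ev_spawn` begins before the first inner hunk and continues after the second.

```c
/* Append " FLAG=VALUE" to cmd with VALUE shell-quoted, so the later
 * tokenization of cmd cannot split it into extra arguments or options.
 * A NULL value appends nothing. */
static void
append_quoted_arg (GString *cmd, const char *flag, const char *value)
{
	gchar *quoted;

	if (value == NULL)
		return;
	quoted = g_shell_quote (value);
	g_string_append_printf (cmd, " %s=%s", flag, quoted);
	g_free (quoted);
}

/* … unchanged: ev_spawn up to the dest-type switch … */
		case EV_LINK_DEST_TYPE_PAGE_LABEL:
			append_quoted_arg (cmd, "--page-label", ev_link_dest_get_page_label (dest));
			break;
/* … unchanged: EV_LINK_DEST_TYPE_PAGE case … */
		case EV_LINK_DEST_TYPE_NAMED:
			append_quoted_arg (cmd, "--named-dest", ev_link_dest_get_named_dest (dest));
			break;
/* … unchanged: default case, end of switch, lines between the two hunks … */
	if (search_string) {
		append_quoted_arg (cmd, "--find", search_string);
	}
```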