Version in base suite: 48.1-3
Base version: evince_48.1-3
Target version: evince_48.1-3+deb13u1
Base file: /srv/ftp-master.debian.org/ftp/pool/main/e/evince/evince_48.1-3.dsc
Target file: /srv/ftp-master.debian.org/policy/pool/main/e/evince/evince_48.1-3+deb13u1.dsc
changelog | 8 +
patches/series | 1
patches/shell-quote-strings-in-arguments-used-when-calling-e.patch | 75 ++++++++++
3 files changed, 84 insertions(+)
dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmphpv9cv45/evince_48.1-3.dsc: no acceptable signature found
dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmphpv9cv45/evince_48.1-3+deb13u1.dsc: no acceptable signature found
diff: /srv/release.debian.org/tmp/NvCt_8uEej/evince-48.1/data/icons/hicolor: recursive directory loop
diff -Nru evince-48.1/debian/changelog evince-48.1/debian/changelog
--- evince-48.1/debian/changelog 2025-07-25 16:53:19.000000000 +0000
+++ evince-48.1/debian/changelog 2026-05-20 08:50:27.000000000 +0000
@@ -1,3 +1,11 @@
+evince (48.1-3+deb13u1) trixie-security; urgency=high
+
+ * Non-maintainer upload by the Security Team.
+ * shell: quote strings in arguments used when calling ev_spawn
+ (CVE-2026-46529)
+
+ -- Salvatore Bonaccorso Wed, 20 May 2026 10:50:27 +0200
+
 evince (48.1-3) unstable; urgency=medium
 * Team upload
diff -Nru evince-48.1/debian/patches/series evince-48.1/debian/patches/series
--- evince-48.1/debian/patches/series 2025-07-25 16:53:19.000000000 +0000
+++ evince-48.1/debian/patches/series 2026-05-20 08:48:45.000000000 +0000
@@ -3,3 +3,4 @@
 po-Fix-xml-element-in-Hindi-translation.patch
 libview-Fix-crash-in-the-accessible-code-when-page-cache-.patch
 EvWindow-fix-launching-fullscreen-actions-from-popover.patch
+shell-quote-strings-in-arguments-used-when-calling-e.patch
diff -Nru evince-48.1/debian/patches/shell-quote-strings-in-arguments-used-when-calling-e.patch evince-48.1/debian/patches/shell-quote-strings-in-arguments-used-when-calling-e.patch
--- evince-48.1/debian/patches/shell-quote-strings-in-arguments-used-when-calling-e.patch 1970-01-01 00:00:00.000000000 +0000
+++ evince-48.1/debian/patches/shell-quote-strings-in-arguments-used-when-calling-e.patch 2026-05-20 08:49:18.000000000 +0000
@@ -0,0 +1,75 @@
+From: =?UTF-8?q?Germ=C3=A1n=20Poo-Caama=C3=B1o?=
+Date: Mon, 18 May 2026 16:25:13 -0400
+Subject: shell: quote strings in arguments used when calling ev_spawn
+Origin: https://gitlab.gnome.org/GNOME/evince/-/commit/970c219e861a5fcc3e7b9e05bedf18cf0de39245
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2026-46529
+
+When spawning a new instance, it is good practice to sanitize the
+arguments given to Evince, as those arguments may come from an
+untrusted source. We want to avoid those values could become
+unintended flags by the child process.
+
+Fixes #2153
+---
+ shell/ev-application.c | 20 ++++++++++++++------
+ 1 file changed, 14 insertions(+), 6 deletions(-)
+
+diff --git a/shell/ev-application.c b/shell/ev-application.c
+index 001d214389aa..e35a5ef5f14b 100644
+--- a/shell/ev-application.c
++++ b/shell/ev-application.c
+@@ -154,7 +154,7 @@ ev_spawn (const char *uri,
+ guint timestamp)
+ {
+ GString *cmd;
+- gchar *path, *cmdline;
++ gchar *path, *cmdline, *quoted;
+ GAppInfo *app;
+ GError *error = NULL;
+
+@@ -179,10 +179,13 @@ ev_spawn (const char *uri,
+ /* Page label */
+ if (dest) {
+ switch (ev_link_dest_get_dest_type (dest)) {
+- case EV_LINK_DEST_TYPE_PAGE_LABEL:
++ case EV_LINK_DEST_TYPE_PAGE_LABEL: {
++ quoted = g_shell_quote (ev_link_dest_get_page_label (dest));
+ g_string_append_printf (cmd, " --page-label=%s",
+- ev_link_dest_get_page_label (dest));
++ quoted);
++ g_free (quoted);
+ break;
++ }
+ case EV_LINK_DEST_TYPE_PAGE:
+ case EV_LINK_DEST_TYPE_XYZ:
+ case EV_LINK_DEST_TYPE_FIT:
+@@ -192,10 +195,13 @@ ev_spawn (const char *uri,
+ g_string_append_printf (cmd, " --page-index=%d",
+ ev_link_dest_get_page (dest) + 1);
+ break;
+- case EV_LINK_DEST_TYPE_NAMED:
++ case EV_LINK_DEST_TYPE_NAMED: {
++ quoted = g_shell_quote (ev_link_dest_get_named_dest (dest));
+ g_string_append_printf (cmd, " --named-dest=%s",
+- ev_link_dest_get_named_dest (dest));
++ quoted);
++ g_free (quoted);
+ break;
++ }
+ default:
+
break;
+ }
+@@ -203,7 +209,9 @@ ev_spawn (const char *uri,
+
+ /* Find string */
+ if (search_string) {
+- g_string_append_printf (cmd, " --find=%s", search_string);
++ quoted = g_shell_quote (search_string);
++ g_string_append_printf (cmd, " --find=%s", quoted);
++ g_free (quoted);
+ }
+
+ /* Mode */
+--
+2.53.0
+
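Review bot: The new `g_shell_quote()` calls in the EV_LINK_DEST_TYPE_PAGE_LABEL, EV_LINK_DEST_TYPE_NAMED and `--find` branches are not guarded against a NULL input; `g_shell_quote()` fails its non-NULL precondition and returns NULL in that case, so the `%s` would then append "(null)" (glibc) or hit undefined behaviour, just as the unquoted code did before, and a `if (value) { ... }` around each quoted append would close that residual gap (whether `ev_link_dest_get_page_label()` / `ev_link_dest_get_named_dest()` can return NULL is not visible from this hunk). The quote–append–free sequence is now written out three times around one shared `quoted` temporary; hoisting it into the `static` helper below keeps every document-derived value on a single path, so a future `--option=%s` cannot be added to `cmd` without the quoting. `ev_spawn` starts before the first nested hunk and continues past the last (the `/* Mode */` switch and the spawn itself), so how `cmd` is finally tokenized, and whether the `path` declared next to `cmdline` is appended to `cmd` quoted, cannot be confirmed here.
```c
/* Append " <opt>=<value>" to cmd with value shell-quoted, so the value
 * reaches the child as a single argument and cannot turn into extra
 * flags; a NULL value appends nothing. */
static void
append_quoted_arg (GString *cmd, const char *opt, const char *value)
{
	gchar *quoted;

	if (value == NULL)
		return;
	quoted = g_shell_quote (value);
	g_string_append_printf (cmd, " %s=%s", opt, quoted);
	g_free (quoted);
}

/* … unchanged: ev_spawn up to the destination switch … */
		case EV_LINK_DEST_TYPE_PAGE_LABEL:
			append_quoted_arg (cmd, "--page-label", ev_link_dest_get_page_label (dest));
			break;
/* … unchanged: page-index cases … */
		case EV_LINK_DEST_TYPE_NAMED:
			append_quoted_arg (cmd, "--named-dest", ev_link_dest_get_named_dest (dest));
			break;
/* … unchanged: default case, closing braces … */
	if (search_string)
		append_quoted_arg (cmd, "--find", search_string);
```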