evince-3.28.4-17.el8_10.ML.1

エラータID: AXSA:2026-1137:01

Release date: 
Wednesday, July 1, 2026 - 09:39
Subject: 
evince-3.28.4-17.el8_10.ML.1
Affected Channels: 
Asianux Server 8 for x86_64
Severity: 
High
Description: 

The evince packages provide a simple multi-page document viewer for Portable Document Format (PDF), PostScript (PS), Encapsulated PostScript (EPS) files, and, with additional back-ends, also the Device Independent File format (DVI) files.

Security Fix(es):

* atril: evince: xreader: PDF /GoToR action argv injection enables single-click RCE via --gtk-module dlopen (CVE-2026-46529)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

CVE-2026-46529
Atril Document Viewer is the default document reader of the MATE desktop environment for Linux. A single-click remote code execution vulnerability in versions prior to 1.26.3 and 1.28.4 allows an attacker to achieve arbitrary code execution as the user by tricking them into clicking a link inside a malicious PDF document. The PDF can be packaged as a polyglot file that is simultaneously a valid PDF and a valid ELF shared library, making the attack a single-file, single-click, configuration-independent RCE on stock atril installations. The root cause is `shell/ev-application.c:ev_spawn`, which builds a command line from attacker-controlled PDF link-destination fields without applying `g_shell_quote`. The cmdline is then handed to `g_app_info_create_from_commandline`, which shell-parses it back into argv — splitting any embedded `--gtk-module=PATH` into a separate argv element. GTK then `dlopen()`s the path during init, running any `__attribute__((constructor))` it finds. Versions 1.26.3 and 1.28.4 contain a patch for the issue. This is the same defect class as CVE-2023-51698 (CBT `--checkpoint-action` injection in `comics-document.c`, fixed in 1.6.2) but in a different code path (`shell/ev-application.c`) that the original patch did not touch.

Solution: 

Update packages.

Additional Info: 

N/A

Download: 

SRPMS
  1. evince-3.28.4-17.el8_10.ML.1.src.rpm
    MD5: 292f8bf25ef7009958ebe54dea0e7d04
    SHA-256: 268420ac366bd116e04b028061cfa26f741140619ceef9910d0b97a501a29ffa
    Size: 2.15 MB

Asianux Server 8 for x86_64
  1. evince-3.28.4-17.el8_10.ML.1.x86_64.rpm
    MD5: b714625f353b95f0ba503cdb946ab084
    SHA-256: 62e4248f9a35ddf8451b20f86db2f8a8ac4d4b4c650ec678f5fa36794d2fcbb9
    Size: 1.61 MB
  2. evince-browser-plugin-3.28.4-17.el8_10.ML.1.x86_64.rpm
    MD5: 79693540043749640c6e709717766b22
    SHA-256: 8f9c1964fe3551987383a8467bca194e8c167c1e6a2bb18ea196f2d7cdeb9d2a
    Size: 68.77 kB
  3. evince-devel-3.28.4-17.el8_10.ML.1.i686.rpm
    MD5: 0e3b9c9b4ad55d4e970d0086c752904d
    SHA-256: 7a3b5f4e19c5cba5a453244718ebd4cc24b80cb7f5f74d1e020127e9de3f6178
    Size: 148.70 kB
  4. evince-devel-3.28.4-17.el8_10.ML.1.x86_64.rpm
    MD5: 1f5b599caf22104ea72e8f3ed9a886b3
    SHA-256: 7bfc6b6fae0b86931dc5a5b33047ee3161be69daff58048d3b4cfc50079bf954
    Size: 148.68 kB
  5. evince-libs-3.28.4-17.el8_10.ML.1.i686.rpm
    MD5: 3bf567bf9ca6ae93a8d1cc2428724a91
    SHA-256: e52b95fc5532384699ad37ed23520c37c69404f7b0f74bfda05232eff8c2df26
    Size: 430.41 kB
  6. evince-libs-3.28.4-17.el8_10.ML.1.x86_64.rpm
    MD5: c4242159f517318f14137acffd59fbe8
    SHA-256: 84bce6b2914ef34620159d55b7b9a0623570315c13de92eed0e5a3e81a55582d
    Size: 399.39 kB
  7. evince-nautilus-3.28.4-17.el8_10.ML.1.x86_64.rpm
    MD5: 0ef2f3ca7fcbfe6284354419efc056b1
    SHA-256: 8faaf5ee6b2503ff30d69699fff202f94a9e43bf971976828ce7d6788c5adb32
    Size: 48.91 kB