evince-3.28.4-17.el8_10.ML.1
エラータID: AXSA:2026-1137:01
The evince packages provide a simple multi-page document viewer for Portable Document Format (PDF), PostScript (PS), Encapsulated PostScript (EPS) files, and, with additional back-ends, also the Device Independent File format (DVI) files.
Security Fix(es):
* atril: evince: xreader: PDF /GoToR action argv injection enables single-click RCE via --gtk-module dlopen (CVE-2026-46529)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
CVE-2026-46529
Atril Document Viewer is the default document reader of the MATE desktop environment for Linux. A single-click remote code execution vulnerability in versions prior to 1.26.3 and 1.28.4 allows an attacker to achieve arbitrary code execution as the user by tricking them into clicking a link inside a malicious PDF document. The PDF can be packaged as a polyglot file that is simultaneously a valid PDF and a valid ELF shared library, making the attack a single-file, single-click, configuration-independent RCE on stock atril installations. The root cause is `shell/ev-application.c:ev_spawn`, which builds a command line from attacker-controlled PDF link-destination fields without applying `g_shell_quote`. The cmdline is then handed to `g_app_info_create_from_commandline`, which shell-parses it back into argv — splitting any embedded `--gtk-module=PATH` into a separate argv element. GTK then `dlopen()`s the path during init, running any `__attribute__((constructor))` it finds. Versions 1.26.3 and 1.28.4 contain a patch for the issue. This is the same defect class as CVE-2023-51698 (CBT `--checkpoint-action` injection in `comics-document.c`, fixed in 1.6.2) but in a different code path (`shell/ev-application.c`) that the original patch did not touch.
Update packages.
Atril Document Viewer is the default document reader of the MATE desktop environment for Linux. A single-click remote code execution vulnerability in versions prior to 1.26.3 and 1.28.4 allows an attacker to achieve arbitrary code execution as the user by tricking them into clicking a link inside a malicious PDF document. The PDF can be packaged as a polyglot file that is simultaneously a valid PDF and a valid ELF shared library, making the attack a single-file, single-click, configuration-independent RCE on stock atril installations. The root cause is `shell/ev-application.c:ev_spawn`, which builds a command line from attacker-controlled PDF link-destination fields without applying `g_shell_quote`. The cmdline is then handed to `g_app_info_create_from_commandline`, which shell-parses it back into argv — splitting any embedded `--gtk-module=PATH` into a separate argv element. GTK then `dlopen()`s the path during init, running any `__attribute__((constructor))` it finds. Versions 1.26.3 and 1.28.4 contain a patch for the issue. This is the same defect class as CVE-2023-51698 (CBT `--checkpoint-action` injection in `comics-document.c`, fixed in 1.6.2) but in a different code path (`shell/ev-application.c`) that the original patch did not touch.
N/A
SRPMS
- evince-3.28.4-17.el8_10.ML.1.src.rpm
MD5: 292f8bf25ef7009958ebe54dea0e7d04
SHA-256: 268420ac366bd116e04b028061cfa26f741140619ceef9910d0b97a501a29ffa
Size: 2.15 MB
Asianux Server 8 for x86_64
- evince-3.28.4-17.el8_10.ML.1.x86_64.rpm
MD5: b714625f353b95f0ba503cdb946ab084
SHA-256: 62e4248f9a35ddf8451b20f86db2f8a8ac4d4b4c650ec678f5fa36794d2fcbb9
Size: 1.61 MB - evince-browser-plugin-3.28.4-17.el8_10.ML.1.x86_64.rpm
MD5: 79693540043749640c6e709717766b22
SHA-256: 8f9c1964fe3551987383a8467bca194e8c167c1e6a2bb18ea196f2d7cdeb9d2a
Size: 68.77 kB - evince-devel-3.28.4-17.el8_10.ML.1.i686.rpm
MD5: 0e3b9c9b4ad55d4e970d0086c752904d
SHA-256: 7a3b5f4e19c5cba5a453244718ebd4cc24b80cb7f5f74d1e020127e9de3f6178
Size: 148.70 kB - evince-devel-3.28.4-17.el8_10.ML.1.x86_64.rpm
MD5: 1f5b599caf22104ea72e8f3ed9a886b3
SHA-256: 7bfc6b6fae0b86931dc5a5b33047ee3161be69daff58048d3b4cfc50079bf954
Size: 148.68 kB - evince-libs-3.28.4-17.el8_10.ML.1.i686.rpm
MD5: 3bf567bf9ca6ae93a8d1cc2428724a91
SHA-256: e52b95fc5532384699ad37ed23520c37c69404f7b0f74bfda05232eff8c2df26
Size: 430.41 kB - evince-libs-3.28.4-17.el8_10.ML.1.x86_64.rpm
MD5: c4242159f517318f14137acffd59fbe8
SHA-256: 84bce6b2914ef34620159d55b7b9a0623570315c13de92eed0e5a3e81a55582d
Size: 399.39 kB - evince-nautilus-3.28.4-17.el8_10.ML.1.x86_64.rpm
MD5: 0ef2f3ca7fcbfe6284354419efc056b1
SHA-256: 8faaf5ee6b2503ff30d69699fff202f94a9e43bf971976828ce7d6788c5adb32
Size: 48.91 kB