Per https://security-tracker.debian.org/tracker/CVE-2026-46529 `atril` version in Trixie (1.26.2-4) is vulnerable. This bug is easily exploitable and viewing PDFs is a very common task that almost everyone performs at least semi-regularly. Andreas Henriksson (CCed) kindly provided all necessary changes at https://salsa.debian.org/ah/atril/-/tree/debian/trixie so, as I understand, all that is necessary is for someone from the security team to review and publish it.
We are all aware that this bug is fixed in testing, unstable and even Bullseye. Unfortunately, this does not help users of Trixie, the current stable, in any way. This was reflected in the original title of this bug. Please kindly don't mark this bug as done until a fix is released to Trixie. Many thanks!
We believe that the bug you reported is fixed in the latest version of atril, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is attached.

Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 1139874@bugs.debian.org, and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Andreas Henriksson <andreas@fatal.se> (supplier of updated atril package)

(This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmaster@ftp-master.debian.org)

Format: 1.8
Date: Tue, 16 Jun 2026 08:29:50 +0200
Source: atril
Architecture: source
Version: 1.26.0-2+deb12u4
Distribution: bookworm-security
Urgency: medium
Maintainer: Debian+Ubuntu MATE Packaging Team <debian-mate@lists.debian.org>
Changed-By: Andreas Henriksson <andreas@fatal.se>
Closes: 1139874
Changes:
 atril (1.26.0-2+deb12u4) bookworm-security; urgency=medium
 .
   * Non-maintainer upload by the LTS Team.
   * CVE-2026-46529: command line argument injection (Closes: #1139874)
We believe that the bug you reported is fixed in the latest version of atril, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is attached.

Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 1139874@bugs.debian.org, and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Andreas Henriksson <andreas@fatal.se> (supplier of updated atril package)

(This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmaster@ftp-master.debian.org)

Format: 1.8
Date: Tue, 16 Jun 2026 09:16:44 +0200
Source: atril
Architecture: source
Version: 1.26.2-4+deb13u1
Distribution: trixie-security
Urgency: medium
Maintainer: Debian+Ubuntu MATE Packaging Team <debian-mate@lists.debian.org>
Changed-By: Andreas Henriksson <andreas@fatal.se>
Closes: 1139874
Changes:
 atril (1.26.2-4+deb13u1) trixie-security; urgency=medium
 .
   * Non-maintainer upload by the LTS Team.
   * CVE-2026-46529: command line argument injection (Closes: #1139874)