Package: atril
Version: 1.26.2-4
Severity: important
Tags: security
X-Debbugs-Cc: Andreas Henriksson <[email protected]>, [email protected], Debian Security Team <[email protected]>

Per https://security-tracker.debian.org/tracker/CVE-2026-46529, the `atril`
version in Trixie (1.26.2-4) is vulnerable. This bug is easily exploitable and
viewing PDFs is a very common task that almost everyone performs at least
semi-regularly.

Andreas Henriksson (CCed) kindly provided all necessary changes at
https://salsa.debian.org/ah/atril/-/tree/debian/trixie so, as I understand it,
all that is necessary is for someone from the security team to review and
publish it.


-- System Information:
Debian Release: 13.5
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable'), (90, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 7.0.10+tbfive1-amd64 (SMP w/24 CPU threads; PREEMPT)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=C, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE=en_IE:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages atril depends on:
ii  atril-common                           1.26.2-4
ii  dconf-gsettings-backend [gsettings-ba  0.40.0-5
    ckend]
ii  libatk1.0-0t64                         2.56.2-1+deb13u1
ii  libatrildocument3t64                   1.26.2-4
ii  libatrilview3t64                       1.26.2-4
ii  libc6                                  2.41-12+deb13u3
ii  libcaja-extension1                     1.26.4-1
ii  libgdk-pixbuf-2.0-0                    2.42.12+dfsg-4+deb13u1
ii  libglib2.0-0t64                        2.84.4-3~deb13u3
ii  libgtk-3-0t64                          3.24.49-3
ii  libice6                                2:1.1.1-1
ii  libsecret-1-0                          0.21.7-1
ii  libsm6                                 2:1.2.6-1
ii  libxml2                                2.12.7+dfsg+really2.9.14-2.1+deb13u2
ii  shared-mime-info                       2.4-5+b2

Versions of packages atril recommends:
ii  dbus-user-session [default-dbus-session-bus]  1.16.2-2
ii  dbus-x11 [dbus-session-bus]                   1.16.2-2
ii  gvfs                                          1.57.2-2+deb13u1

Versions of packages atril suggests:
ii  caja          1.26.4-1
ii  poppler-data  0.4.12-1

-- no debconf information
