CVE-2023-51698

NameCVE-2023-51698
DescriptionAtril is a simple multi-page document viewer. Atril is vulnerable to a critical Command Injection Vulnerability. This vulnerability gives the attacker immediate access to the target system when the target user opens a crafted document or clicks on a crafted link/URL using a maliciously crafted CBT document which is a TAR archive. A patch is available at commit ce41df6.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesELA-1049-1
Debian Bugs1060751

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
atril (PTS)jessie, jessie (lts)1.8.1+dfsg1-4+deb8u2vulnerable
stretch1.16.1-2+deb9u2vulnerable
stretch (security), stretch (lts)1.16.1-2+deb9u1vulnerable
buster1.20.3-1+deb10u1vulnerable
bullseye1.24.0-1vulnerable
bookworm1.26.0-2+deb12u2fixed
trixie1.26.2-1fixed
sid1.26.2-3fixed
evince (PTS)jessie, jessie (lts)3.14.1-2+deb8u3vulnerable
stretch (security)3.22.1-3+deb9u2vulnerable
stretch (lts), stretch3.22.1-3+deb9u3fixed
buster, buster (security)3.30.2-3+deb10u1fixed
bullseye3.38.2-1fixed
bookworm43.1-2fixed
trixie45.0-1fixed
sid46.0-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
atrilsourcejessie(unfixed)end-of-life
atrilsourcestretch(unfixed)end-of-life
atrilsourcebookworm1.26.0-2+deb12u2
atrilsource(unstable)1.26.1-41060751
evincesourcejessie(unfixed)end-of-life
evincesourcestretch3.22.1-3+deb9u3ELA-1049-1
evincesource(unstable)3.25.92-1

Notes

[bullseye] - atril <no-dsa> (Minor issue)
https://github.com/mate-desktop/atril/security/advisories/GHSA-34rr-j8v9-v4p2
Fixed by: https://github.com/mate-desktop/atril/commit/ce41df6467521ff9fd4f16514ae7d6ebb62eb1ed
Fixed by: https://gitlab.gnome.org/GNOME/evince/commit/7b5ad18399b04cbfce02730d28baf30e9fc35b58 (3.25.4)
Search for package or bug name: Reporting problems