ELA-1049-1 evince security update

command injection

2024-02-29
Package: evince
Version: 3.22.1-3+deb9u3 (stretch)
Related CVEs: CVE-2023-51698


A security vulnerability was found in Evince, a document viewer, that may grant an attacker immediate access to the target system when the target user opens a crafted document or clicks on a crafted link/URL. The attack uses a maliciously crafted CBT (comic book archive) document, which is a TAR archive. The comic book backend of Evince now uses libarchive, which handles CBT and other comic book archives correctly.



For Debian 9 stretch, these problems have been fixed in version 3.22.1-3+deb9u3.

We recommend that you upgrade your evince packages.

Further information about Extended LTS security advisories can be found in the dedicated section of our website.