ALAS2023-2026-1782

CVE-2026-46529 is a command injection vulnerability in Evince, Atril, and Xreader caused by missing quoting of shell-like input in ev_spawn() in ev-application.c. (CVE-2026-46529)

An unsoundness issue (RUSTSEC-2026-0097) was also found in the bundled Rust rand crate. ThreadRng methods use unsafe code that can create aliased mutable references when a custom logger accesses rand::rng() or rand::thread_rng() during reseeding, resulting in undefined behavior.

aarch64:
    papers-debuginfo-47.0-12.amzn2023.aarch64
    papers-previewer-47.0-12.amzn2023.aarch64
    papers-libs-47.0-12.amzn2023.aarch64
    papers-previewer-debuginfo-47.0-12.amzn2023.aarch64
    papers-libs-debuginfo-47.0-12.amzn2023.aarch64
    papers-thumbnailer-47.0-12.amzn2023.aarch64
    papers-nautilus-debuginfo-47.0-12.amzn2023.aarch64
    papers-thumbnailer-debuginfo-47.0-12.amzn2023.aarch64
    papers-nautilus-47.0-12.amzn2023.aarch64
    papers-devel-47.0-12.amzn2023.aarch64
    papers-debugsource-47.0-12.amzn2023.aarch64
    papers-47.0-12.amzn2023.aarch64

src:
    papers-47.0-12.amzn2023.src

x86_64:
    papers-debuginfo-47.0-12.amzn2023.x86_64
    papers-previewer-47.0-12.amzn2023.x86_64
    papers-previewer-debuginfo-47.0-12.amzn2023.x86_64
    papers-nautilus-debuginfo-47.0-12.amzn2023.x86_64
    papers-thumbnailer-debuginfo-47.0-12.amzn2023.x86_64
    papers-libs-debuginfo-47.0-12.amzn2023.x86_64
    papers-thumbnailer-47.0-12.amzn2023.x86_64
    papers-nautilus-47.0-12.amzn2023.x86_64
    papers-devel-47.0-12.amzn2023.x86_64
    papers-libs-47.0-12.amzn2023.x86_64
    papers-debugsource-47.0-12.amzn2023.x86_64
    papers-47.0-12.amzn2023.x86_64