Evince PDF Viewer Flaw Allows Arbitrary Code Execution via Crafted Files

A command-line injection vulnerability has been discovered in Evince, the default PDF viewer for GNOME-based Linux distributions. The flaw exists in how Evince processes PDF /GoToR (remote action) directives, which are used to navigate to external resources or execute actions when users interact with PDF links.

Attackers can exploit this vulnerability by embedding malicious /GoToR actions in specially crafted PDF files. When a user opens such a file in Evince, the application fails to properly sanitize arguments passed to system commands, enabling arbitrary code execution with the privileges of the user running Evince.

Ubuntu has released security update USN-8295-1 to patch this vulnerability across affected releases. Users should apply this update promptly, particularly those who regularly handle PDF documents from untrusted sources.

Technical Details of the Vulnerability

• The flaw involves improper sanitization of command-line arguments within PDF /GoToR action handlers
• Attackers leverage this to inject arbitrary commands that execute when PDF links are activated
• The vulnerability requires user interaction—opening a malicious PDF and potentially clicking a crafted link
• Code execution occurs in the context of the user running Evince, limiting but not eliminating impact severity

Mitigation and Recommendations

• Apply Ubuntu security update USN-8295-1 immediately to all affected systems
• Exercise caution when opening PDF files from untrusted or unexpected sources
• Consider disabling automatic execution of /GoToR actions in Evince settings if available
• Monitor systems for suspicious process execution originating from Evince
• Educate users about the risks of opening PDFs from unverified senders

Sources

• USN-8295-1: Evince vulnerability