Vulnerabilities in various GTK-based PDF readers

Michael Catanzaro has disclosed acommand-injection vulnerability affecting a number of GTK-based PDFreaders; exploits included:

They contain a script for building malicious polyglot PDFs that aresimultaneously both valid PDF files and also valid ELFbinaries. When the user opens the PDF in the PDF viewer and clickson a malicious link embedded in the PDF, the PDF abuses the commandinjection vulnerability to load itself as a GTK module using the`--gtk-module` command line flag. It can then execute arbitrarycode via its library constructor. That flag was removed in GTK 4,which is why the vulnerability is much less serious for Papers thanit is for Evince, Atril, and Xreader.