Your message dated Fri, 25 Jul 2025 19:34:22 +0000
with message-id <[email protected]>
and subject line Bug#1109826: fixed in evince 48.1-3
has caused the Debian Bug report #1109826,
regarding evince: print preview doesn't work if the papers package is 
installed: apparmor="DENIED" name="/usr/bin/papers-previewer"
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1109826: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1109826
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: evince
Version: 48.1-2
Severity: normal
Control: affects -1 + papers apparmor gtk+3.0
X-Debbugs-Cc: Alessandro Astone <[email protected]>, 
[email protected], [email protected], 
[email protected]

Steps to reproduce
==================

1. Install system, originally from
   debian-trixie-DI-rc2-amd64-netinst.iso, with task-gnome-desktop.
   Upgrade all packages to their latest versions from Debian trixie.

2. As root: apt install papers

3. In a terminal, as root or a member of adm: journalctl -f

4. In another terminal: evince /usr/share/doc/shared-mime-info/*.pdf
   (probably any PDF would do, but this one is convenient)

5. Open evince's main menu (3 horizontal lines / "hamburger menu")

6. Click on the printer icon

7. Observe GTK printing dialog, with buttons in its headerbar as
   follows:
   |[Cancel]    Print    [Preview] [Print]|

8. Click on [Preview]

Expected result
===============

A second window appears with a print preview, either provided by evince 
(/usr/share/applications/org.gnome.Evince-previewer.desktop, 
"evince-previewer" executable) or provided by papers 
(/usr/share/applications/org.gnome.Papers-previewer.desktop, 
"papers-previewer" executable) or any similar previewer. The evince 
window remains open.

Note in particular that if I replace step 2 with, as root

    apt purge papers

I get the expected result; in this case the preview dialog is provided 
by evince-previewer.

Actual result
=============

A progress bar briefly appears, but then disappears, leaving only the 
normal evince window visible. In the "journalctl -f" output, I see 
this AppArmor denial (uid 0 or adm membership required):

>Jul 24 12:27:49 espresso kernel: audit: type=1400 audit(1753356469.641:148): 
>apparmor="DENIED" operation="exec" class="file" profile="/usr/bin/evince" 
>name="/usr/bin/papers-previewer" pid=12463 comm="gio-launch-desk" 
>requested_mask="x" denied_mask="x" fsuid=1000 ouid=0

Workarounds
===========

Either:

* as root: apt purge papers

or:

* as root: apt install apparmor-utils
* as root: aa-complain /usr/bin/evince

Diagnosis
=========

As demonstrated by the workarounds, I believe this is a problem with the 
combination of two components:

* the /usr/bin/evince (/etc/apparmor.d/usr.bin.evince) AppArmor profile
  originally added by Ubuntu in or before 2016, applied in an effort to
  harden evince against crafted documents (PDF, DjVu, etc.) that might
  have been provided by an attacker to achieve arbitrary code execution
  via security vulnerabilities in document format parsing libraries;

* and the GTK 3 patch
  debian/patches/printing-Default-to-papers-previewer-and-fallback-to-evin.patch
  recently contributed by an Ubuntu developer to make GTK 3 default to
  using papers-previewer in preference to evince-previewer if it is
  installed

I believe the problem is that evince's AppArmor profile explicitly 
allows running evince-previewer, but does not allow running 
papers-previewer.

Any other GTK 3 application with a non-trivial AppArmor profile and the 
ability to do a print-preview would presumably have the same issue. 
evince is merely the most prominent example of a GTK 3 application with 
non-trivial AppArmor confinement.

-- System Information:
Debian Release: 13.0
  APT prefers testing-security
  APT policy: (500, 'testing-security'), (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 6.12.35+deb13-amd64 (SMP w/4 CPU threads; PREEMPT)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_GB:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages evince depends on:
ii  dconf-gsettings-backend [gsettings-backend]  0.40.0-5
ii  evince-common                                48.1-2
ii  gsettings-desktop-schemas                    48.0-1
ii  libatk1.0-0t64                               2.56.2-1
ii  libc6                                        2.41-10
ii  libcairo-gobject2                            1.18.4-1+b1
ii  libcairo2                                    1.18.4-1+b1
ii  libevdocument3-4t64                          48.1-2
ii  libevview3-3t64                              48.1-2
ii  libgdk-pixbuf-2.0-0                          2.42.12+dfsg-3
ii  libglib2.0-0t64                              2.84.3-1
ii  libgnome-desktop-3-20t64                     44.3-3
ii  libgtk-3-0t64                                3.24.49-3
ii  libhandy-1-0                                 1.8.3-2
ii  libpango-1.0-0                               1.56.3-1
ii  libpangocairo-1.0-0                          1.56.3-1
ii  libsecret-1-0                                0.21.7-1
ii  shared-mime-info                             2.4-5+b2

Versions of packages evince recommends:
ii  dbus-user-session [default-dbus-session-bus]  1.16.2-2

Versions of packages evince suggests:
ii  gvfs             1.57.2-2
pn  nautilus-sendto  <none>
ii  poppler-data     0.4.12-1

-- no debconf information

--- End Message ---
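
Added example (not part of the original report or of Debian's packaging): a Python sketch that parses AppArmor audit records like the denial quoted in the report above and lists which executables each confined profile was refused permission to run. The first sample line is the report's denial joined onto one line; the second sample line and all function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Line 1 is the denial quoted in the report, joined onto one line.
# Line 2 is constructed: a read denial on a path containing a space, which
# the audit subsystem logs hex-encoded and unquoted.
SAMPLE_LOG = "\n".join([
    'Jul 24 12:27:49 espresso kernel: audit: type=1400 '
    'audit(1753356469.641:148): apparmor="DENIED" operation="exec" '
    'class="file" profile="/usr/bin/evince" '
    'name="/usr/bin/papers-previewer" pid=12463 comm="gio-launch-desk" '
    'requested_mask="x" denied_mask="x" fsuid=1000 ouid=0',
    'kernel: audit: type=1400 audit(1.0:1): apparmor="DENIED" '
    'operation="open" class="file" profile="/usr/bin/evince" '
    'name=2F746D702F6120622E706466 pid=1 comm="evince" '
    'requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000',
])

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
STRING_FIELDS = {"profile", "name", "comm"}  # may arrive hex-encoded

def parse_record(line):
    """Return the key=value fields of an AppArmor audit line, else None."""
    if "apparmor=" not in line:
        return None
    fields = {}
    for key, raw in FIELD_RE.findall(line):
        if raw.startswith('"'):
            raw = raw[1:-1]
        elif key in STRING_FIELDS:
            try:  # unquoted string field: decode the hex form
                raw = bytes.fromhex(raw).decode("utf-8", "replace")
            except ValueError:
                pass  # not hex after all; keep the raw token
        fields[key] = raw
    return fields

def denied_execs(log_text):
    """Map each profile to the executables it was denied permission to run."""
    denied = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec and rec.get("apparmor") == "DENIED" \
                and "x" in rec.get("denied_mask", ""):
            denied[rec["profile"]].add(rec["name"])
    return {profile: sorted(names) for profile, names in denied.items()}

if __name__ == "__main__":
    print(denied_execs(SAMPLE_LOG))
```

Each entry in the result is a candidate for review against the profile, as was done for papers-previewer here; the read denial in the sample is parsed but not reported because its denied_mask contains no "x".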
--- Begin Message ---
Source: evince
Source-Version: 48.1-3
Done: Simon McVittie <[email protected]>

We believe that the bug you reported is fixed in the latest version of
evince, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Simon McVittie <[email protected]> (supplier of updated evince package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 25 Jul 2025 17:53:19 +0100
Source: evince
Architecture: source
Version: 48.1-3
Distribution: unstable
Urgency: medium
Maintainer: Debian GNOME Maintainers 
<[email protected]>
Changed-By: Simon McVittie <[email protected]>
Closes: 1109826
Changes:
 evince (48.1-3) unstable; urgency=medium
 .
   * Team upload
   * d/apparmor-profile: Allow running either Papers or Evince for
     print preview.
     Upstream GTK 3 uses evince-previewer for print preview functionality,
     but if the papers package is installed (by default it is not),
     Debian's GTK 3 prefers to use that. papers-previewer already has a
     restrictive AppArmor profile based on the one for evince-previewer,
     so allow running either one. Otherwise, print preview will not work
     if papers happens to be installed. (Closes: #1109826)



--- End Message ---
