[pkg-apparmor] Bug#1109826: evince: print preview doesn't work if the papers package is installed: apparmor="DENIED" name="/usr/bin/papers-previewer"
Simon McVittie
smcv at debian.org
Thu Jul 24 14:22:08 BST 2025
Package: evince
Version: 48.1-2
Severity: normal
Control: affects -1 + papers apparmor gtk+3.0
X-Debbugs-Cc: Alessandro Astone <alessandro.astone at canonical.com>, ubuntu-desktop at lists.ubuntu.com, apparmor at packages.debian.org, gtk+3.0 at packages.debian.org
Steps to reproduce
==================
1. Install system, originally from
debian-trixie-DI-rc2-amd64-netinst.iso, with task-gnome-desktop.
Upgrade all packages to their latest versions from Debian trixie.
2. As root: apt install papers
3. In a terminal, as root or a member of adm: journalctl -f
4. In another terminal: evince /usr/share/doc/shared-mime-info/*.pdf
(probably any PDF would do, but this one is convenient)
5. Open evince's main menu (3 horizontal lines / "hamburger menu")
6. Click on the printer icon
7. Observe GTK printing dialog, with buttons in its headerbar as
follows:
|[Cancel] Print [Preview] [Print]|
8. Click on [Preview]
Expected result
===============
A second window appears with a print preview, either provided by evince
(/usr/share/applications/org.gnome.Evince-previewer.desktop,
"evince-previewer" executable) or provided by papers
(/usr/share/applications/org.gnome.Papers-previewer.desktop,
"papers-previewer" executable) or any similar previewer. The evince
window remains open.
Note in particular that if I replace step 2 with, as root
apt purge papers
I get the expected result; in this case the preview dialog is provided
by evince-previewer.
Actual result
=============
A progress bar briefly appears, but then disappears, leaving only the
normal evince window visible. In the "journalctl -f" output, I see
this AppArmor denial (uid 0 or adm membership required):
>Jul 24 12:27:49 espresso kernel: audit: type=1400 audit(1753356469.641:148): apparmor="DENIED" operation="exec" class="file" profile="/usr/bin/evince" name="/usr/bin/papers-previewer" pid=12463 comm="gio-launch-desk" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
Workarounds
===========
Either:
* as root: apt purge papers
or:
* as root: apt install apparmor-utils
* as root: aa-complain /usr/bin/evince
Diagnosis
=========
As demonstrated by the workarounds, I believe this is a problem with the
combination of two components:
* the /usr/bin/evince (/etc/apparmor.d/usr.bin.evince) AppArmor profile
originally added by Ubuntu in or before 2016, applied in an effort to
harden evince against crafted documents (PDF, DjVu, etc.) that might
have been provided by an attacker to achieve arbitrary code execution
via security vulnerabilities in document format parsing libraries;
* and the GTK 3 patch
debian/patches/printing-Default-to-papers-previewer-and-fallback-to-evin.patch
recently contributed by an Ubuntu developer to make GTK 3 default to
using papers-previewer in preference to evince-previewer if it is
installed
I believe the problem is that evince's AppArmor profile explicitly
allows running evince-previewer, but does not allow running
papers-previewer.
Any other GTK 3 application with a non-trivial AppArmor profile and the
ability to do a print-preview would presumably have the same issue.
evince is merely the most prominent example of a GTK 3 application with
non-trivial AppArmor confinement.
-- System Information:
Debian Release: 13.0
APT prefers testing-security
APT policy: (500, 'testing-security'), (500, 'testing')
Architecture: amd64 (x86_64)
Kernel: Linux 6.12.35+deb13-amd64 (SMP w/4 CPU threads; PREEMPT)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en_GB:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages evince depends on:
ii dconf-gsettings-backend [gsettings-backend] 0.40.0-5
ii evince-common 48.1-2
ii gsettings-desktop-schemas 48.0-1
ii libatk1.0-0t64 2.56.2-1
ii libc6 2.41-10
ii libcairo-gobject2 1.18.4-1+b1
ii libcairo2 1.18.4-1+b1
ii libevdocument3-4t64 48.1-2
ii libevview3-3t64 48.1-2
ii libgdk-pixbuf-2.0-0 2.42.12+dfsg-3
ii libglib2.0-0t64 2.84.3-1
ii libgnome-desktop-3-20t64 44.3-3
ii libgtk-3-0t64 3.24.49-3
ii libhandy-1-0 1.8.3-2
ii libpango-1.0-0 1.56.3-1
ii libpangocairo-1.0-0 1.56.3-1
ii libsecret-1-0 0.21.7-1
ii shared-mime-info 2.4-5+b2
Versions of packages evince recommends:
ii dbus-user-session [default-dbus-session-bus] 1.16.2-2
Versions of packages evince suggests:
ii gvfs 1.57.2-2
pn nautilus-sendto <none>
ii poppler-data 0.4.12-1
-- no debconf information
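
Added example, not part of the original report: a small Python triage script that parses AppArmor audit lines like the one quoted above and counts enforced exec denials per (profile, target binary) pair. The first sample line is the denial from the report; the other two are constructed for contrast, and the function names are this example's own.

```python
import re
from collections import Counter

# Line 1 is the denial quoted in the report; lines 2 and 3 are constructed
# (a complain-mode "ALLOWED" event and an unrelated non-exec denial).
SAMPLE_LOG = '''\
Jul 24 12:27:49 espresso kernel: audit: type=1400 audit(1753356469.641:148): apparmor="DENIED" operation="exec" class="file" profile="/usr/bin/evince" name="/usr/bin/papers-previewer" pid=12463 comm="gio-launch-desk" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
Jul 24 12:28:02 espresso kernel: audit: type=1400 audit(1753356482.100:149): apparmor="ALLOWED" operation="exec" class="file" profile="/usr/bin/evince" name="/usr/bin/papers-previewer" pid=12501 comm="gio-launch-desk" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
Jul 24 12:28:10 espresso kernel: audit: type=1400 audit(1753356490.000:150): apparmor="DENIED" operation="open" class="file" profile="/usr/bin/example" name="/etc/example.conf" pid=12600 comm="example" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
'''

FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
STRING_KEYS = {"name", "profile", "comm"}  # fields the kernel may hex-encode


def parse_event(line):
    """Return the key=value fields of one AppArmor audit line, or None."""
    if "apparmor=" not in line:
        return None
    event = {}
    for key, quoted, bare in FIELD.findall(line):
        if quoted or not bare:
            event[key] = quoted
        elif key in STRING_KEYS and re.fullmatch(r"(?:[0-9A-Fa-f]{2})+", bare):
            # Strings containing spaces or quotes are logged unquoted, as hex.
            event[key] = bytes.fromhex(bare).decode("utf-8", "replace")
        else:
            event[key] = bare
    return event


def exec_denials(log_text):
    """Count enforced exec denials per (confining profile, target binary)."""
    counts = Counter()
    for line in log_text.splitlines():
        ev = parse_event(line)
        if (ev and ev.get("apparmor") == "DENIED"
                and ev.get("operation") == "exec"
                and "x" in ev.get("denied_mask", "")):
            counts[(ev.get("profile"), ev.get("name"))] += 1
    return counts


if __name__ == "__main__":
    for (profile, target), n in exec_denials(SAMPLE_LOG).items():
        print(f"{n}x: profile {profile} is not allowed to exec {target}")
```

Fed the output of journalctl -k instead of SAMPLE_LOG, the same function lists every binary a confined application tried and failed to launch.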