Bug#1120897: papers fails to open PDFs inside $HOME/.mutt/* when invoked via mutt/mailcap
Marcelo
marcelolaia at gmail.com
Tue Nov 18 00:50:02 GMT 2025
Package: papers
Version: 49.1-1
Severity: normal
Dear Maintainers,
I am experiencing a reproducible issue with papers on Debian.
The program works normally when opening PDF files from standard directories,
including hidden directories such as $HOME/.Exames. However, when a PDF is
located inside a nested hidden directory such as $HOME/.mutt/temp or
$HOME/.mutt/temp2, papers fails to open the file when launched via mutt through
mailcap.
This issue affects only papers. Other viewers (xpdf) open the same file
correctly under identical conditions.
There are no AppArmor denials related to the file path. AppArmor has been
placed in complain mode for papers, papers-previewer, and papers-thumbnailer,
without any change in behavior.

Steps to reproduce

1. Create a nested hidden directory:
     mkdir -p ~/.mutt/temp2
2. Configure mutt’s mailcap entry:
     application/pdf; papers '%s'; test=test -n "$DISPLAY"
3. Receive an email with a PDF attachment in mutt.
4. Open the attachment via mutt (v → choose attachment).
5. papers is invoked, but no window opens and mutt reports a generic
   “Permission” error.

Test outside mutt:

Running papers ~/.mutt/temp2/file.pdf from a terminal also fails.
Moving the same file to $HOME/.Exames or any non-nested hidden directory:
     mv file.pdf ~/.Exames/
     papers ~/.Exames/file.pdf
→ This works correctly.
Alternative viewers (xpdf) open the same file from ~/.mutt/* without issues.

Expected behavior

papers should open PDF files located anywhere inside the user’s home
directory, including nested hidden directories such as ~/.mutt/temp used by
mutt for attachments.

Observed behavior

- papers silently fails when opening files in nested hidden directories such
  as ~/.mutt/temp*.
- mutt shows a generic “Permission” error.
- No AppArmor blocks occur (aa-complain has no effect).
- xpdf and other viewers work normally.

If needed, I can run further diagnostics or provide logs/tests.
Thank you for your attention.
-- System Information:
Debian Release: forky/sid
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'testing'), (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 6.12.31-amd64 (SMP w/4 CPU threads; PREEMPT)
Kernel taint flags: TAINT_FIRMWARE_WORKAROUND, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=pt_BR.UTF-8, LC_CTYPE=pt_BR.UTF-8 (charmap=UTF-8), LANGUAGE=pt_BR:pt:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages papers depends on:
ii dconf-gsettings-backend [gsettings-backend] 0.49.0-2
ii gsettings-desktop-schemas 49.1-1
ii libadwaita-1-0 1.8.1-1
ii libc6 2.41-12
ii libgcc-s1 15.2.0-7
ii libgdk-pixbuf-2.0-0 2.44.4+dfsg-1
ii libglib2.0-0t64 2.86.1-2
ii libgraphene-1.0-0 1.10.8-5
ii libgtk-4-1 4.20.2+ds-2
ii libnautilus-extension4 49.1-2
ii libpango-1.0-0 1.56.3-2
ii libppsdocument-4.0-6 49.1-1
ii libppsview-4.0-5 49.1-1
ii papers-common 49.1-1
ii shared-mime-info 2.4-5+b3
papers recommends no packages.
Versions of packages papers suggests:
ii gvfs 1.58.0-1
pn nautilus-sendto <none>
ii poppler-data 0.4.12-1
pn unrar <none>
-- Configuration Files:
/etc/apparmor.d/usr.bin.papers changed:
include <tunables/global>
/usr/bin/papers flags=(complain) {
include <abstractions/audio>
include <abstractions/bash>
include <abstractions/cups-client>
include <abstractions/dbus-accessibility>
include <abstractions/papers>
include <abstractions/ibus>
include <abstractions/nameservice>
include <abstractions/ubuntu-browsers>
include <abstractions/ubuntu-console-browsers>
include <abstractions/ubuntu-email>
include <abstractions/ubuntu-console-email>
include <abstractions/ubuntu-media-players>
# allow papers to spawn browsers distributed as snaps (LP: #1794064)
include if exists <abstractions/snap_browsers>
# For now, let papers talk to any session services over dbus. We can
# blacklist any problematic ones (but note, papers uses libsecret :\)
include <abstractions/dbus-session>
include <abstractions/dbus-strict>
dbus (receive) bus=system,
# Allow getting information from various system services
dbus (send)
bus=system
member="Get*"
peer=(label=unconfined),
# Allow talking to avahi with whatever polkit allows
dbus (send)
bus=system
interface="org.freedesktop.Avahi{,.*}",
# Allow talking to colord with whatever polkit allows
dbus (send)
bus=system
interface="org.freedesktop.ColorManager{,.*}",
# Terminals for using console applications. These abstractions should ideally
# have 'ix' to restrict access to what only papers is allowed to do
include <abstractions/ubuntu-gnome-terminal>
# By default, we won't support launching a terminal program in Xterm or
# KDE's konsole. It opens up too many unnecessary files for most users.
# People who need this functionality can uncomment the following:
##include <abstractions/ubuntu-xterm>
##include <abstractions/ubuntu-konsole>
/usr/bin/papers rmPx,
/usr/bin/papers-previewer Px,
/usr/bin/yelp Cx -> sanitized_helper,
/usr/bin/bug-buddy px,
# 'Show Containing Folder' (LP: #1022962)
/usr/bin/nautilus Cx -> sanitized_helper, # Gnome
/usr/bin/pcmanfm Cx -> sanitized_helper, # LXDE
/usr/bin/krusader Cx -> sanitized_helper, # KDE
/usr/bin/thunar Cx -> sanitized_helper, # XFCE
# Print Dialog
/usr/lib/@{multiarch}/libproxy/*/pxgsettings Cx -> sanitized_helper,
# For Xubuntu to launch the browser
include <abstractions/exo-open>
# For text attachments
/usr/bin/gedit ixr,
# For Send to
/usr/bin/nautilus-sendto Cx -> sanitized_helper,
# GLib desktop launch helper (used under the hood by g_app_info_launch)
/usr/lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop rmix,
/usr/bin/env ixr,
# allow directory listings (ie 'r' on directories) so browsing via the file
# dialog works
/ r,
/**/ r,
# This is need for saving files in your home directory without an extension.
# Changing this to '@{HOME}/** r' makes it require an extension and more
# secure (but with 'rw', we still have abstractions/private-files-strict in
# effect).
owner @{HOME}/** rw,
owner /media/** rw,
owner @{HOME}/.local/share/gvfs-metadata/** l,
owner /{,var/}run/user/*/gvfs-metadata/** l,
owner @{HOME}/.gnome2/papers/* rwl,
owner @{HOME}/.gnome2/accels/ rw,
owner @{HOME}/.gnome2/accelspapers rw,
owner @{HOME}/.gnome2/accels/papers rw,
# Maybe add to an abstraction?
/etc/dconf/** r,
owner @{HOME}/.cache/dconf/user rw,
owner @{HOME}/.config/dconf/user r,
owner @{HOME}/.config/enchant/* rk,
owner /{,var/}run/user/*/dconf/ w,
owner /{,var/}run/user/*/dconf/user rw,
owner /{,var/}run/user/*/dconf-service/keyfile/ w,
owner /{,var/}run/user/*/dconf-service/keyfile/user rw,
owner /{,var/}run/user/*/at-spi2-*/ rw,
owner /{,var/}run/user/*/at-spi2-*/** rw,
# Allow access to the non-abstract D-Bus socket used by at-spi > 2.42.0
# https://gitlab.gnome.org/GNOME/at-spi2-core/-/issues/43
owner /{,var/}run/user/*/at-spi/bus* rw,
# from http://live.gnome.org/Evince/SupportedDocumentFormats. Allow
# read and write for all supported file formats
/**.[aA][iI] rw,
/**.[bB][mM][pP] rw,
/**.[dD][jJ][vV][uU] rw,
/**.[dD][vV][iI] rw,
/**.[gG][iI][fF] rw,
/**.[jJ][pP][gG] rw,
/**.[jJ][pP][eE][gG] rw,
/**.[oO][dD][pP] rw,
/**.[fFpP][dD][fF] rw,
/**.[pP][nN][mM] rw,
/**.[pP][nN][gG] rw,
/**.[pP][sS] rw,
/**.[eE][pP][sS] rw,
/**.[tT][iI][fF] rw,
/**.[tT][iI][fF][fF] rw,
/**.[xX][pP][mM] rw,
/**.[gG][zZ] rw,
/**.[bB][zZ]2 rw,
/**.[cC][bB][rRzZ7] rw,
/**.[xX][zZ] rw,
# papers creates a temporary stream file like '.goutputstream-XXXXXX' in the
# directory a file is saved. This allows that behavior.
owner /**/.goutputstream-* w,
# allow papers to spawn browsers distributed as snaps (LP: #1794064)
/{,snap/core/[0-9]*/,snap/snapd/[0-9]*/}usr/bin/snap mrCx -> snap_browsers,
}
/usr/bin/papers-previewer flags=(complain) {
include <abstractions/audio>
include <abstractions/bash>
include <abstractions/cups-client>
include <abstractions/dbus-accessibility>
include <abstractions/papers>
include <abstractions/ibus>
include <abstractions/nameservice>
include <abstractions/ubuntu-browsers>
include <abstractions/ubuntu-console-browsers>
include <abstractions/ubuntu-email>
include <abstractions/ubuntu-console-email>
include <abstractions/ubuntu-media-players>
# For now, let papers talk to any session services over dbus. We can
# blacklist any problematic ones (but note, papers uses libsecret :\)
include <abstractions/dbus-session>
include <abstractions/dbus-strict>
dbus (receive) bus=system,
# Allow getting information from various system services
dbus (send)
bus=system
member="Get*"
peer=(label=unconfined),
# Allow talking to avahi with whatever polkit allows
dbus (send)
bus=system
interface="org.freedesktop.Avahi{,.*}",
# Allow talking to colord with whatever polkit allows
dbus (send)
bus=system
interface="org.freedesktop.ColorManager{,.*}",
# Terminals for using console applications. These abstractions should ideally
# have 'ix' to restrict access to what only papers is allowed to do
include <abstractions/ubuntu-gnome-terminal>
# By default, we won't support launching a terminal program in Xterm or
# KDE's konsole. It opens up too many unnecessary files for most users.
# People who need this functionality can uncomment the following:
#include <abstractions/ubuntu-xterm>
/usr/bin/papers-previewer mr,
/usr/bin/yelp Cx -> sanitized_helper,
/usr/bin/bug-buddy px,
# Lenient, but remember we still have abstractions/private-files-strict in
# effect). Write is needed for 'print to file' from the previewer.
@{HOME}/ r,
@{HOME}/** rw,
# Maybe add to an abstraction?
owner /{,var/}run/user/*/dconf/ w,
owner /{,var/}run/user/*/dconf/user rw,
}
/usr/bin/papers-thumbnailer flags=(complain) {
include <abstractions/base>
include <abstractions/private-files-strict>
include <abstractions/fonts>
deny @{HOME}/.{,cache/}fontconfig/** wl,
deny @{HOME}/missfont.log wl,
include <abstractions/dbus-session-strict>
dbus (receive) bus=session,
dbus (send)
bus=session
path="/org/gtk/vfs/mounttracker"
interface="org.gtk.vfs.MountTracker"
member="ListMountableInfo"
peer=(label=unconfined),
# updating gvfs-metadata for thumbnails is unneeded, so explicitly deny it
deny dbus (send)
bus=session
path="/org/gtk/vfs/metadata"
interface="org.gtk.vfs.Metadata"
member="GetTreeFromDevice"
peer=(label=unconfined),
deny @{HOME}/.local/share/gvfs-metadata/* r,
dbus (send)
bus=session
path="/org/gtk/vfs/Daemon"
interface="org.gtk.vfs.Daemon"
member="List*"
peer=(label=unconfined),
# The thumbnailer doesn't need access to everything in the nameservice
# abstraction. Allow reading of /etc/passwd and /etc/group, but suppress
# logging denial of nsswitch.conf.
/etc/passwd r,
/etc/group r,
deny /etc/nsswitch.conf r,
# TCP/UDP network access for NFS
network inet stream,
network inet6 stream,
network inet dgram,
network inet6 dgram,
/etc/papersize r,
/usr/bin/papers-thumbnailer mr,
/etc/texmf/ r,
/etc/texmf/** r,
/etc/xpdf/* r,
/usr/bin/gs-esp ixr,
# Silence these denials since 'no new privs' drops transitions to
# sanitized_helper, we don't want all those perms in the thumbnailer
# and the thumbnailer generates thumbnails without these just fine.
deny /usr/bin/mktexpk x,
deny /usr/bin/mktextfm x,
deny /usr/bin/dvipdfm x,
deny /usr/bin/dvipdfmx x,
deny /usr/bin/mkofm x,
# supported archivers
/{usr/,}bin/gzip ixr,
/{usr/,}bin/bzip2 ixr,
/usr/bin/unrar* ixr,
/usr/bin/unzip ixr,
/usr/bin/7zr ixr,
/usr/lib/p7zip/7zr ixr,
/usr/bin/7za ixr,
/usr/lib/p7zip/7za ixr,
/usr/bin/zipnote ixr,
/{usr/,}bin/tar ixr,
/usr/bin/xz ixr,
# miscellaneous access for the above
owner @{PROC}/@{pid}/fd/ r,
owner @{PROC}/@{pid}/mountinfo r,
/sys/devices/system/cpu/ r,
# allow read access to anything in /usr/share, for plugins and input methods
/usr/local/share/** r,
/usr/share/** r,
/usr/lib/ghostscript/** mr,
/var/lib/ghostscript/** r,
/var/lib/texmf/** r,
# from http://live.gnome.org/Evince/SupportedDocumentFormats. Allow
# read for all supported file formats
/**.[bB][mM][pP] r,
/**.[dD][jJ][vV][uU] r,
/**.[dD][vV][iI] r,
/**.[gG][iI][fF] r,
/**.[jJ][pP][gG] r,
/**.[jJ][pP][eE][gG] r,
/**.[oO][dD][pP] r,
/**.[fFpP][dD][fF] r,
/**.[pP][nN][mM] r,
/**.[pP][nN][gG] r,
/**.[pP][sS] r,
/**.[eE][pP][sS] r,
/**.[eE][pP][sS][fFiI23] r,
/**.[tT][iI][fF] r,
/**.[tT][iI][fF][fF] r,
/**.[xX][pP][mM] r,
/**.[gG][zZ] r,
/**.[bB][zZ]2 r,
/**.[cC][bB][rRtTzZ7] r,
/**.[xX][zZ] r,
owner @{HOME}/.texlive*/** r,
owner @{HOME}/.texmf*/** r,
owner @{HOME}/.local/share/{,flatpak/exports/share/}mime/** r,
owner @{HOME}/.local/share/{,flatpak/exports/share/}mime/** r,
# With the network rules above, this allows data exfiltration for files
# not covered by private-files-strict.
@{HOME}/ r,
owner @{HOME}/[^.]** r,
owner /media/** r,
owner /tmp/.gnome_desktop_thumbnail* w,
owner /tmp/gnome-desktop-* rw,
owner /tmp/evince-thumbnailer*/{,**} rw,
# these happen post pivot_root
/ r,
deny /missfont.log w,
# Site-specific additions and overrides. See local/README for details.
include <local/usr.bin.papers>
}
-- no debconf information