diff -Nru atril-1.12.2/debian/changelog atril-1.12.2/debian/changelog
--- atril-1.12.2/debian/changelog 2018-03-19 04:41:35.000000000 +0000
+++ atril-1.12.2/debian/changelog 2018-03-26 23:29:46.000000000 +0000
@@ -1,3 +1,12 @@
+atril (1.12.2-1ubuntu0.3) xenial-security; urgency=medium
+
+ * SECURITY UPDATE: Arbitrary command injection via DVI filename injection
+ when printing to PDF (LP: #1759069).
+ - fix-CVE-2017-1000159.patch
+ - CVE-2017-1000159
+
+ -- Simon Quigley Mon, 26 Mar 2018 18:29:46 -0500
+
 atril (1.12.2-1ubuntu0.2) xenial-security; urgency=medium
 * SECURITY UPDATE: Command injection with cbt files (LP: #1735418).
diff -Nru atril-1.12.2/debian/patches/fix-CVE-2017-1000159.patch atril-1.12.2/debian/patches/fix-CVE-2017-1000159.patch
--- atril-1.12.2/debian/patches/fix-CVE-2017-1000159.patch 1970-01-01 00:00:00.000000000 +0000
+++ atril-1.12.2/debian/patches/fix-CVE-2017-1000159.patch 2018-03-26 23:29:46.000000000 +0000
@@ -0,0 +1,32 @@
+Description: dvi: Mitigate command injection attacks by quoting filename
+ The DVI backend exports to PDF via the dvipdfm tool.
+ It calls that tool with the filename of the currently loaded document.
+ If that filename is cleverly crafted, it can escape the currently
+ used manual quoting of the filename. Instead of manually quoting the
+ filename, we use g_shell_quote.
+ .
+ This fixes CVE-2017-1000159.
+Author: Tobias Mueller
+Origin: upstream
+Bug: https://bugzilla.gnome.org/show_bug.cgi?id=784947
+Bug-Ubuntu: https://launchpad.net/bugs/1759069
+Applied-Upstream: commit:20c06fd
+Last-Update: 2018-03-26
+--- a/backend/dvi/dvi-document.c
++++ b/backend/dvi/dvi-document.c
+@@ -383,11 +383,13 @@ dvi_document_file_exporter_end (EvFileEx
+ gboolean success;
+
+ DviDocument *dvi_document = DVI_DOCUMENT(exporter);
++ gchar* quoted_filename = g_shell_quote (dvi_document->context->filename);
+
+- command_line = g_strdup_printf ("dvipdfm %s -o %s \"%s\"", /* dvipdfm -s 1,2,.., -o exporter_filename dvi_filename */
++ command_line = g_strdup_printf ("dvipdfm %s -o %s %s", /* dvipdfm -s 1,2,.., -o exporter_filename dvi_filename */
+ dvi_document->exporter_opts->str,
+ dvi_document->exporter_filename,
+- dvi_document->context->filename);
++ quoted_filename);
++ g_free (quoted_filename);
+
+ success = g_spawn_command_line_sync (command_line,
+ NULL,
diff -Nru atril-1.12.2/debian/patches/series atril-1.12.2/debian/patches/series
--- atril-1.12.2/debian/patches/series 2018-03-19 04:41:35.000000000 +0000
+++ atril-1.12.2/debian/patches/series 2018-03-26 23:17:03.000000000 +0000
@@ -1,2 +1,3 @@
 fix-thumbnailer-crash.patch
 fix-CVE-2017-1000083.patch
+fix-CVE-2017-1000159.patch
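Review bot: `dvi_document->exporter_filename` is still interpolated unquoted into the `-o %s` slot of command_line, so the shell-style tokenising that g_spawn_command_line_sync applies to the whole string will still split or interpret that path if it contains whitespace or shell metacharacters; only the DVI input filename is quoted by the new g_shell_quote call. Where exporter_filename is assigned is outside this hunk, so whether it can carry user-chosen content cannot be confirmed here, but the inline comment names it as the output path of the export, which presumably comes from the print dialog. The consistent fix is to treat it the same way: `gchar *quoted_out = g_shell_quote (dvi_document->exporter_filename);`, pass `quoted_out` in place of `dvi_document->exporter_filename`, and `g_free (quoted_out);` next to the existing `g_free (quoted_filename);`. dvi_document_file_exporter_end starts and ends outside the hunk.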