| Summary: | <kde-apps/okular-{18.04.3-r1,18.08.1}: path traversal issue when extracting crafted .okular file (CVE-2018-1000801) | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Andreas Sturmlechner <asturm> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | normal | Flags: | stable-bot: sanity-check+ |
| Priority: | Normal | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | https://phabricator.kde.org/D15192 | | |
| See Also: | https://bugs.kde.org/show_bug.cgi?id=398096 | | |
| Whiteboard: | B2 [glsa+ cve] | | |
| Package list: | kde-apps/okular-18.04.3-r1 | | |
| Runtime testing required: | --- | | |

Description
Andreas Sturmlechner
2018-09-10 20:37:49 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=75a72fe24a730420ec692367e4e108d4a0a6d617

    commit 75a72fe24a730420ec692367e4e108d4a0a6d617
    Author: Andreas Sturmlechner <asturm@gentoo.org>
    AuthorDate: 2018-09-10 20:33:04 +0000
    Commit: Andreas Sturmlechner <asturm@gentoo.org>
    CommitDate: 2018-09-10 20:38:03 +0000

        kde-apps/okular: Fix path traversal issue when extracting .okular file

        With a specially crafted .okular files it was possible to trick okular to create temporary files outside the temporary folder.

        Bug: https://bugs.gentoo.org/665662
        KDE-Bug: https://bugs.kde.org/show_bug.cgi?id=398096
        See also: https://phabricator.kde.org/D15192
        Package-Manager: Portage-2.3.49, Repoman-2.3.10

     .../okular-18.04.3-path-traversal-issue.patch | 46 +++++++++
     kde-apps/okular/okular-18.04.3-r1.ebuild | 106 +++++++++++++++++++++
     2 files changed, 152 insertions(+)

x86 stable

amd64 stable. Maintainer(s), please cleanup. Security, please add it to the existing request, or file a new one.

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=4b40ed9ef781f864d1d0db41eed739374ac29658

    commit 4b40ed9ef781f864d1d0db41eed739374ac29658
    Author: Andreas Sturmlechner <asturm@gentoo.org>
    AuthorDate: 2018-09-13 16:54:37 +0000
    Commit: Andreas Sturmlechner <asturm@gentoo.org>
    CommitDate: 2018-09-13 16:57:10 +0000

        kde-apps/okular: Security cleanup

        Bug: https://bugs.gentoo.org/665662
        Package-Manager: Portage-2.3.49, Repoman-2.3.10

     kde-apps/okular/okular-18.04.3.ebuild | 103 ----------------------------------
     1 file changed, 103 deletions(-)

kde is done here, in case you didn't notice.

ping sec...

(In reply to Andreas Sturmlechner from comment #6)
> ping sec...

Pong min... glsa request was filed

This issue was resolved and addressed in GLSA 201811-08 at https://security.gentoo.org/glsa/201811-08 by GLSA coordinator Thomas Deutschmann (whissi).