Bug 712490 (CVE-2020-9359) - <kde-apps/okular-19.12.3-r1: Local binary execution via action links (CVE-2020-9359)
Status: RESOLVED FIXED
Alias: CVE-2020-9359
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: https://mail.kde.org/pipermail/kde-an...
Whiteboard: B2 [glsa+ cve]
Keywords:
Depends on: kde-apps-19.12.3-stable
Reported: 2020-03-14 14:03 UTC by Nils Freydank
Modified: 2020-07-27 01:02 UTC (History)

See Also:
Package list:
Runtime testing required: ---


Attachments
fix from upstream (CVE-2020-9359-Fix_via_commit_6a93a033b4f9248b3cd4d04689b8391df754e244.patch,902 bytes, patch)
2020-03-14 14:05 UTC, Nils Freydank
Description Nils Freydank 2020-03-14 14:03:57 UTC
Hi,

via the mailing list kde-announce@kde.org there was an announcement that
okular has a vulnerability. The full announcement:

--- begin of quote ---
KDE Project Security Advisory
=============================

Title:          Okular: Local binary execution via action links
Risk Rating:    Low
CVE:            CVE-2020-9359
Versions:       Okular < 1.10.0 (tarball name okular-20.04.0.tar.xz)
Date:           12th March 2019


Overview
========
Okular can be tricked into executing local binaries via specially crafted
PDF files.

This binary execution can require almost no user interaction.

No parameters can be passed to those local binaries.

We have not been able to identify any binary that will cause actual damage,
be it in the hardware or software level, when run without parameters.

We remain relatively confident that for this issue to do any actual damage,
it has to run a binary specially crafted. That binary must have been deployed
to the user system via another method, be it the user downloading it directly
as an email attachment, webpage download, etc. or by the system being already
compromised.


Solution
========
- Update to Okular >= 1.10.0
- or apply the following patch:
https://invent.kde.org/kde/okular/-/commit/6a93a033b4f9248b3cd4d04689b8391df754e244


Workaround
==========
There's no real workaround other than not opening PDF files from untrusted sources.


Credits
=======
Thanks to Mickael Karatekin from Sysdream Labs for the discovery and to
Albert Astals Cid for the fix.
--- end of quote ---

A patch exists[1] (I will append it here in a few seconds).
I tested the patch locally against okular-19.12.3 and it builds.
I didn't verify that it actually fixes the underlying bug, though
(i.e. it just reads plausibly).

https://invent.kde.org/kde/okular/-/commit/6a93a033b4f9248b3cd4d04689b8391df754e244


Reproducible: Always
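A defender-side check for the kind of document the quoted advisory describes, added here as an example and not part of the bug report, the advisory or Okular's code: it scans an uncompressed PDF for Launch action dictionaries (assumed here to be the "action links" the advisory refers to) and reports the local target and any parameter string each one names. The sample PDF is constructed for the example.

```python
import re

# Constructed sample, not a file from the bug report: an uncompressed PDF with
# one Link annotation whose action is a Launch action naming a local binary,
# a second Launch action in the Windows-specific /Win form, and a URI action.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 100 100] /A 5 0 R >> endobj
5 0 obj << /Type /Action /S /Launch /F (/usr/bin/placeholder-binary) >> endobj
6 0 obj << /Type /Action /S /Launch /Win << /F (helper.exe) /P (-x) >> >> endobj
7 0 obj << /Type /Action /S /URI /URI (https://example.org/) >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj(.*?)endobj", re.S)
LAUNCH_RE = re.compile(rb"/S\s*/Launch\b")
PDF_STRING = rb"\(((?:\\.|[^\\)])*)\)"          # literal string, escapes allowed
FILE_RE = re.compile(rb"/F\s*" + PDF_STRING)    # target file specification
PARAM_RE = re.compile(rb"/P\s*" + PDF_STRING)   # optional parameter string


def find_launch_actions(pdf: bytes):
    """Return (object number, target, parameters) for every Launch action
    dictionary in the PDF. Only objects stored uncompressed are seen; actions
    inside object streams (/ObjStm) need to be inflated first."""
    hits = []
    for m in OBJ_RE.finditer(pdf):
        body = m.group(3)
        if not LAUNCH_RE.search(body):
            continue
        f = FILE_RE.search(body)
        p = PARAM_RE.search(body)
        target = f.group(1).decode("latin-1") if f else None
        params = p.group(1).decode("latin-1") if p else None
        hits.append((int(m.group(1)), target, params))
    return hits


if __name__ == "__main__":
    for num, target, params in find_launch_actions(SAMPLE_PDF):
        print(f"object {num}: Launch action -> {target!r} params={params!r}")
```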
Comment 1 Nils Freydank 2020-03-14 14:05:16 UTC
Created attachment 618920 [details, diff]
fix from upstream
Comment 2 Larry the Git Cow gentoo-dev 2020-03-14 17:59:22 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6e4e6c9feea5ae0f22fc9c639f2bc25f68194fda

commit 6e4e6c9feea5ae0f22fc9c639f2bc25f68194fda
Author:     Andreas Sturmlechner <asturm@gentoo.org>
AuthorDate: 2020-03-14 17:10:27 +0000
Commit:     Andreas Sturmlechner <asturm@gentoo.org>
CommitDate: 2020-03-14 17:58:11 +0000

    kde-apps/okular: Drop vulnerable 19.12.3 (r0)
    
    Bug: https://bugs.gentoo.org/712490
    Package-Manager: Portage-2.3.93, Repoman-2.3.20
    Signed-off-by: Andreas Sturmlechner <asturm@gentoo.org>

 kde-apps/okular/okular-19.12.3.ebuild | 112 ----------------------------------
 1 file changed, 112 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=232f0fbcc272198ac01d69d2ed5e43ccb2050a95

commit 232f0fbcc272198ac01d69d2ed5e43ccb2050a95
Author:     Andreas Sturmlechner <asturm@gentoo.org>
AuthorDate: 2020-03-14 17:09:34 +0000
Commit:     Andreas Sturmlechner <asturm@gentoo.org>
CommitDate: 2020-03-14 17:58:11 +0000

    kde-apps/okular: Fix CVE-2020-9359
    
    Reported-by: Nils Freydank <holgersson@posteo.de>
    Bug: https://bugs.gentoo.org/712490
    Package-Manager: Portage-2.3.93, Repoman-2.3.20
    Signed-off-by: Andreas Sturmlechner <asturm@gentoo.org>

 .../files/okular-19.12.3-CVE-2020-9359.patch       |  27 +++++
 kde-apps/okular/okular-19.12.3-r1.ebuild           | 113 +++++++++++++++++++++
 2 files changed, 140 insertions(+)
Comment 3 Andreas Sturmlechner gentoo-dev 2020-03-19 00:38:31 UTC
Cleanup done in commit 305945367df9ecff66fd0389c1312df733028863.
Comment 4 Andreas Sturmlechner gentoo-dev 2020-03-19 01:18:01 UTC
(In reply to Andreas Sturmlechner from comment #3)
> Cleanup done in commit 305945367df9ecff66fd0389c1312df733028863.
Correction: not done for arm64.
Comment 5 Andreas Sturmlechner gentoo-dev 2020-03-19 11:01:12 UTC
Cleanup done for real this time.
Comment 6 Andreas Sturmlechner gentoo-dev 2020-03-22 16:24:32 UTC
kde proj done here, anyway.
Comment 7 Sam James gentoo-dev Security 2020-04-02 08:59:39 UTC
Tree is clean.
Comment 8 GLSAMaker/CVETool Bot gentoo-dev 2020-07-27 01:02:22 UTC
This issue was resolved and addressed in
 GLSA 202007-47 at https://security.gentoo.org/glsa/202007-47
by GLSA coordinator Sam James (sam_c).