Debian Bug report logs - #908168
okular: CVE-2018-1000801

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Thu, 6 Sep 2018 21:18:01 UTC

Owned by: Simon Quigley <tsimonq2@ubuntu.com>

Severity: serious

Tags: fixed-upstream, patch, security, upstream

Found in versions okular/4:18.04.0-1, okular/4:16.08.2-1, okular/4:17.12.2-2

Fixed in versions okular/4:16.08.2-1+deb9u1, okular/4:17.12.2-2.1

Done: Salvatore Bonaccorso <carnil@debian.org>

Forwarded to https://bugs.kde.org/show_bug.cgi?id=398096


Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, Debian Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>:
Bug#908168; Package src:okular. (Thu, 06 Sep 2018 21:18:03 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, Debian Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>. (Thu, 06 Sep 2018 21:18:03 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: okular: CVE-2018-1000801
Date: Thu, 06 Sep 2018 23:16:48 +0200
Source: okular
Version: 4:17.12.2-2
Severity: important
Tags: patch security upstream
Forwarded: https://bugs.kde.org/show_bug.cgi?id=398096

Hi,

The following vulnerability was published for okular.

CVE-2018-1000801[0]:
| okular version 18.08 and earlier contains a Directory Traversal
| vulnerability in function "unpackDocumentArchive(...)" in
| "core/document.cpp" that can result in Arbitrary file creation on the
| user workstation. This attack appears to be exploitable via the victim
| opening a specially crafted Okular archive. This issue appears to
| have been corrected in version 18.08.1

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-1000801
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000801
[1] https://bugs.kde.org/show_bug.cgi?id=398096
[2] https://cgit.kde.org/okular.git/commit/?id=8ff7abc14d41906ad978b6bc67e69693863b9d47

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
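The CVE text above describes an archive entry name that, when unpacked, lands outside the directory the viewer meant to write into. The following is an added example, not Okular's code and not the upstream commit linked in [2]: a destination-confinement check in plain C++17 `std::filesystem` (no Qt) that an extractor would apply to every entry name before creating a file. The function names (`isSafeEntry`, `triageEntries`) and the entry list in `main` are hypothetical and constructed for illustration.

```cpp
// Added example, not Okular's code and not the upstream patch: a
// destination-confinement check for archive entry names, the class of
// check that closes path-traversal bugs like the one described for
// unpackDocumentArchive(). Plain C++17 std::filesystem, no Qt; the
// function names and the entry list in main() are hypothetical/constructed.
#include <filesystem>
#include <iostream>
#include <string>
#include <vector>

namespace fs = std::filesystem;

// Returns true when `entryName`, as stored in an archive, may be written
// beneath `destDir` without escaping it. Rejects empty names, absolute
// paths, names carrying a root name (drive letter), and any name whose
// normalised form climbs out of destDir through "..".
bool isSafeEntry(const fs::path& destDir, const std::string& entryName) {
    if (entryName.empty()) return false;
    fs::path entry(entryName);
    if (entry.is_absolute() || entry.has_root_name()) return false;

    // Normalise lexically (no filesystem access): "a/../b" becomes "b".
    fs::path root = destDir.lexically_normal();
    if (!root.has_filename()) root = root.parent_path();   // drop trailing '/'
    fs::path target = (root / entry).lexically_normal();

    // The target must still sit inside root: lexically_relative() yields a
    // path beginning with ".." (or "." / nothing) when it does not name a
    // proper descendant of root.
    fs::path rel = target.lexically_relative(root);
    if (rel.empty() || rel.string() == ".") return false;
    for (const auto& part : rel) {
        if (part.string() == "..") return false;
    }
    return true;
}

// Splits a list of entry names into those safe to extract and those to
// reject; an extractor would only ever write the first group.
struct Triage {
    std::vector<std::string> accepted;
    std::vector<std::string> rejected;
};

Triage triageEntries(const fs::path& destDir, const std::vector<std::string>& names) {
    Triage t;
    for (const auto& n : names) {
        (isSafeEntry(destDir, n) ? t.accepted : t.rejected).push_back(n);
    }
    return t;
}

int main() {
    // Constructed entry names, not taken from any real archive.
    const std::vector<std::string> names = {
        "content.xml", "files/document.pdf", "../outside.txt",
        "/absolute/entry.txt", "files/../../escape.txt", ""};
    Triage t = triageEntries("/tmp/unpack", names);
    for (const auto& n : t.accepted) std::cout << "extract: " << n << '\n';
    for (const auto& n : t.rejected) std::cout << "reject:  '" << n << "'\n";
    return 0;
}
```

The check is purely lexical, which is what makes it cheap and deterministic; it does not follow symlinks that may already exist under the destination directory, so an extractor that wants to be robust against a pre-seeded destination should additionally create files with `O_NOFOLLOW`-style semantics or refuse to unpack into a non-empty directory.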



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>:
Bug#908168; Package src:okular. (Sun, 09 Sep 2018 19:03:07 GMT)


Acknowledgement sent to Simon Quigley <tsimonq2@ubuntu.com>:
Extra info received and forwarded to list. Copy sent to Debian Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>. (Sun, 09 Sep 2018 19:03:07 GMT)


Message #10 received at 908168@bugs.debian.org:

From: Simon Quigley <tsimonq2@ubuntu.com>
To: 908168@bugs.debian.org
Cc: Salvatore Bonaccorso <carnil@debian.org>
Subject: Re: Bug#908168: okular: CVE-2018-1000801
Date: Sun, 9 Sep 2018 14:00:20 -0500
Control: owner -1

I can take care of this on behalf of the Qt/KDE Team.

-- 
Simon Quigley
tsimonq2@ubuntu.com
tsimonq2 on freenode and OFTC
5C7A BEA2 0F86 3045 9CC8
C8B5 E27F 2CF8 458C 2FA4


Owner recorded as Simon Quigley <tsimonq2@ubuntu.com>. Request was from Simon Quigley <tsimonq2@ubuntu.com> to control@bugs.debian.org. (Sun, 09 Sep 2018 20:12:19 GMT)


Added tag(s) fixed-upstream. Request was from debian-bts-link@lists.debian.org to control@bugs.debian.org. (Thu, 13 Sep 2018 18:51:13 GMT)


Marked as found in versions okular/4:16.08.2-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Tue, 18 Sep 2018 21:00:03 GMT)


Marked as fixed in versions okular/4:16.08.2-1+deb9u1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sun, 23 Sep 2018 05:57:03 GMT)


Severity set to 'serious' from 'important'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sun, 23 Sep 2018 05:57:03 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>, Simon Quigley <tsimonq2@ubuntu.com>:
Bug#908168; Package src:okular. (Sun, 02 Dec 2018 11:15:08 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>, Simon Quigley <tsimonq2@ubuntu.com>. (Sun, 02 Dec 2018 11:15:08 GMT)


Message #25 received at 908168@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Simon Quigley <tsimonq2@ubuntu.com>, 908168@bugs.debian.org
Subject: Re: Bug#908168: okular: CVE-2018-1000801
Date: Sun, 2 Dec 2018 12:13:02 +0100
Control: user -1 debian-release@lists.debian.org
Control: usertags -1 + bsp-2018-12-ch-bern

Hi Simon,

On Sun, Sep 09, 2018 at 02:00:20PM -0500, Simon Quigley wrote:
> Control: owner -1
> 
> I can take care of this on behalf of the Qt/KDE Team.

Any news on this to be fixed for buster? (Currently there would be
a regression for it from stretch -> testing as the issue was fixed in
DSA-4303-1).

Regards,
Salvatore



Marked as found in versions okular/4:18.04.0-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sun, 02 Dec 2018 11:45:05 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>, Simon Quigley <tsimonq2@ubuntu.com>:
Bug#908168; Package src:okular. (Sun, 02 Dec 2018 11:51:03 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>, Simon Quigley <tsimonq2@ubuntu.com>. (Sun, 02 Dec 2018 11:51:03 GMT)


Message #32 received at 908168@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 908168@bugs.debian.org
Cc: Simon Quigley <tsimonq2@ubuntu.com>
Subject: okular: diff for NMU version 4:17.12.2-2.1
Date: Sun, 2 Dec 2018 12:48:29 +0100
Control: tags 908168 + pending


Dear maintainer,

I've prepared an NMU for okular (versioned as 4:17.12.2-2.1) and
uploaded it to DELAYED/5. Please feel free to tell me if I
should delay it longer.

Simon, this is only in case it would be appreciated to have the fix
via an NMU. In case you want me to drop it, the above applies and I can
happily drop it again.

experimental would need the fix as well (or go to 18.08.1 directly
with the fix).

Regards,
Salvatore
[okular-17.12.2-2.1-nmu.diff (text/x-diff, attachment)]

Added tag(s) pending. Request was from Salvatore Bonaccorso <carnil@debian.org> to 908168-submit@bugs.debian.org. (Sun, 02 Dec 2018 11:51:03 GMT)


Reply sent to Salvatore Bonaccorso <carnil@debian.org>:
You have taken responsibility. (Fri, 07 Dec 2018 12:24:03 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Fri, 07 Dec 2018 12:24:03 GMT)


Message #39 received at 908168-close@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 908168-close@bugs.debian.org
Subject: Bug#908168: fixed in okular 4:17.12.2-2.1
Date: Fri, 07 Dec 2018 12:20:35 +0000
Source: okular
Source-Version: 4:17.12.2-2.1

We believe that the bug you reported is fixed in the latest version of
okular, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 908168@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated okular package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 02 Dec 2018 12:27:39 +0100
Source: okular
Binary: libokular5core8 okular okular-dev okular-extra-backends qml-module-org-kde-okular okular-mobile
Architecture: source
Version: 4:17.12.2-2.1
Distribution: unstable
Urgency: medium
Maintainer: Debian Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Description:
 libokular5core8 - libraries for the Okular document viewer
 okular     - universal document viewer
 okular-dev - development files for the Okular libraries
 okular-extra-backends - additional document format support for Okular
 okular-mobile - mobile support for Okular
 qml-module-org-kde-okular - mobile support for Okular - QML modules
Closes: 908168
Changes:
 okular (4:17.12.2-2.1) unstable; urgency=medium
 .
   * Non-maintainer upload.
   * Fix path traversal issue when extracting an .okular file
     (CVE-2018-1000801) (Closes: #908168)
Checksums-Sha1:
 9d3fca3a5e03004535159525964bce78560ffdd4 3589 okular_17.12.2-2.1.dsc
 9a138d8352665f6c1b6795878f6b13a0dae5c07d 19932 okular_17.12.2-2.1.debian.tar.xz
 c776dd28f93badf8d79e03580b70fddf937d4358 6183 okular_17.12.2-2.1_source.buildinfo
Checksums-Sha256:
 4d9854bdccf01a0a8b2855fb8b4199e0712efea4b9d87cd0aa036d96508f3a07 3589 okular_17.12.2-2.1.dsc
 4d16a727bd72d769a650f397581ea94a84bc6bd022a9204851d2b87fa5b627df 19932 okular_17.12.2-2.1.debian.tar.xz
 172f4ca410d3dc3704771b83d01a6a77b6ec08a0f0367f48a129e48c808960e0 6183 okular_17.12.2-2.1_source.buildinfo
Files:
 a0bd85025bda79942125ade099e10844 3589 kde optional okular_17.12.2-2.1.dsc
 f4e5dfc92538c0efb303404ac1080f25 19932 kde optional okular_17.12.2-2.1.debian.tar.xz
 6bf67107b2f509af15c2162f9db03c6b 6183 kde optional okular_17.12.2-2.1_source.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----





Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 18:07:05 2019; Machine Name: beach
