okular: CVE-2020-9359: Local binary execution via action links

Related Vulnerabilities: CVE-2020-9359  

Debian Bug report logs - #954891
okular: CVE-2020-9359: Local binary execution via action links


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Tue, 24 Mar 2020 21:21:02 UTC

Severity: important

Tags: security, upstream

Found in versions okular/4:19.12.3-1, okular/4:16.08.2-1, okular/4:16.08.2-1+deb9u1, okular/4:17.12.2-2.2

Fixed in version okular/4:19.12.3-2

Done: Pino Toscano <pino@debian.org>



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, team@security.debian.org, Debian Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>:
Bug#954891; Package src:okular. (Tue, 24 Mar 2020 21:21:04 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, team@security.debian.org, Debian Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>. (Tue, 24 Mar 2020 21:21:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: okular: CVE-2020-9359: Local binary execution via action links
Date: Tue, 24 Mar 2020 22:17:55 +0100
Source: okular
Version: 4:19.12.3-1
Severity: important
Tags: security upstream
Control: found -1 4:17.12.2-2.2
Control: found -1 4:16.08.2-1+deb9u1
Control: found -1 4:16.08.2-1

Hi,

The following vulnerability was published for okular.

CVE-2020-9359[0]:
| KDE Okular before 1.10.0 allows code execution via an action link in a
| PDF document.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2020-9359
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9359
[1] https://kde.org/info/security/advisory-20200312-1.txt
[2] https://invent.kde.org/kde/okular/-/commit/6a93a033b4f9248b3cd4d04689b8391df754e244

Regards,
Salvatore



Marked as found in versions okular/4:17.12.2-2.2. Request was from Salvatore Bonaccorso <carnil@debian.org> to submit@bugs.debian.org. (Tue, 24 Mar 2020 21:21:04 GMT)


Marked as found in versions okular/4:16.08.2-1+deb9u1. Request was from Salvatore Bonaccorso <carnil@debian.org> to submit@bugs.debian.org. (Tue, 24 Mar 2020 21:21:04 GMT)


Marked as found in versions okular/4:16.08.2-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to submit@bugs.debian.org. (Tue, 24 Mar 2020 21:21:05 GMT)


Added tag(s) pending. Request was from Pino Toscano <pino@debian.org> to control@bugs.debian.org. (Wed, 25 Mar 2020 06:09:03 GMT)


Reply sent to Pino Toscano <pino@debian.org>:
You have taken responsibility. (Wed, 25 Mar 2020 06:21:12 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Wed, 25 Mar 2020 06:21:12 GMT)


Message #18 received at 954891-close@bugs.debian.org:

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: 954891-close@bugs.debian.org
Subject: Bug#954891: fixed in okular 4:19.12.3-2
Date: Wed, 25 Mar 2020 06:20:01 +0000
Source: okular
Source-Version: 4:19.12.3-2
Done: Pino Toscano <pino@debian.org>

We believe that the bug you reported is fixed in the latest version of
okular, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 954891@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Pino Toscano <pino@debian.org> (supplier of updated okular package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Wed, 25 Mar 2020 07:06:56 +0100
Source: okular
Architecture: source
Version: 4:19.12.3-2
Distribution: unstable
Urgency: medium
Maintainer: Debian Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>
Changed-By: Pino Toscano <pino@debian.org>
Closes: 954891
Changes:
 okular (4:19.12.3-2) unstable; urgency=medium
 .
   * Team upload.
   * Backport upstream commit 6a93a033b4f9248b3cd4d04689b8391df754e244 to not
     execute local binaries via action links (CVE-2020-9359); patch
     upstream_Document-processAction-If-the-url-points-to-a-binary.patch.
     (Closes: #954891)
Checksums-Sha1:
 11b138631ffc66354361dc3d88d4d08d201b60f2 3624 okular_19.12.3-2.dsc
 bfea787920e060d56f156d4f2f2c01bc008e17ce 20332 okular_19.12.3-2.debian.tar.xz
 85e61d4ffa5700ca9dddf8a1fbf24952e55e9c6f 21461 okular_19.12.3-2_source.buildinfo
Checksums-Sha256:
 12e0230cb367f2a3c4c0500bc89d85230008bc504dabd35c3089e9e63bf7f6b3 3624 okular_19.12.3-2.dsc
 0b0c3a6defede9fe26ee40a7a4b5a0a05abd4c862733587616bf4d620a285f00 20332 okular_19.12.3-2.debian.tar.xz
 f59df9b67cb321dd917d19267c82d7511a3b47f42a2443b94fa731a14a5669cc 21461 okular_19.12.3-2_source.buildinfo
Files:
 df047995bf52ce3bce9296d52a2c76f2 3624 kde optional okular_19.12.3-2.dsc
 68a3a4a7ec0b4180286134107081d58e 20332 kde optional okular_19.12.3-2.debian.tar.xz
 b4c71a696ad11b6c83efa331bb826e0d 21461 kde optional okular_19.12.3-2_source.buildinfo

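The changelog entry above describes the fix only as "do not execute local binaries via action links". The following is an added illustration of that policy as a guard in front of a viewer's action-link handler; it is not Okular's code or the backported upstream patch, and the function names, the allowed-scheme list and the sample targets are all constructed for this example. It generalises slightly beyond the one-line description by also refusing unknown URL schemes and resolving relative targets against the document's directory.

```python
import os
import stat
from urllib.parse import unquote, urlparse

# Illustrative guard for a document viewer's action-link handler. This is an
# added example, not Okular's code or the upstream patch: it only models the
# policy the changelog describes (do not launch a local binary reached through
# an action link embedded in a document).

# Constructed policy: schemes whose targets go to the system's URL opener.
REMOTE_SCHEMES = {"http", "https", "mailto"}


def is_local_executable(path):
    """True if `path` names an existing regular file with any execute bit set."""
    try:
        st = os.stat(path)
    except OSError:
        return False
    exec_bits = stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH
    return stat.S_ISREG(st.st_mode) and bool(st.st_mode & exec_bits)


def classify_action_url(url, doc_dir="/", executable_check=is_local_executable):
    """Decide what the viewer should do with an action link's URL.

    Returns "open" (hand the target to the normal opener) or "refuse" (do
    nothing). `doc_dir` resolves relative targets; `executable_check` is
    injectable so the decision can be tested without touching the filesystem.
    """
    parsed = urlparse(url.strip())
    scheme = parsed.scheme.lower()

    if scheme in REMOTE_SCHEMES:
        return "open"

    if scheme == "file":
        path = unquote(parsed.path)
    elif scheme == "":
        # Bare path, absolute or relative to the document's directory.
        path = unquote(url.strip())
    else:
        # Custom or unknown schemes are refused: a viewer has no business
        # launching arbitrary handlers on behalf of a document.
        return "refuse"

    if not os.path.isabs(path):
        path = os.path.join(doc_dir, path)
    path = os.path.normpath(path)

    # The core of the policy: never launch a local executable from a link.
    return "refuse" if executable_check(path) else "open"


if __name__ == "__main__":
    import tempfile

    # Constructed demonstration: an executable script next to a plain text file.
    with tempfile.TemporaryDirectory() as d:
        binary = os.path.join(d, "tool")
        with open(binary, "w") as f:
            f.write("#!/bin/sh\necho hi\n")
        os.chmod(binary, 0o755)
        with open(os.path.join(d, "notes.txt"), "w") as f:
            f.write("just text\n")
        for target in ("file://" + binary, "notes.txt", "https://example.org/doc.pdf"):
            print(target, "->", classify_action_url(target, doc_dir=d))
```

The executable test relies on POSIX mode bits, so on Windows a check by file extension or by the platform's own "is this a program" query would replace `is_local_executable`; note also that a Windows drive path such as `C:\...` parses with scheme `c` and is therefore refused by the unknown-scheme branch, which is the conservative outcome.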






Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Mar 25 08:34:23 2020; Machine Name: buxtehude
