[Bug 1167435] New: VUL-1: CVE-2020-9359: okular: local binary execution via specially crafted PDF files
http://bugzilla.opensuse.org/show_bug.cgi?id=1167435 Bug ID: 1167435 Summary: VUL-1: CVE-2020-9359: okular: local binary execution via specially crafted PDF files Classification: openSUSE Product: openSUSE Distribution Version: Leap 15.1 Hardware: Other URL: https://smash.suse.de/issue/255513/ OS: Other Status: NEW Severity: Normal Priority: P5 - None Component: Security Assignee: lbeltrame@kde.org Reporter: wolfgang.frisch@suse.com QA Contact: security-team@suse.de Found By: Security Response Team Blocker: --- CVE-2020-9359 Okular can be tricked into executing local binaries via specially crafted PDF files. References: https://kde.org/info/security/advisory-20200312-1.txt https://invent.kde.org/kde/okular/-/commit/6a93a033b4f9248b3cd4d04689b8391df... https://bugzilla.redhat.com/show_bug.cgi?id=1815651 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-9359 -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=1167435 http://bugzilla.opensuse.org/show_bug.cgi?id=1167435#c1 --- Comment #1 from Wolfgang Frisch <wolfgang.frisch@suse.com> --- Created attachment 833669 --> http://bugzilla.opensuse.org/attachment.cgi?id=833669&action=edit poc.pdf This reproducer PDF executes /usr/bin/kcalc when the user clicks anywhere on the page. -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=1167435 http://bugzilla.opensuse.org/show_bug.cgi?id=1167435#c2 Wolfgang Frisch <wolfgang.frisch@suse.com> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |alarrosa@suse.com Summary|VUL-1: CVE-2020-9359: |VUL-1: CVE-2020-9359: |okular: local binary |okular, kdegraphics4: local |execution via specially |binary execution via |crafted PDF files |specially crafted PDF files --- Comment #2 from Wolfgang Frisch <wolfgang.frisch@suse.com> --- SUSE:SLE-11-SP1:Update kdegraphics4 Affected openSUSE:Factory okular Affected openSUSE:Leap:15.1 okular Affected openSUSE:Leap:15.2 okular Affected -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=1167435 http://bugzilla.opensuse.org/show_bug.cgi?id=1167435#c3 --- Comment #3 from Wolfgang Frisch <wolfgang.frisch@suse.com> --- FYI, it is not possible to pass parameters to the executed local binary. -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=1167435 http://bugzilla.opensuse.org/show_bug.cgi?id=1167435#c4 Christophe Giboudeaux <christophe@krop.fr> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |RESOLVED Resolution|--- |FIXED --- Comment #4 from Christophe Giboudeaux <christophe@krop.fr> --- Fixed long ago -- You are receiving this mail because: You are on the CC list for the bug.
participants (2)
-
bugzilla_noreply@novell.com -
bugzilla_noreply@suse.com