Bug 1167435 (CVE-2020-9359)

Summary: VUL-1: CVE-2020-9359: okular, kdegraphics4: local binary execution via specially crafted PDF files
Product: [openSUSE] openSUSE Distribution
Reporter: Wolfgang Frisch <wolfgang.frisch>
Component: Security
Assignee: E-Mail List <opensuse-kde-bugs>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P4 - Low
CC: alarrosa, opensuse-kde-bugs
Version: Leap 15.1
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/255513/
Whiteboard: CVSSv3.1:SUSE:CVE-2020-9359:5.3:(AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L) maint:planned:update
Found By: Security Response Team
Services Priority: ---
Business Priority: ---
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
Attachments: poc.pdf

Comment 1 Wolfgang Frisch 2020-03-23 17:01:21 UTC
Created attachment 833669

This reproducer PDF executes /usr/bin/kcalc when the user clicks anywhere on the page.
Comment 2 Wolfgang Frisch 2020-03-24 10:37:40 UTC
SUSE:SLE-11-SP1:Update   kdegraphics4   Affected
openSUSE:Factory         okular         Affected
openSUSE:Leap:15.1       okular         Affected
openSUSE:Leap:15.2       okular         Affected
Comment 3 Wolfgang Frisch 2020-03-24 10:39:25 UTC
FYI, it is not possible to pass parameters to the executed local binary.
Comment 4 Christophe Marin 2022-05-09 12:03:19 UTC
Fixed long ago