Bug 1167435 (CVE-2020-9359)

Summary:	VUL-1: CVE-2020-9359: okular, kdegraphics4: local binary execution via specially crafted PDF files
Product:	[openSUSE] openSUSE Distribution	Reporter:	Wolfgang Frisch <wolfgang.frisch>
Component:	Security	Assignee:	E-Mail List <opensuse-kde-bugs>
Status:	RESOLVED FIXED	QA Contact:	Security Team bot <security-team>
Severity:	Normal
Priority:	P4 - Low	CC:	alarrosa, opensuse-kde-bugs
Version:	Leap 15.1
Target Milestone:	---
Hardware:	Other
OS:	Other
URL:	https://smash.suse.de/issue/255513/
Whiteboard:	CVSSv3.1:SUSE:CVE-2020-9359:5.3:(AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L) maint:planned:update
Found By:	Security Response Team	Services Priority:
Business Priority:		Blocker:	---
Marketing QA Status:	---	IT Deployment:	---
Attachments:	poc.pdf

Description Wolfgang Frisch 2020-03-23 12:28:16 UTC

CVE-2020-9359

Okular can be tricked into executing local binaries via specially crafted PDF files.

References:
https://kde.org/info/security/advisory-20200312-1.txt
https://invent.kde.org/kde/okular/-/commit/6a93a033b4f9248b3cd4d04689b8391df754e244
https://bugzilla.redhat.com/show_bug.cgi?id=1815651
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-9359

Comment 1 Wolfgang Frisch 2020-03-23 17:01:21 UTC

Created attachment 833669 [details]
poc.pdf

This reproducer PDF executes /usr/bin/kcalc when the user clicks anywhere on the page.

Comment 2 Wolfgang Frisch 2020-03-24 10:37:40 UTC

SUSE:SLE-11-SP1:Update  kdegraphics4    Affected
openSUSE:Factory        okular          Affected
openSUSE:Leap:15.1      okular          Affected
openSUSE:Leap:15.2      okular          Affected

Comment 3 Wolfgang Frisch 2020-03-24 10:39:25 UTC

FYI, it is not possible to pass parameters to the executed local binary.

Comment 4 Christophe Marin 2022-05-09 12:03:19 UTC

Fixed long ago