Bug 1167435 - (CVE-2020-9359) VUL-1: CVE-2020-9359: okular, kdegraphics4: local binary execution via specially crafted PDF files
Classification: openSUSE
Product: openSUSE Distribution
Component: Security
Version: Leap 15.1
Hardware: Other
OS: Other
Priority: P4 - Low
Severity: Normal
Assigned To: E-Mail List
Security Team bot
Reported: 2020-03-23 12:28 UTC by Wolfgang Frisch
Modified: 2022-05-09 12:03 UTC (History)

Found By: Security Response Team

Attachment: poc.pdf (11.96 KB, application/octet-stream), 2020-03-23 17:01 UTC, Wolfgang Frisch

Comment 1 Wolfgang Frisch 2020-03-23 17:01:21 UTC
Created attachment 833669 (poc.pdf)

This reproducer PDF executes /usr/bin/kcalc when the user clicks anywhere on the page.
Comment 2 Wolfgang Frisch 2020-03-24 10:37:40 UTC
SUSE:SLE-11-SP1:Update  kdegraphics4    Affected
openSUSE:Factory        okular          Affected
openSUSE:Leap:15.1      okular          Affected
openSUSE:Leap:15.2      okular          Affected
Comment 3 Wolfgang Frisch 2020-03-24 10:39:25 UTC
FYI, it is not possible to pass parameters to the executed local binary.
Comment 4 Christophe Giboudeaux 2022-05-09 12:03:19 UTC
Fixed long ago