Bug 1167435 - (CVE-2020-9359) VUL-1: CVE-2020-9359: okular, kdegraphics4: local binary execution via specially crafted PDF files
Status: RESOLVED FIXED
Classification: openSUSE
Product: openSUSE Distribution
Component: Security
Version: Leap 15.1
Hardware / OS: Other / Other
Priority: P4 - Low
Severity: Normal
Assigned To: E-Mail List
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/255513/
Whiteboard: CVSSv3.1:SUSE:CVE-2020-9359:5.3:(AV:...
Reported: 2020-03-23 12:28 UTC by Wolfgang Frisch
Modified: 2022-05-09 12:03 UTC
Found By: Security Response Team
Attachments
poc.pdf (11.96 KB, application/octet-stream)
2020-03-23 17:01 UTC, Wolfgang Frisch
Comment 1 Wolfgang Frisch 2020-03-23 17:01:21 UTC
Created attachment 833669
poc.pdf

This reproducer PDF executes /usr/bin/kcalc when the user clicks anywhere on the page.
Comment 2 Wolfgang Frisch 2020-03-24 10:37:40 UTC
SUSE:SLE-11-SP1:Update  kdegraphics4    Affected
openSUSE:Factory        okular          Affected
openSUSE:Leap:15.1      okular          Affected
openSUSE:Leap:15.2      okular          Affected
Comment 3 Wolfgang Frisch 2020-03-24 10:39:25 UTC
FYI, it is not possible to pass parameters to the executed local binary.
Comment 4 Christophe Giboudeaux 2022-05-09 12:03:19 UTC
Fixed long ago