On 11/29/2018 10:12 AM, Douglas R. Reno via blfs-dev wrote:

On 11/27/18 4:40 PM, Ken Moffat via blfs-dev wrote:
https://nvd.nist.gov/vuln/detail/CVE-2018-1000801

   okular version 18.08 and earlier contains a Directory Traversal
   vulnerability in function "unpackDocumentArchive(...)" in
   "core/document.cpp" that can result in Arbitrary file creation on
   the user workstation. This attack appears to be exploitable when the
   victim opens a specially crafted Okular archive. This issue
   appears to have been corrected in version 18.08.1.

I started to look at this a few days ago, but eventually persuaded
myself that we were using 18.08.1 which is fixed.  I'm obviously
getting flakier than I thought.

Now that I've built plasma (possibly - see support) I can see that I
had not downloaded the KF5 applications I build (most of what is in
the book, except kdenlive which I have no use for and where I loathe
its string of static-library dependencies, plus some others).

Should we just update okular to 18.08.1?  Or use 18.08.3?

ĸen


I'm for updating to 18.08.3. It's a pretty gnarly bug. My reasoning is below.

We've all seen how PDFs can be manipulated through the Ghostscript interpreter to gain filesystem access. A directory traversal vulnerability like this one can happen if an individual makes a PDF file that looks for resources elsewhere on the system to add things like images to a PDF (I have a transcript here that does this - it looks in C:\Users\<user>\Downloads\AD.JPG for an image). Note though that this makes it impossible to read on Linux.

This vulnerability can allow an attacker to create a file anywhere on the system that they like using this. If they bundle an exploit for, let's say, Ghostscript - and place it in the user's Documents folder ($HOME/Documents), it'll get picked up by a thumbnailer in an unpatched-ghostscript environment and exploit the system.

I will update this when kde apps 18.12 is released. Currently it is scheduled for Dec 13th and they've been pretty good at releasing on time.

  -- Bruce
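The fix for a flaw of the kind described above is a containment check on every archive member name before anything is written to disk. What follows is an added example, not code from Okular, KDE or anyone on this list; it assumes a zip container (Okular's own archive handling is not reproduced here) and builds its own constructed sample archive containing two traversal-style member names alongside two legitimate ones.

```python
import io
import os
import tempfile
import zipfile
from typing import List, Optional, Tuple


def resolve_inside(dest_root: str, member_name: str) -> Optional[str]:
    """Return the absolute on-disk path for member_name if, after
    normalisation, it still lies under dest_root; otherwise None."""
    if not member_name:
        return None
    root = os.path.realpath(dest_root)
    first = member_name.split("/")[0]
    # Reject absolute names and Windows-style drive or backslash paths
    # outright; a zip writer can store any string as a member name.
    if os.path.isabs(member_name) or "\\" in member_name or ":" in first:
        return None
    target = os.path.realpath(os.path.join(root, member_name))
    # realpath() collapses "..", so the only remaining question is whether
    # the resolved target is still beneath the extraction root.
    if os.path.commonpath([root, target]) != root:
        return None
    return target


def extract_archive_safely(archive_bytes: bytes,
                           dest_root: str) -> Tuple[List[str], List[str]]:
    """Extract members that stay inside dest_root; skip the rest.
    Returns (accepted_names, rejected_names) in archive order."""
    accepted: List[str] = []
    rejected: List[str] = []
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            target = resolve_inside(dest_root, info.filename)
            if target is None:
                rejected.append(info.filename)
                continue
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
            else:
                os.makedirs(os.path.dirname(target), exist_ok=True)
                with zf.open(info) as src, open(target, "wb") as dst:
                    dst.write(src.read())
            accepted.append(info.filename)
    return accepted, rejected


def build_sample_archive() -> bytes:
    """Constructed sample archive: two ordinary members plus two whose
    names try to climb out of the extraction directory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("content.xml", "<document/>")
        zf.writestr("images/logo.png", b"\x89PNG placeholder")
        zf.writestr("../../outside.txt", "must never be written")
        zf.writestr("sub/../../../escape.txt", "must never be written")
    return buf.getvalue()


def demo() -> dict:
    """Run the safe extraction into a fresh temp dir and report what
    actually landed on disk, relative to that dir."""
    dest_root = tempfile.mkdtemp(prefix="safe-extract-")
    accepted, rejected = extract_archive_safely(build_sample_archive(), dest_root)
    on_disk = []
    for dirpath, _dirs, files in os.walk(dest_root):
        for name in files:
            rel = os.path.relpath(os.path.join(dirpath, name), dest_root)
            on_disk.append(rel.replace(os.sep, "/"))
    return {
        "dest_root": dest_root,
        "accepted": accepted,
        "rejected": rejected,
        "on_disk": sorted(on_disk),
    }


if __name__ == "__main__":
    print(demo())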


--
http://lists.linuxfromscratch.org/listinfo/blfs-dev