Bug 26342

Summary: okular new security issues CVE-2020-9359
Product: Mageia
Reporter: David Walser <luigiwalser>
Component: Security
Assignee: QA Team <qa-bugs>
Status: RESOLVED FIXED
QA Contact: Sec team <security>
Severity: normal
Priority: Normal
CC: andrewsfarm, geiger.david68210, sysadmin-bugs, tmb
Version: 7
Keywords: advisory, validated_update
Target Milestone: ---
Hardware: All
OS: Linux
Whiteboard: MGA7-64-OK MGA7-32-OK
Source RPM: okular-19.12.2-2.mga8.src.rpm
CVE:
Status comment:

Description David Walser 2020-03-14 16:49:18 CET
KDE has issued an advisory on March 12:
https://kde.org/info/security/advisory-20200312-1.txt

The issue is fixed upstream in 20.04.0.  The upstream patch that fixed the issue is linked in the message above.

Mageia 7 is also affected.
David Walser 2020-03-14 16:49:35 CET

Status comment: (none) => Patch available from upstream
Whiteboard: (none) => MGA7TOO

Comment 1 David GEIGER 2020-03-14 17:25:15 CET
Done for both Cauldron and mga7!

CC: (none) => geiger.david68210

Comment 2 David Walser 2020-03-14 17:33:21 CET
Advisory:
========================

Updated okular packages fix security vulnerability:

Okular can be tricked into executing local binaries via specially crafted PDF
files. This binary execution can require almost no user interaction. No
parameters can be passed to those local binaries (CVE-2020-9359).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9359
https://kde.org/info/security/advisory-20200312-1.txt
========================

Updated packages in core/updates_testing:
========================
okular-19.04.0-1.1.mga7
okular-handbook-19.04.0-1.1.mga7
libokularcore9-19.04.0-1.1.mga7
okular-devel-19.04.0-1.1.mga7

from okular-19.04.0-1.1.mga7.src.rpm

Status comment: Patch available from upstream => (none)
Whiteboard: MGA7TOO => (none)
Version: Cauldron => 7
Assignee: kde => qa-bugs

Comment 3 Thomas Andrews 2020-03-14 20:14:45 CET
Core i5-2500, Integrated Intel graphics, 64-bit Plasma system.

Packages installed cleanly. Read several pdfs and printed one, also read a Postscript file. Everything worked as it should.

CC: (none) => andrewsfarm
Whiteboard: (none) => MGA7-64-OK

Comment 4 Thomas Andrews 2020-03-14 20:17:11 CET
Forgot to mention, checked the "forms" function on a couple of fill-in tax forms, as well.

Comment 5 Thomas Andrews 2020-03-14 20:47:26 CET
Dell Dimension e520, Core 2 Quad 6600, Radeon HD 8490 graphics, 32-bit Plasma system.

Packages installed cleanly. Performed the same tests as in Comments 3 and 4, with the exception of printing, with the same results.

I'd say this is good to go. Validating. Advisory information in Comment 2.

CC: (none) => sysadmin-bugs
Keywords: (none) => validated_update
Whiteboard: MGA7-64-OK => MGA7-64-OK MGA7-32-OK

Thomas Backlund 2020-03-18 15:58:44 CET

CC: (none) => tmb
Keywords: (none) => advisory

Comment 6 Mageia Robot 2020-03-18 16:28:54 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2020-0145.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED