Fedora has issued an advisory today (September 11):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/YYAUHZUZOJFM57K33S2TT4PJT33WY7W3/

The issue is fixed upstream in 18.08.1. Mageia 6 is also affected.
Whiteboard: (none) => MGA6TOO
Fixed for Cauldron and also mga6!
CC: (none) => geiger.david68210
Advisory:
========================

Updated okular packages fix security vulnerability:

okular version 18.08 and earlier contains a Directory Traversal vulnerability in function "unpackDocumentArchive(...)" in "core/document.cpp" that can result in Arbitrary file creation on the user workstation. This attack appears to be exploitable via the victim must open a specially crafted Okular archive (CVE-2018-1000801).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000801
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/YYAUHZUZOJFM57K33S2TT4PJT33WY7W3/
========================

Updated packages in core/updates_testing:
========================
okular-17.12.2-1.1.mga6
okular-handbook-17.12.2-1.1.mga6
libokularcore8-17.12.2-1.1.mga6
okular-devel-17.12.2-1.1.mga6

from okular-17.12.2-1.1.mga6.src.rpm
Whiteboard: MGA6TOO => (none)
Assignee: kde => qa-bugs
CC: (none) => kde
Version: Cauldron => 6
Mageia 6, x86_64

CVE-2018-1000801
Checked the PoC at https://bugs.kde.org/show_bug.cgi?id=398096.
Have to admit I do not understand this. The data itself is pocFileCreation.okular which is not accessible to okular directly - not a supported file.
Downloaded the demonstration data which is a zip file. Unzipped that and ran

$ okular test.test/root/payloadXXXXXX.pdf
org.kde.kwindowsystem: Could not find any platform plugin

okular opened, displaying a helloworld page.

Updated packages and installed okular-devel.

$ unzip pocFileCreation.okular
Archive:  pocFileCreation.okular
  inflating: content.xml
  inflating: metadata.xml
warning:  skipped "../" path component(s) in test.test/../../root/payloadXXXXXX.pdf
  inflating: test.test/root/payloadXXXXXX.pdf

Again, okular opened the PDF at a helloworld page.
What does this prove? I could not find any way to open the archive inside okular. The function name "unpackDocumentArchive(...)" implies that it is possible. There are no command-line switches that refer to unpacking archives.
CC: (none) => tarazed25
However, there is this - only just noticed:

Before update:

$ okular pocFileCreation.okular
org.kde.kwindowsystem: Could not find any platform plugin
org.kde.okular.core: No plugin for mimetype '"application/zip"'.
No file found for ".xml" , even though update-mime-info said it would exist.
Either it was just removed, or the directory doesn't have executable permission... ("/home/lcl/.local/share/mime", "/usr/share/mime")
No file found for ".xml" , even though update-mime-info said it would exist.
Either it was just removed, or the directory doesn't have executable permission... ("/home/lcl/.local/share/mime", "/usr/share/mime")

After update:

$ okular
Gtk-Message: GtkDialog mapped without a transient parent. This is discouraged.
Warning: Found a directory inside "/home/lcl/qa/okular/pocFileCreation.okular" - Okular does not create files like that so it is most probably forged.
Installed and tested without issue.

System: Mageia 6, x86_64, Plasma DE, Intel CPU, nVidia GPU using nvidia340 proprietary driver.

Tested using the PoC and a bunch of other supported files (e.g. PDF, djvu, cbz, cbr, odt, png, jpeg, dvi).

$ uname -a
Linux marte 4.14.69-desktop-1.mga6 #1 SMP Wed Sep 12 10:35:26 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux

$ rpm -qa | grep okular | sort
lib64okularcore7-16.12.3-2.mga6
lib64okularcore8-17.12.2-1.1.mga6
okular-17.12.2-1.1.mga6

$ okular pocFileCreation.okular
Warning: Found a directory inside "/tmp/pclx/pocFileCreation.okular" - Okular does not create files like that so it is most probably forged.

$ unzip ./pocFileCreation.okular
Archive:  ./pocFileCreation.okular
  inflating: content.xml
  inflating: metadata.xml
warning:  skipped "../" path component(s) in test.test/../../root/payloadXXXXXX.pdf
  inflating: test.test/root/payloadXXXXXX.pdf

$ okular test.test/root/payloadXXXXXX.pdf
CC: (none) => mageia
Whiteboard: (none) => MGA6-64-OK
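Added example, not part of the original thread and not Okular's code: a Python check that reads the member names of an .okular (zip) archive without extracting it and reports where each one would land. It shows why the PoC member name seen in the unzip output escapes the unpack directory, and it applies the same "no directories" rule the patched warning describes. The extraction directory DEST, the function names and the sample archive contents are assumptions constructed for the illustration.

```python
import io
import posixpath
import zipfile

DEST = "/tmp/okular_unpack"  # hypothetical extraction directory (assumption)


def check_entry(name, dest=DEST):
    """Return a reason string if a member name is unsafe, else None."""
    norm = name.replace("\\", "/")
    # Where a naive "dest + name" extraction would really write the file.
    target = posixpath.normpath(posixpath.join(dest, norm))
    if not target.startswith(dest.rstrip("/") + "/"):
        return "escapes %s -> %s" % (dest, target)
    # Assumed policy, taken from the patched warning quoted above:
    # a genuine Okular archive holds no directories at all.
    if "/" in norm:
        return "directory inside archive"
    return None


def scan(archive):
    """List (member name, reason) pairs without extracting anything."""
    with zipfile.ZipFile(archive) as zf:
        names = [info.filename for info in zf.infolist()]
    return [(n, r) for n in names for r in [check_entry(n)] if r]


def build_sample():
    """Constructed archive using the member names from the unzip output."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("content.xml", "<constructed/>")
        zf.writestr("metadata.xml", "<constructed/>")
        zf.writestr("test.test/../../root/payloadXXXXXX.pdf", b"%PDF-constructed")
    buf.seek(0)
    return buf


if __name__ == "__main__":
    for name, reason in scan(build_sample()):
        print("%s: %s" % (name, reason))
```

Info-ZIP's unzip strips the "../" components itself, which is why the command-line extraction in the tests above lands the file under test.test/root/ instead of outside the working directory.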
I think 64-bit is enough on this one. Validating...
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => advisory
CC: (none) => davidwhodgins
An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2018-0389.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED