Bug 23562 - okular new security issue CVE-2018-1000801
Summary: okular new security issue CVE-2018-1000801
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 6
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA6-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2018-09-11 23:29 CEST by David Walser
Modified: 2018-09-21 18:27 CEST (History)

See Also:
Source RPM: okular-18.04.1-1.mga7.src.rpm
CVE:
Status comment:



Description David Walser 2018-09-11 23:29:53 CEST
Fedora has issued an advisory today (September 11):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/YYAUHZUZOJFM57K33S2TT4PJT33WY7W3/

The issue is fixed upstream in 18.08.1.

Mageia 6 is also affected.
David Walser 2018-09-11 23:29:59 CEST

Whiteboard: (none) => MGA6TOO

Comment 1 David GEIGER 2018-09-12 17:57:23 CEST
Fixed for Cauldron and also mga6!

CC: (none) => geiger.david68210

Comment 2 David Walser 2018-09-12 21:09:25 CEST
Advisory:
========================

Updated okular packages fix security vulnerability:

okular version 18.08 and earlier contains a Directory Traversal vulnerability in
function "unpackDocumentArchive(...)" in "core/document.cpp" that can result in
arbitrary file creation on the user workstation. This attack appears to be
exploitable when the victim opens a specially crafted Okular archive
(CVE-2018-1000801).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000801
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/YYAUHZUZOJFM57K33S2TT4PJT33WY7W3/
========================

Updated packages in core/updates_testing:
========================
okular-17.12.2-1.1.mga6
okular-handbook-17.12.2-1.1.mga6
libokularcore8-17.12.2-1.1.mga6
okular-devel-17.12.2-1.1.mga6

from okular-17.12.2-1.1.mga6.src.rpm

Whiteboard: MGA6TOO => (none)
Assignee: kde => qa-bugs
CC: (none) => kde
Version: Cauldron => 6

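As an added illustration of the traversal described in the advisory (example code, not from Okular or from this bug report): a Python checker that refuses an Okular document archive whose entries are not flat top-level files, which is the "forged" condition the fixed package reports in the test comments below. The archive contents are constructed here; the entry names mirror the `unzip` listing of the PoC.

```python
import io
import zipfile

def unsafe_entries(zip_bytes: bytes) -> list:
    """Return the names of entries that must never be unpacked.

    A genuine Okular archive holds content.xml, metadata.xml and one
    document file, all at the top level.  Any directory entry, absolute
    path, or path with a '/' in it (which is how 'test.test/../../root/...'
    escapes the unpack directory) marks the archive as forged.
    """
    bad = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            parts = name.replace("\\", "/").split("/")
            if (info.is_dir() or name.startswith("/")
                    or len(parts) != 1 or name in ("", ".", "..")):
                bad.append(name)
    return bad

def is_forged(zip_bytes: bytes) -> bool:
    return bool(unsafe_entries(zip_bytes))

def safe_unpack(zip_bytes: bytes, dest: str) -> list:
    """Unpack only after the whole archive passed the check; refuse otherwise.

    Note: Python's zipfile already drops '..' components on extraction; the
    explicit check is what the vulnerable C++ unpacker lacked.
    """
    if is_forged(zip_bytes):
        raise ValueError("refusing to unpack forged Okular archive")
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        zf.extractall(dest)
        return zf.namelist()

def build_archive(entries) -> bytes:
    """Constructed test input: write (name, data) pairs into an in-memory zip."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries:
            zf.writestr(name, data)
    return buf.getvalue()

# Constructed archives; the traversal entry name matches the PoC listing.
FORGED = build_archive([("content.xml", b"<content/>"), ("metadata.xml", b"<metadata/>"),
                        ("test.test/../../root/payloadXXXXXX.pdf", b"%PDF-1.4 constructed")])
BENIGN = build_archive([("content.xml", b"<content/>"), ("metadata.xml", b"<metadata/>"),
                        ("hello.pdf", b"%PDF-1.4 constructed")])
```
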
Comment 3 Len Lawrence 2018-09-13 23:31:45 CEST
Mageia 6, x86_64

CVE-2018-1000801
Checked the PoC at https://bugs.kde.org/show_bug.cgi?id=398096.
Have to admit I do not understand this.
The data itself is pocFileCreation.okular which is not accessible to okular directly - not a supported file. 
Downloaded the demonstration data which is a zip file.
Unzipped that and ran
$ okular test.test/root/payloadXXXXXX.pdf
org.kde.kwindowsystem: Could not find any platform plugin

okular opened, displaying a helloworld page.

Updated packages and installed okular-devel.

$ unzip pocFileCreation.okular
Archive:  pocFileCreation.okular
  inflating: content.xml             
  inflating: metadata.xml            
warning:  skipped "../" path component(s) in test.test/../../root/payloadXXXXXX.pdf
  inflating: test.test/root/payloadXXXXXX.pdf  

Again, okular opened the PDF at a helloworld page.  What does this prove?
I could not find any way to open the archive inside okular.  The function name "unpackDocumentArchive(...)" implies that it is possible.
There are no command-line switches that refer to unpacking archives.

CC: (none) => tarazed25

Comment 4 Len Lawrence 2018-09-13 23:38:01 CEST
However, there is this - only just noticed:

Before update:
$ okular pocFileCreation.okular
org.kde.kwindowsystem: Could not find any platform plugin
org.kde.okular.core: No plugin for mimetype '"application/zip"'.
No file found for ".xml" , even though update-mime-info said it would exist.
Either it was just removed, or the directory doesn't have executable permission... ("/home/lcl/.local/share/mime", "/usr/share/mime")
No file found for ".xml" , even though update-mime-info said it would exist.
Either it was just removed, or the directory doesn't have executable permission... ("/home/lcl/.local/share/mime", "/usr/share/mime")

After update:
$ okular
Gtk-Message: GtkDialog mapped without a transient parent. This is discouraged.
Warning: Found a directory inside "/home/lcl/qa/okular/pocFileCreation.okular"  - Okular does not create files like that so it is most probably forged.
Comment 5 PC LX 2018-09-14 11:26:00 CEST
Installed and tested without issue.

System: Mageia 6, x86_64, Plasma DE, Intel CPU, nVidia GPU using nvidia340 proprietary driver.

Tested using the PoC and a bunch of other supported files (e.g. PDF, djvu, cbz, cbr, odt, png, jpeg, dvi).

$ uname -a
Linux marte 4.14.69-desktop-1.mga6 #1 SMP Wed Sep 12 10:35:26 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
$ rpm -qa | grep okular | sort
lib64okularcore7-16.12.3-2.mga6
lib64okularcore8-17.12.2-1.1.mga6
okular-17.12.2-1.1.mga6
$ okular pocFileCreation.okular 
Warning: Found a directory inside "/tmp/pclx/pocFileCreation.okular"  - Okular does not create files like that so it is most probably forged.
$ unzip ./pocFileCreation.okular 
Archive:  ./pocFileCreation.okular
  inflating: content.xml             
  inflating: metadata.xml            
warning:  skipped "../" path component(s) in test.test/../../root/payloadXXXXXX.pdf
  inflating: test.test/root/payloadXXXXXX.pdf
$ okular test.test/root/payloadXXXXXX.pdf

CC: (none) => mageia

Len Lawrence 2018-09-14 18:05:48 CEST

Whiteboard: (none) => MGA6-64-OK

Comment 6 Thomas Andrews 2018-09-19 03:15:23 CEST
I think 64-bit is enough on this one. Validating...

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Dave Hodgins 2018-09-21 16:41:26 CEST

Keywords: (none) => advisory
CC: (none) => davidwhodgins

Comment 7 Mageia Robot 2018-09-21 18:27:54 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0389.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED