Bug 26342 - okular new security issues CVE-2020-9359
Summary: okular new security issues CVE-2020-9359
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 7
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA7-64-OK MGA7-32-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2020-03-14 16:49 CET by David Walser
Modified: 2020-03-18 16:28 CET

See Also:
Source RPM: okular-19.12.2-2.mga8.src.rpm
CVE:
Status comment:


Description David Walser 2020-03-14 16:49:18 CET
KDE has issued an advisory on March 12:
https://kde.org/info/security/advisory-20200312-1.txt

The issue is fixed upstream in 20.04.0.  The upstream patch that fixed the issue is linked in the message above.

Mageia 7 is also affected.
David Walser 2020-03-14 16:49:35 CET

Status comment: (none) => Patch available from upstream
Whiteboard: (none) => MGA7TOO

Comment 1 David GEIGER 2020-03-14 17:25:15 CET
Done for both Cauldron and mga7!

CC: (none) => geiger.david68210

Comment 2 David Walser 2020-03-14 17:33:21 CET
Advisory:
========================

Updated okular packages fix security vulnerability:

Okular can be tricked into executing local binaries via specially crafted PDF
files. This binary execution can require almost no user interaction. No
parameters can be passed to those local binaries (CVE-2020-9359).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9359
https://kde.org/info/security/advisory-20200312-1.txt
========================

Updated packages in core/updates_testing:
========================
okular-19.04.0-1.1.mga7
okular-handbook-19.04.0-1.1.mga7
libokularcore9-19.04.0-1.1.mga7
okular-devel-19.04.0-1.1.mga7

from okular-19.04.0-1.1.mga7.src.rpm

Status comment: Patch available from upstream => (none)
Whiteboard: MGA7TOO => (none)
Version: Cauldron => 7
Assignee: kde => qa-bugs

Comment 3 Thomas Andrews 2020-03-14 20:14:45 CET
Core i5-2500, Integrated Intel graphics, 64-bit Plasma system.

Packages installed cleanly. Read several pdfs and printed one, also read a Postscript file. Everything worked as it should.

CC: (none) => andrewsfarm
Whiteboard: (none) => MGA7-64-OK

Comment 4 Thomas Andrews 2020-03-14 20:17:11 CET
Forgot to mention, checked the "forms" function on a couple of fill-in tax forms, as well.
Comment 5 Thomas Andrews 2020-03-14 20:47:26 CET
Dell Dimension e520, Core 2 Quad 6600, Radeon HD 8490 graphics, 32-bit Plasma system.

Packages installed cleanly. Performed the same tests as in Comments 3 and 4, with the exception of printing, with the same results.

I'd say this is good to go. Validating. Advisory information in Comment 2.

CC: (none) => sysadmin-bugs
Keywords: (none) => validated_update
Whiteboard: MGA7-64-OK => MGA7-64-OK MGA7-32-OK

Thomas Backlund 2020-03-18 15:58:44 CET

CC: (none) => tmb
Keywords: (none) => advisory

Comment 6 Mageia Robot 2020-03-18 16:28:54 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2020-0145.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED

