
security update for okular in Stretch



Hi everybody,

in case you are interested, this is the debdiff to fix CVE-2018-1000801 of okular in Stretch.

  Thorsten

diff -Nru okular-16.08.2/debian/changelog okular-16.08.2/debian/changelog
--- okular-16.08.2/debian/changelog	2016-10-19 12:34:55.000000000 +0200
+++ okular-16.08.2/debian/changelog	2018-09-20 21:03:02.000000000 +0200
@@ -1,3 +1,12 @@
+okular (4:16.08.2-1+deb9u1) stretch-security; urgency=medium
+
+  * Non-maintainer upload by the LTS Team. 
+  * CVE-2018-1000801
+    Fix for a directory traversal vulnerability that can result in
+    arbitrary file creation on the user workstation.
+ 
+ -- Thorsten Alteholz <debian@alteholz.de>  Thu, 20 Sep 2018 21:03:02 +0200
+
 okular (4:16.08.2-1) unstable; urgency=medium
 
   [ Automatic packaging ]
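Review bot: The new changelog entry carries trailing whitespace on the "Non-maintainer upload by the LTS Team." line and on the otherwise empty line before the signature; strip both. The entry attributes the upload to the LTS Team while the target distribution is stretch-security, so confirm that attribution is the intended one. It would also help to name the patch file being added (CVE-2018-1000801.patch), so the entry can be matched to debian/patches without reading the diff.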
diff -Nru okular-16.08.2/debian/patches/CVE-2018-1000801.patch okular-16.08.2/debian/patches/CVE-2018-1000801.patch
--- okular-16.08.2/debian/patches/CVE-2018-1000801.patch	1970-01-01 01:00:00.000000000 +0100
+++ okular-16.08.2/debian/patches/CVE-2018-1000801.patch	2018-09-20 21:03:02.000000000 +0200
@@ -0,0 +1,45 @@
+From 8ff7abc14d41906ad978b6bc67e69693863b9d47 Mon Sep 17 00:00:00 2001
+From: Albert Astals Cid <aacid@kde.org>
+Date: Mon, 3 Sep 2018 21:14:30 +0200
+Subject: Fix path traversal issue when extracting an .okular file
+
+Summary:
+With specially crafted .okular files you can trick okular to create temporary files outside the temporary folder
+
+We fix that by making sure the file doesn't have folders since the ones we create don't
+
+BUGS: 398096
+
+Subscribers: okular-devel
+
+Tags: #okular
+
+Differential Revision: https://phabricator.kde.org/D15192
+---
+ core/document.cpp | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+Index: okular-16.08.2/core/document.cpp
+===================================================================
+--- okular-16.08.2.orig/core/document.cpp	2018-09-19 12:35:09.690099888 +0200
++++ okular-16.08.2/core/document.cpp	2018-09-19 12:35:09.678099888 +0200
+@@ -4368,6 +4368,19 @@
+         return OpenError;
+ 
+     const KArchiveDirectory * mainDir = okularArchive.directory();
++
++    // Check the archive doesn't have folders, we don't create them when saving the archive
++    // and folders mean paths and paths mean path traversal issues
++    //original: for ( const QString &entry : mainDir->entries() )
++    Q_FOREACH ( const QString &entry, mainDir->entries() )
++    {
++        if ( mainDir->entry( entry )->isDirectory() )
++        {
++            qWarning() << "Warning: Found a directory inside" << docFile << " - Okular does not create files like that so it is most probably forged.";
++            return OpenError;
++        }
++    }
++
+     const KArchiveEntry * mainEntry = mainDir->entry( "content.xml" );
+     if ( !mainEntry || !mainEntry->isFile() )
+         return OpenError;
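Review bot: The backport keeps the upstream loop as a "//original:" comment inside core/document.cpp, so the Debian-specific change is recorded in the patched source instead of in the patch header. Move that remark into the header, stating that the range-based for was replaced with Q_FOREACH, and drop the commented-out line. That extra line also leaves the diffstat stale: it reports 12 insertions while the hunk header (-4368,6 +4368,19) adds 13. On the check itself, mainDir->entry( entry ) is dereferenced without a null test, and only the top-level names from mainDir->entries() are inspected, so the fix relies on every path component in a member name showing up as a directory entry. A regression test that opens an archive with a nested member name and expects OpenError would pin that assumption down.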
diff -Nru okular-16.08.2/debian/patches/series okular-16.08.2/debian/patches/series
--- okular-16.08.2/debian/patches/series	2016-10-19 12:34:55.000000000 +0200
+++ okular-16.08.2/debian/patches/series	2018-09-20 21:03:02.000000000 +0200
@@ -1 +1,2 @@
 temporarily_disable_failing_test
+CVE-2018-1000801.patch
