
Bug#908168: marked as done (okular: CVE-2018-1000801)



Your message dated Fri, 07 Dec 2018 12:20:35 +0000
with message-id <E1gVF7T-000Ax8-FK@fasolo.debian.org>
and subject line Bug#908168: fixed in okular 4:17.12.2-2.1
has caused the Debian Bug report #908168,
regarding okular: CVE-2018-1000801
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
908168: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=908168
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Source: okular
Version: 4:17.12.2-2
Severity: important
Tags: patch security upstream
Forwarded: https://bugs.kde.org/show_bug.cgi?id=398096

Hi,

The following vulnerability was published for okular.

CVE-2018-1000801[0]:
| okular version 18.08 and earlier contains a Directory Traversal
| vulnerability in function "unpackDocumentArchive(...)" in
| "core/document.cpp" that can result in Arbitrary file creation on the
| user workstation. This attack appears to be exploitable via the victim
| must open a specially crafted Okular archive. This issue appears to
| have been corrected in version 18.08.1.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-1000801
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000801
[1] https://bugs.kde.org/show_bug.cgi?id=398096
[2] https://cgit.kde.org/okular.git/commit/?id=8ff7abc14d41906ad978b6bc67e69693863b9d47

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
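
The CVE text above describes an extraction step in which a name taken from the archive decides where a file is created. As an added example (not Okular's code and not the upstream fix), here is a lexical check in C++ that rejects such names before anything is written; `resolveEntry`, the base directory and the sample names are hypothetical, and symlinks inside the destination directory are assumed absent.

```cpp
#include <cctype>
#include <iostream>
#include <string>
#include <vector>

// Hypothetical helper (not Okular's code): map an archive entry name to a path
// under baseDir, or return false if the name could land outside it.
bool resolveEntry(const std::string &baseDir, const std::string &entry, std::string &out)
{
    if (entry.empty() || entry.find('\0') != std::string::npos)
        return false;                       // empty name or embedded NUL
    if (entry[0] == '/' || entry[0] == '\\')
        return false;                       // absolute path
    if (entry.size() >= 2 && std::isalpha(static_cast<unsigned char>(entry[0])) && entry[1] == ':')
        return false;                       // Windows drive prefix

    std::vector<std::string> parts;
    std::string cur;
    // Treat both '/' and '\\' as separators; the sentinel flushes the last part.
    for (std::size_t i = 0; i <= entry.size(); ++i) {
        const char c = (i < entry.size()) ? entry[i] : '/';
        if (c != '/' && c != '\\') { cur += c; continue; }
        if (cur == "..")
            return false;                   // any parent reference is rejected
        if (!cur.empty() && cur != ".")
            parts.push_back(cur);
        cur.clear();
    }
    if (parts.empty())
        return false;                       // name was only "." or separators

    out = baseDir;
    for (const std::string &p : parts)
        out += "/" + p;
    return true;
}

int main()
{
    // Constructed sample entry names, not taken from a real archive.
    const char *samples[] = {"content.xml", "./docs/file.pdf", "../outside.txt",
                             "/abs/file", "docs\\..\\x"};
    for (const char *s : samples) {
        std::string dest;
        if (resolveEntry("/tmp/extract", s, dest))
            std::cout << "ok     " << s << " -> " << dest << "\n";
        else
            std::cout << "reject " << s << "\n";
    }
    return 0;
}
```

Rejecting every `..` component outright, rather than normalising it away, keeps the check independent of how the later file-creation call interprets the path.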
--- Begin Message ---
Source: okular
Source-Version: 4:17.12.2-2.1

We believe that the bug you reported is fixed in the latest version of
okular, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 908168@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated okular package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 02 Dec 2018 12:27:39 +0100
Source: okular
Binary: libokular5core8 okular okular-dev okular-extra-backends qml-module-org-kde-okular okular-mobile
Architecture: source
Version: 4:17.12.2-2.1
Distribution: unstable
Urgency: medium
Maintainer: Debian Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Description:
 libokular5core8 - libraries for the Okular document viewer
 okular     - universal document viewer
 okular-dev - development files for the Okular libraries
 okular-extra-backends - additional document format support for Okular
 okular-mobile - mobile support for Okular
 qml-module-org-kde-okular - mobile support for Okular - QML modules
Closes: 908168
Changes:
 okular (4:17.12.2-2.1) unstable; urgency=medium
 .
   * Non-maintainer upload.
   * Fix path traversal issue when extracting an .okular file
     (CVE-2018-1000801) (Closes: #908168)

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
