[ GLSA 201811-08 ] Okular: Directory traversal


From: Thomas Deutschmann
Reply-To: security@gentoo.org
To: gentoo-announce@lists.gentoo.org
Subject: [ GLSA 201811-08 ] Okular: Directory traversal


- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201811-08
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: Normal
Title: Okular: Directory traversal
Date: November 10, 2018
Bugs: #665662
ID: 201811-08

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis

Okular is vulnerable to a directory traversal attack.

Background

Okular is a universal document viewer based on KPDF for KDE 4.

Affected packages

-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 kde-apps/okular < 18.04.3-r1 >= 18.04.3-r1

Description

It was discovered that Okular contains a Directory Traversal
vulnerability in function unpackDocumentArchive() in core/document.cpp.
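The defect class named above is an archive entry whose name escapes the directory it is being unpacked into. The following C++ check is an added illustration of how an unpacker can reject such entries before writing anything; it is not Okular's code or the actual upstream fix, and the function names, the '/'-separated POSIX path assumption and the sample paths are all hypothetical.

```cpp
#include <optional>
#include <string>
#include <vector>

// Lexically normalise an archive entry name (POSIX '/' separators assumed)
// and reject anything that could escape the extraction directory:
// absolute paths, and ".." components that climb above the archive root.
// Hypothetical helper, not Okular's code.
std::optional<std::string> sanitize_archive_entry(const std::string& entry) {
    if (entry.empty() || entry[0] == '/') return std::nullopt; // absolute or empty
    std::vector<std::string> parts;
    std::string cur;
    // Consume one path component; returns false when it would climb above root.
    auto flush = [&]() -> bool {
        if (cur.empty() || cur == ".") { cur.clear(); return true; } // no-op component
        if (cur == "..") {
            if (parts.empty()) return false; // traversal above the archive root
            parts.pop_back();
        } else {
            parts.push_back(cur);
        }
        cur.clear();
        return true;
    };
    for (char c : entry) {
        if (c == '/') { if (!flush()) return std::nullopt; }
        else cur.push_back(c);
    }
    if (!flush()) return std::nullopt;
    if (parts.empty()) return std::nullopt; // resolves to the root itself, nothing to write
    std::string out;
    for (size_t i = 0; i < parts.size(); ++i) {
        if (i) out += '/';
        out += parts[i];
    }
    return out;
}

// Joins a sanitised entry onto the destination directory. An empty result
// means the entry was rejected and the unpacker must not create the file.
std::string safe_extract_path(const std::string& dest_dir, const std::string& entry) {
    auto clean = sanitize_archive_entry(entry);
    if (!clean) return "";
    return dest_dir + "/" + *clean;
}
```

An unpacker that resolves every entry through such a check, and also refuses to follow symlinks inside the destination, confines writes to the extraction directory regardless of what the archive contains.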

Impact

A remote attacker could entice a user to open a specially crafted
Okular archive, possibly allowing the writing of arbitrary files with
the privileges of the process.

Workaround

There is no known workaround at this time.

Resolution

All Okular users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=kde-apps/okular-18.04.3-r1"

References

[ 1 ] CVE-2018-1000801
https://nvd.nist.gov/vuln/detail/CVE-2018-1000801

Availability

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

https://security.gentoo.org/glsa/201811-08

Concerns?

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users’ machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License

Copyright 2018 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5
