Bug 1626265 (CVE-2018-1000801)
Summary: CVE-2018-1000801 okular: Directory traversal in function unpackDocumentArchive() in core/document.cpp
Product: [Other] Security Response
Reporter: Pedro Sampaio <psampaio>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
CC: jgrulich, jreznik, rdieter, rschiron, than
Keywords: Security
Hardware: All
OS: Linux
Fixed In Version: okular 18.08.1
Doc Type: If docs needed, set a value
Doc Text:
A path traversal vulnerability has been discovered in Okular, in the way it creates temporary files when reading an Okular archive. Paths are read from content.xml and they are not properly sanitized before being used as template file names for the temporary files created when extracting the Okular archive, thus allowing a local attacker to write files outside the target temporary directory.
Last Closed: 2020-03-31 22:33:14 UTC
Bug Depends On: 1626266, 1634726
Bug Blocks: 1626267
Description
Pedro Sampaio
2018-09-06 21:42:07 UTC
Created okular tracking bugs for this issue:

Affects: fedora-all [bug 1626266]

In core/document.cpp:openDocumentArchive()/unpackDocumentArchive() there are not enough checks to prevent a maliciously crafted okular archive, with a name that traverses paths, from writing temporary files outside the target directory.

The template/suffix of the temporary file names is determined from the document file name read in content.xml file, contained in the okular archive, without proper checks. This allows an attacker to set a name template/suffix with path traversals "../", thus creating temporary files anywhere the user can write to.

Mitigation:

Check Okular archives with `unzip -l <archive-name>.okular` before opening them. Do not open them with Okular if they contain files with "../".

This issue has been addressed in the following products:

Red Hat Enterprise Linux 7

Via RHSA-2020:1173 https://access.redhat.com/errata/RHSA-2020:1173

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2018-1000801