Bug 1626265 (CVE-2018-1000801)

Summary: CVE-2018-1000801 okular: Directory traversal in function unpackDocumentArchive() in core/document.cpp
Product: [Other] Security Response
Reporter: Pedro Sampaio <psampaio>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: jgrulich, jreznik, rdieter, rschiron, than
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: okular 18.08.1
Doc Type: If docs needed, set a value
Doc Text:
A path traversal vulnerability has been discovered in Okular, in the way it creates temporary files when reading an Okular archive. Paths are read from content.xml and they are not properly sanitized before being used as template file names for the temporary files created when extracting the Okular archive, thus allowing a local attacker to write files outside the target temporary directory.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2020-03-31 22:33:14 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1626266, 1634726
Bug Blocks: 1626267

Description Pedro Sampaio 2018-09-06 21:42:07 UTC
okular version 18.08 and earlier contains a Directory Traversal vulnerability in
function unpackDocumentArchive() in core/document.cpp that can result in
arbitrary file creation on the user workstation. This attack appears to be
exploitable when the victim opens a specially crafted Okular archive. This
issue appears to have been corrected in version 18.08.1.


Upstream bug:
https://bugs.kde.org/show_bug.cgi?id=398096

Upstream patch:
https://cgit.kde.org/okular.git/commit/?id=8ff7abc14d41906ad978b6bc67e69693863b9d47

Comment 1 Pedro Sampaio 2018-09-06 21:42:37 UTC
Created okular tracking bugs for this issue:

Affects: fedora-all [bug 1626266]

Comment 3 Riccardo Schirone 2018-10-01 12:46:27 UTC
In core/document.cpp:openDocumentArchive()/unpackDocumentArchive() there are not enough checks to prevent a maliciously crafted okular archive, with a name that traverses paths, from writing temporary files outside the target directory. The template/suffix of the temporary files names is determined from the document file name read in content.xml file, contained in the okular archive, without proper checks. This allows an attacker to set a name template/suffix with path traversals "../", thus creating temporary files anywhere the user can write to.

Comment 5 Riccardo Schirone 2018-10-01 12:59:21 UTC
Mitigation:

Check Okular archives with `unzip -l <archive-name>.okular` before opening them. Do not open them with Okular if they contain files with "../".
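The following C++ is an added example written for this page; it is not Okular's code and not the upstream patch. It models the flaw described in comment 3 (a DocumentFileName read from content.xml flowing unchecked into a temporary-file path) next to a hardened version, and applies the same component check to an archive listing, which is what the `unzip -l` mitigation in comment 5 asks a user to do by eye. The content.xml element names, the exact shape of the temporary-file template and the tmpdir value are assumptions; the sample content.xml and listing are constructed.

```cpp
// Added example (not Okular's code, not the upstream fix). Element names and
// the template shape are assumptions; the inputs below are constructed.
#include <iostream>
#include <string>
#include <vector>

// Constructed content.xml of a malicious archive (sample input, not a real file).
const char* const kMaliciousContentXml =
    "<?xml version=\"1.0\" encoding=\"utf-8\"?>\n"
    "<OkularArchive>\n"
    "  <Files>\n"
    "    <DocumentFileName>../../.bashrc</DocumentFileName>\n"
    "    <MetadataFileName>metadata.xml</MetadataFileName>\n"
    "  </Files>\n"
    "</OkularArchive>\n";

// Pull the text of the first <DocumentFileName> element. A substring search is
// enough for this example; it is not an XML parser.
std::string extract_document_file_name(const std::string& xml) {
    const std::string open = "<DocumentFileName>", close = "</DocumentFileName>";
    const std::string::size_type b = xml.find(open);
    if (b == std::string::npos) return "";
    const std::string::size_type e = xml.find(close, b + open.size());
    if (e == std::string::npos) return "";
    return xml.substr(b + open.size(), e - b - open.size());
}

// Vulnerable shape: the untrusted name is appended to the temp directory
// unchanged, so "../../.bashrc" resolves to a path outside tmpdir.
std::string unsafe_temp_path(const std::string& tmpdir, const std::string& doc_name) {
    return tmpdir + "/" + doc_name;
}

// A name taken from archive metadata or an archive listing is acceptable only
// if it is relative, has no empty, "." or ".." component, and carries no
// backslash, NUL or other control character.
bool is_safe_entry_name(const std::string& name) {
    if (name.empty() || name[0] == '/') return false;
    std::string part;
    for (std::string::size_type i = 0; i <= name.size(); ++i) {
        const char c = (i < name.size()) ? name[i] : '/';  // sentinel closes the last part
        if (c == '/') {
            if (part.empty() || part == "." || part == "..") return false;
            part.clear();
            continue;
        }
        if (c == '\\' || static_cast<unsigned char>(c) < 0x20) return false;
        part += c;
    }
    return true;
}

// Hardened replacement: the document name must be a bare file name (no '/'
// at all). Anything else is rejected and an empty string is returned.
std::string safe_temp_path(const std::string& tmpdir, const std::string& doc_name) {
    if (!is_safe_entry_name(doc_name) || doc_name.find('/') != std::string::npos) return "";
    return tmpdir + "/" + doc_name;
}

// The comment-5 check, applied to an archive listing: return every entry that
// would land outside the extraction directory.
std::vector<std::string> unsafe_entries(const std::vector<std::string>& listing) {
    std::vector<std::string> bad;
    for (const std::string& e : listing)
        if (!is_safe_entry_name(e)) bad.push_back(e);
    return bad;
}

int main() {
    const std::string tmpdir = "/tmp/okular-example";  // assumed temp directory
    const std::string name = extract_document_file_name(kMaliciousContentXml);
    std::cout << "DocumentFileName from content.xml: " << name << '\n'
              << "vulnerable temp path: " << unsafe_temp_path(tmpdir, name) << '\n'
              << "hardened temp path:   \"" << safe_temp_path(tmpdir, name) << "\" (rejected)\n";

    // Constructed listing of the same archive, as `unzip -l` would show the names.
    const std::vector<std::string> listing = {"content.xml", "../../.bashrc", "metadata.xml"};
    for (const std::string& e : unsafe_entries(listing))
        std::cout << "refuse to open: entry " << e << " traverses out of the archive root\n";
    return 0;
}
```

The hardened path rejects rather than trims: reducing "../../.bashrc" to its last component would silently accept an archive that is plainly hostile, whereas a bare-file-name rule matches what a legitimately produced archive contains. The same component walk serves for the listing check because "../" can appear in any entry name, not only in the document name.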

Comment 6 errata-xmlrpc 2020-03-31 19:30:28 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2020:1173 https://access.redhat.com/errata/RHSA-2020:1173

Comment 7 Product Security DevOps Team 2020-03-31 22:33:14 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2018-1000801