Bug 1815651 (CVE-2020-9359)

Summary: CVE-2020-9359 okular: local binary execution via specially crafted PDF files
Product: [Other] Security Response Reporter: Guilherme de Almeida Suckevicz <gsuckevi>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: jgrulich, jreznik, kde-sig, rdieter, than
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: okular 1.10.0 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2020-09-29 22:00:11 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On: 1815652, 1815653, 1821451    
Bug Blocks: 1815654    

Description Guilherme de Almeida Suckevicz 2020-03-20 19:54:39 UTC 
Okular can be tricked into executing local binaries via specially crafted PDF files.

References:
https://kde.org/info/security/advisory-20200312-1.txt

Upstream commit:
https://invent.kde.org/kde/okular/-/commit/6a93a033b4f9248b3cd4d04689b8391df754e244
Comment 1 Guilherme de Almeida Suckevicz 2020-03-20 19:55:06 UTC 
Created okular tracking bugs for this issue:

Affects: epel-8 [bug 1815653]
Affects: fedora-all [bug 1815652]
Comment 3 Marco Benatto 2020-04-06 20:46:39 UTC 
External References:

https://kde.org/info/security/advisory-20200312-1.txt
Comment 4 Marco Benatto 2020-04-07 14:20:21 UTC 
There's an issue on Okular. When processing actions taken by the user when reading a PDF file, Okular has the capability of open other link files. This is done using KRun() object from KDE API. The KRun() class, checks the mimetype and properly executed the requested action using the proper application and exits afterwards. It has the capability to open .desktop files and execute binaries by default. This creates a vulnerability on Okular due to the lack of restriction in types that can be executed, as the caller may explicitly set a KRun() class property to avoid it executing binaries. An attacker can leverage this weakness by creating a craft PDF file which has a URL pointing to a binary or a script which will be executed without the user notice it. User interaction is required as the user needs to be tricked to open the crafted PDF file and the impact will be restricted only to the Okular's running UID. As there's no way to call binaries that uses parameters and Okular runs as non-privileged users major impact is only possible whether the system is already compromised by another independent vulnerability. This causes confidentiality, integrity and availability impact to be considered Low.
Comment 6 Marco Benatto 2020-04-07 14:40:05 UTC 
Mitigation:

There's no available mitigation other than don't open PDF files from untrusted sources.
Comment 7 errata-xmlrpc 2020-09-29 20:39:51 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2020:4024 https://access.redhat.com/errata/RHSA-2020:4024
Comment 8 Product Security DevOps Team 2020-09-29 22:00:11 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-9359