Okular version 18.08 and earlier contains a Directory Traversal vulnerability in function unpackDocumentArchive() in core/document.cpp that can result in arbitrary file creation on the user workstation. This attack appears to be exploitable when the victim opens a specially crafted Okular archive. This issue appears to have been corrected in version 18.08.1.

Upstream bug: https://bugs.kde.org/show_bug.cgi?id=398096
Upstream patch: https://cgit.kde.org/okular.git/commit/?id=8ff7abc14d41906ad978b6bc67e69693863b9d47
Created okular tracking bugs for this issue:

Affects: fedora-all [bug 1626266]
In core/document.cpp:openDocumentArchive()/unpackDocumentArchive() there are not enough checks to prevent a maliciously crafted Okular archive, with a name that traverses paths, from writing temporary files outside the target directory. The template/suffix of the temporary file names is determined from the document file name read from the content.xml file, contained in the Okular archive, without proper checks. This allows an attacker to set a name template/suffix with path traversals "../", thus creating temporary files anywhere the user can write to.
Mitigation: Check Okular archives with `unzip -l <archive-name>.okular` before opening them. Do not open them with Okular if they contain files with "../".
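The pre-open check from the mitigation above, extended to also read content.xml, as an added example (not part of the bug report and not Okular code). It assumes names stored in content.xml are bare file names, so any path separator or ".." component is flagged; the XML element names in the sample archive are constructed and are not Okular's schema.

```python
import io
import zipfile
import xml.etree.ElementTree as ET


def is_unsafe_name(name):
    """True if a name is absolute or contains a '..' path component."""
    name = name.replace("\\", "/")
    return name.startswith("/") or ".." in name.split("/")


def audit_okular_archive(source):
    """Return (location, value) findings for an archive path or file object."""
    findings = []
    with zipfile.ZipFile(source) as zf:
        names = zf.namelist()
        # Same check as `unzip -l`: look at member names only.
        findings += [("zip-entry", n) for n in names if is_unsafe_name(n)]
        if "content.xml" in names:
            # Read in memory, never extract: the check writes nothing to disk.
            try:
                root = ET.fromstring(zf.read("content.xml"))
            except ET.ParseError:
                return findings + [("content.xml", "unparseable")]
            for el in root.iter():
                text = (el.text or "").strip()
                # Assumption: a legitimate name here has no directory part.
                if text and ("/" in text or "\\" in text or is_unsafe_name(text)):
                    findings.append(("content.xml:" + el.tag, text))
    return findings


def build_sample(doc_name):
    """Constructed sample archive, built in memory (element names made up)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("content.xml",
                    "<archive><name>%s</name></archive>" % doc_name)
        zf.writestr("doc.pdf", b"%PDF-1.4 constructed")
    buf.seek(0)
    return buf


if __name__ == "__main__":
    for name in ("doc.pdf", "../../tmp/x.pdf"):
        print(name, "->", audit_okular_archive(build_sample(name)))
```

An empty result means no traversal pattern was found in member names or content.xml; any finding is a reason not to open the archive with an unpatched Okular.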
This issue has been addressed in the following products:

Red Hat Enterprise Linux 7

Via RHSA-2020:1173 https://access.redhat.com/errata/RHSA-2020:1173
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2018-1000801