okular version 18.08 and earlier contains a Directory Traversal vulnerability in
function unpackDocumentArchive() in core/document.cpp that can result in
arbitrary file creation on the user workstation. This attack appears to be
exploitable when the victim opens a specially crafted Okular archive. This
issue appears to have been corrected in version 18.08.1.
Created okular tracking bugs for this issue:
Affects: fedora-all [bug 1626266]
In core/document.cpp:openDocumentArchive()/unpackDocumentArchive() there are not enough checks to prevent a maliciously crafted okular archive, with a name that traverses paths, from writing temporary files outside the target directory. The template/suffix of the temporary file names is determined from the document file name read from the content.xml file, contained in the okular archive, without proper checks. This allows an attacker to set a name template/suffix with path traversals "../", thus creating temporary files anywhere the user can write to.
Check Okular archives with `unzip -l <archive-name>.okular` before opening them. Do not open them with Okular if they contain files with "../".
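A scripted form of this check, added here as an example (it is not code from Okular or from Red Hat). It goes beyond the `unzip -l` listing by also inspecting the values inside content.xml, since that is where the description above says the file name is read from. The function names and the constructed sample archive are hypothetical, and the element names used in the sample's content.xml are an assumption; the check itself does not depend on them.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from pathlib import PurePosixPath

MAX_XML_BYTES = 1 << 20  # refuse to parse an oversized content.xml


def is_unsafe_name(name):
    """True if a path is absolute or contains a '..' component."""
    norm = name.replace("\\", "/")
    return norm.startswith("/") or ".." in PurePosixPath(norm).parts


def audit_okular_archive(data):
    """Return a list of findings for a .okular (zip) archive given as bytes."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for member in zf.namelist():
            if is_unsafe_name(member):
                findings.append(f"zip member: {member}")
        if "content.xml" not in zf.namelist():
            return findings
        if zf.getinfo("content.xml").file_size > MAX_XML_BYTES:
            return findings + ["content.xml: unexpectedly large"]
        try:
            root = ET.fromstring(zf.read("content.xml"))
        except ET.ParseError:
            return findings + ["content.xml: not well-formed XML"]
        # Element names are not assumed: every text value is checked, and a
        # file name carrying any path separator is treated as suspicious.
        for elem in root.iter():
            text = (elem.text or "").strip().replace("\\", "/")
            if text and ("/" in text or is_unsafe_name(text)):
                findings.append(f"content.xml <{elem.tag}>: {text}")
    return findings


def build_sample(doc_name):
    """Constructed sample archive; the XML layout is an assumption."""
    xml = (f"<OkularArchive><Files><DocumentFileName>{doc_name}"
           "</DocumentFileName></Files></OkularArchive>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("content.xml", xml)
        zf.writestr("doc.pdf", b"%PDF-1.4\n")
    return buf.getvalue()


if __name__ == "__main__":
    for name in ("doc.pdf", "../../tmp/doc.pdf"):
        print(name, "->", audit_okular_archive(build_sample(name)) or "clean")
```

An empty result means neither the member list nor content.xml carried a traversal sequence; any finding is a reason not to open the archive with an affected Okular version.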
This issue has been addressed in the following products:
Red Hat Enterprise Linux 7
Via RHSA-2020:1173 https://access.redhat.com/errata/RHSA-2020:1173
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):