Bug 1626265 - (CVE-2018-1000801) CVE-2018-1000801 okular: Directory traversal in function unpackDocumentArchive() in core/document.cpp
Status: NEW
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All Linux
Priority: medium, Severity: medium
Assigned To: Red Hat Product Security
Whiteboard: impact=moderate,public=20180906,repor...
Keywords: Security
Depends On: 1634726 1626266
Blocks: 1626267
Reported: 2018-09-06 17:42 EDT by Pedro Sampaio
Modified: 2018-10-01 11:45 EDT
Fixed In Version: okular 18.08.1
Doc Text:
A path traversal vulnerability has been discovered in Okular, in the way it creates temporary files when reading an Okular archive. Paths are read from content.xml and they are not properly sanitized before being used as template file names for the temporary files created when extracting the Okular archive, thus allowing a local attacker to write files outside the target temporary directory.
Description Pedro Sampaio 2018-09-06 17:42:07 EDT
okular version 18.08 and earlier contains a Directory Traversal vulnerability in
function unpackDocumentArchive() in core/document.cpp that can result in
arbitrary file creation on the user workstation. This attack appears to be
exploitable when the victim opens a specially crafted Okular archive. This
issue appears to have been corrected in version 18.08.1.


Upstream bug:
https://bugs.kde.org/show_bug.cgi?id=398096

Upstream patch:
https://cgit.kde.org/okular.git/commit/?id=8ff7abc14d41906ad978b6bc67e69693863b9d47
Comment 1 Pedro Sampaio 2018-09-06 17:42:37 EDT
Created okular tracking bugs for this issue:

Affects: fedora-all [bug 1626266]
Comment 3 Riccardo Schirone 2018-10-01 08:46:27 EDT
In core/document.cpp:openDocumentArchive()/unpackDocumentArchive() there are not enough checks to prevent a maliciously crafted okular archive, with a name that traverses paths, from writing temporary files outside the target directory. The template/suffix of the temporary file names is determined from the document file name read in the content.xml file, contained in the okular archive, without proper checks. This allows an attacker to set a name template/suffix with path traversals "../", thus creating temporary files anywhere the user can write to.
Comment 5 Riccardo Schirone 2018-10-01 08:59:21 EDT
Mitigation:

Check Okular archives with `unzip -l <archive-name>.okular` before opening them. Do not open them with Okular if they contain files with "../".
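
A scripted version of the check in the mitigation above, as an added example that is not part of the bug report or of Okular's code: it flags archive members whose names are absolute or contain `..`, and also inspects content.xml, which is where the report says the file name is read from. The `make_sample` helper, its content.xml layout and the bare-file-name policy are assumptions of this example.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from pathlib import PurePosixPath
from xml.sax.saxutils import escape


def escapes_dir(name):
    """True if a zip member name is absolute or contains a '..' component."""
    name = name.replace("\\", "/")
    return name.startswith("/") or ".." in PurePosixPath(name).parts


def check_okular_archive(data):
    """Return (location, value) findings for an .okular archive given as bytes."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        findings += [("member", n) for n in names if escapes_dir(n)]
        if "content.xml" not in names:
            return findings
        raw = zf.read("content.xml")
    if b"<!DOCTYPE" in raw:
        # Refuse DTDs rather than let the parser expand entities.
        return findings + [("content.xml", "DOCTYPE present")]
    try:
        root = ET.fromstring(raw)
    except ET.ParseError:
        return findings + [("content.xml", "not well-formed")]
    for el in root.iter():
        text = (el.text or "").strip()
        # Policy of this example: any name stored in content.xml must be a
        # bare file name, because it ends up in a temporary file name.
        if "/" in text or "\\" in text or text in (".", ".."):
            findings.append(("content.xml:" + el.tag, text))
    return findings


def make_sample(doc_name, member_name=None):
    """Constructed test archive; the content.xml layout is an assumption."""
    xml = ("<OkularArchive><Files><Document>%s</Document>"
           "<Metadata>metadata.xml</Metadata></Files></OkularArchive>"
           % escape(doc_name))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("content.xml", xml)
        zf.writestr("metadata.xml", "<documentInfo/>")
        zf.writestr(member_name or doc_name, b"%PDF-1.4 constructed placeholder")
    return buf.getvalue()
```

An empty result means no finding under this policy; any non-empty result is a reason not to open the archive with an affected Okular version.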
