Okular can be tricked into executing local binaries via specially crafted PDF files.
Created okular tracking bugs for this issue:
Affects: epel-8 [bug 1815653]
Affects: fedora-all [bug 1815652]
There's an issue on Okular. When processing actions taken by the user when reading a PDF file, Okular has the capability of opening other linked files. This is done using the KRun() object from the KDE API. The KRun() class checks the mimetype, properly executes the requested action using the proper application and exits afterwards. It has the capability to open .desktop files and execute binaries by default. This creates a vulnerability on Okular due to the lack of restriction in the types that can be executed, as the caller may explicitly set a KRun() class property to avoid it executing binaries. An attacker can leverage this weakness by creating a crafted PDF file which has a URL pointing to a binary or a script which will be executed without the user noticing it. User interaction is required as the user needs to be tricked into opening the crafted PDF file, and the impact will be restricted only to Okular's running UID. As there's no way to call binaries that use parameters and Okular runs as a non-privileged user, major impact is only possible if the system is already compromised by another independent vulnerability. This causes the confidentiality, integrity and availability impact to be considered Low.
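Added illustration (not Okular's or KIO's own code): a self-contained model of the gate KRun applies once the caller has disabled executables via its setRunExecutables(false) property, run over a constructed list of link targets. The MIME list mirrors the types KRun treats as executable and the extension table stands in for QMimeDatabase; both are assumptions.

```cpp
#include <algorithm>
#include <map>
#include <string>
#include <vector>

// Stand-in for QMimeDatabase::mimeTypeForUrl(): a constructed extension table
// (real lookups also sniff content; this is a simplification for the example).
std::string mimeForUrl(const std::string &url) {
    static const std::map<std::string, std::string> byExt = {
        {".pdf", "application/pdf"},          {".html", "text/html"},
        {".sh", "application/x-shellscript"}, {".desktop", "application/x-desktop"},
    };
    const auto dot = url.rfind('.');
    if (dot == std::string::npos) return "application/octet-stream";
    const auto it = byExt.find(url.substr(dot));
    return it == byExt.end() ? "application/octet-stream" : it->second;
}

// MIME types KRun refuses when executables are disabled (assumption based on
// KIO's KRun; the list is illustrative, not copied from the library).
bool isExecutableMime(const std::string &mime) {
    static const std::vector<std::string> exec = {
        "application/x-desktop", "application/x-executable", "application/x-sharedlib",
        "application/x-ms-dos-executable", "application/x-shellscript",
    };
    return std::find(exec.begin(), exec.end(), mime) != exec.end();
}

enum class LinkDecision { Open, Refuse };

// The decision a PDF viewer's link handler faces: with runExecutables == true
// (KRun's default) every target is handed to its handler, including binaries
// and .desktop files; with it false, executable targets are refused and only
// document-like targets are opened with their associated application.
LinkDecision decideLinkAction(const std::string &mime, bool runExecutables) {
    if (!runExecutables && isExecutableMime(mime)) return LinkDecision::Refuse;
    return LinkDecision::Open;
}

// Apply the hardened policy to a batch of link targets from a document and
// report which ones would have been refused.
std::vector<std::string> refusedTargets(const std::vector<std::string> &urls) {
    std::vector<std::string> refused;
    for (const auto &u : urls)
        if (decideLinkAction(mimeForUrl(u), false) == LinkDecision::Refuse)
            refused.push_back(u);
    return refused;
}
```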
There's no available mitigation other than not opening PDF files from untrusted sources.
This issue has been addressed in the following products:
Red Hat Enterprise Linux 7
Via RHSA-2020:4024 https://access.redhat.com/errata/RHSA-2020:4024
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):