Bug 1626265 (CVE-2018-1000801) - CVE-2018-1000801 okular: Directory traversal in function unpackDocumentArchive() in core/document.cpp
Alias: CVE-2018-1000801
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
Depends On: 1626266 1634726
Blocks: 1626267
Reported: 2018-09-06 21:42 UTC by Pedro Sampaio
Modified: 2021-02-16 23:05 UTC (History)

Fixed In Version: okular 18.08.1
Doc Text:
A path traversal vulnerability has been discovered in Okular, in the way it creates temporary files when reading an Okular archive. Paths are read from content.xml and they are not properly sanitized before being used as template file names for the temporary files created when extracting the Okular archive, thus allowing a local attacker to write files outside the target temporary directory.
Last Closed: 2020-03-31 22:33:14 UTC

System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2020:1173 0 None None None 2020-03-31 19:30:29 UTC

Description Pedro Sampaio 2018-09-06 21:42:07 UTC
okular version 18.08 and earlier contains a Directory Traversal vulnerability in
function unpackDocumentArchive() in core/document.cpp that can result in
arbitrary file creation on the user workstation. This attack appears to be
exploitable when the victim opens a specially crafted Okular archive. This
issue appears to have been corrected in version 18.08.1.

Upstream bug:

Upstream patch:

Comment 1 Pedro Sampaio 2018-09-06 21:42:37 UTC
Created okular tracking bugs for this issue:

Affects: fedora-all [bug 1626266]

Comment 3 Riccardo Schirone 2018-10-01 12:46:27 UTC
In core/document.cpp:openDocumentArchive()/unpackDocumentArchive() there are not enough checks to prevent a maliciously crafted Okular archive, with a name that traverses paths, from writing temporary files outside the target directory. The template/suffix of the temporary file names is determined from the document file name read in the content.xml file, contained in the Okular archive, without proper checks. This allows an attacker to set a name template/suffix with path traversals "../", thus creating temporary files anywhere the user can write to.

Comment 5 Riccardo Schirone 2018-10-01 12:59:21 UTC

Check Okular archives with `unzip -l <archive-name>.okular` before opening them. Do not open them with Okular if they contain files with "../".
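
The same pre-open check automated, as an added example that is not part of the original comment or of Okular's code: it lists the ZIP entry names like `unzip -l` and, going one step further, also inspects the names stored inside content.xml, which is where the comments above say the temporary file name comes from. The function names, the sample archive and its content.xml element layout are constructed for illustration.

```python
import io
import xml.etree.ElementTree as ET
import zipfile


def has_traversal(name: str) -> bool:
    """True for absolute paths or any '..' component ('/' or '\\' separated)."""
    parts = name.replace("\\", "/").split("/")
    return name.startswith(("/", "\\")) or ".." in parts


def audit_okular_archive(data: bytes) -> list[str]:
    """Return findings for an .okular (ZIP) archive given as bytes."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        findings += [f"zip entry: {n}" for n in names if has_traversal(n)]
        if "content.xml" in names:
            try:
                root = ET.fromstring(zf.read("content.xml"))
            except ET.ParseError:
                return findings + ["content.xml: not well-formed XML"]
            # Assumption: file names are carried as element text in content.xml.
            for el in root.iter():
                text = (el.text or "").strip()
                if text and has_traversal(text):
                    findings.append(f"content.xml <{el.tag}>: {text}")
    return findings


def build_sample(document_name: str) -> bytes:
    """Constructed sample archive; the element layout is illustrative."""
    xml = (
        "<OkularArchive><Files>"
        f"<Document>{document_name}</Document>"
        "<Metadata>metadata.xml</Metadata>"
        "</Files></OkularArchive>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("content.xml", xml)
        zf.writestr(document_name, b"%PDF-1.4 constructed sample")
        zf.writestr("metadata.xml", "<documentInfo/>")
    return buf.getvalue()


if __name__ == "__main__":
    for name in ("report.pdf", "../../outside.pdf"):
        print(name, "->", audit_okular_archive(build_sample(name)) or "clean")
```

An empty result means neither the entry names nor content.xml carry a traversing name; any finding is a reason not to open the archive with an unpatched Okular.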

Comment 6 errata-xmlrpc 2020-03-31 19:30:28 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2020:1173 https://access.redhat.com/errata/RHSA-2020:1173

Comment 7 Product Security DevOps Team 2020-03-31 22:33:14 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

