Bug 1626265 (CVE-2018-1000801) - CVE-2018-1000801 okular: Directory traversal in function unpackDocumentArchive() in core/document.cpp
Summary: CVE-2018-1000801 okular: Directory traversal in function unpackDocumentArchiv...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2018-1000801
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1626266 1634726
Blocks: 1626267
TreeView+ depends on / blocked
 
Reported: 2018-09-06 21:42 UTC by Pedro Sampaio
Modified: 2021-02-16 23:05 UTC (History)
5 users (show)

Fixed In Version: okular 18.08.1
Doc Type: If docs needed, set a value
Doc Text:
A path traversal vulnerability has been discovered in Okular, in the way it creates temporary files when reading an Okular archive. Paths are read from content.xml and they are not properly sanitized before being used as template file names for the temporary files created when extracting the Okular archive, thus allowing a local attacker to write files outside the target temporary directory.
Clone Of:
Environment:
Last Closed: 2020-03-31 22:33:14 UTC


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2020:1173 0 None None None 2020-03-31 19:30:29 UTC

Description Pedro Sampaio 2018-09-06 21:42:07 UTC
okular version 18.08 and earlier contains a Directory Traversal vulnerability in
function unpackDocumentArchive() in core/document.cpp that can result in
arbitrary file creation on the user workstation. This attack appear to be
exploitable when the victim opens a specially crafted Okular archive. This
issue appears to have been corrected in version 18.08.1.


Upstream bug:
https://bugs.kde.org/show_bug.cgi?id=398096

Upstream patch:
https://cgit.kde.org/okular.git/commit/?id=8ff7abc14d41906ad978b6bc67e69693863b9d47

Comment 1 Pedro Sampaio 2018-09-06 21:42:37 UTC
Created okular tracking bugs for this issue:

Affects: fedora-all [bug 1626266]

Comment 3 Riccardo Schirone 2018-10-01 12:46:27 UTC
In core/document.cpp:openDocumentArchive()/unpackDocumentArchive() there are not enough checks to prevent a maliciously crafted okular archive, with a name that traverses paths, from writing temporary files outside the target directory. The template/suffix of the temporary files names is determined from the document file name read in content.xml file, contained in the okular archive, without proper checks. This allows an attacker to set a name template/suffix with path traversals "../", thus creating temporary files anywhere the user can write to.

Comment 5 Riccardo Schirone 2018-10-01 12:59:21 UTC
Mitigation:

Check Okular archives with `unzip -l <archive-name>.okular` before opening them. Do not open them with Okular if they contain files with "../".

Comment 6 errata-xmlrpc 2020-03-31 19:30:28 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2020:1173 https://access.redhat.com/errata/RHSA-2020:1173

Comment 7 Product Security DevOps Team 2020-03-31 22:33:14 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2018-1000801


Note You need to log in before you can comment on or make changes to this bug.