Bug 1815651 (CVE-2020-9359) - CVE-2020-9359 okular: local binary execution via specially crafted PDF files
Summary: CVE-2020-9359 okular: local binary execution via specially crafted PDF files
Status: CLOSED ERRATA
Alias: CVE-2020-9359
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
Depends On: 1815652 1815653 1821451
Blocks: 1815654
Reported: 2020-03-20 19:54 UTC by Guilherme de Almeida Suckevicz
Modified: 2021-02-16 20:26 UTC (History)

Fixed In Version: okular 1.10.0
Last Closed: 2020-09-29 22:00:11 UTC


Links:
Red Hat Product Errata RHSA-2020:4024 (last updated 2020-09-29 20:39:53 UTC)

Description Guilherme de Almeida Suckevicz 2020-03-20 19:54:39 UTC
Okular can be tricked into executing local binaries via specially crafted PDF files.

References:
https://kde.org/info/security/advisory-20200312-1.txt

Upstream commit:
https://invent.kde.org/kde/okular/-/commit/6a93a033b4f9248b3cd4d04689b8391df754e244

Comment 1 Guilherme de Almeida Suckevicz 2020-03-20 19:55:06 UTC
Created okular tracking bugs for this issue:

Affects: epel-8 [bug 1815653]
Affects: fedora-all [bug 1815652]

Comment 3 Marco Benatto 2020-04-06 20:46:39 UTC
External References:

https://kde.org/info/security/advisory-20200312-1.txt

Comment 4 Marco Benatto 2020-04-07 14:20:21 UTC
There's an issue on Okular. When processing actions taken by the user when reading a PDF file, Okular has the capability of opening other linked files. This is done using a KRun() object from the KDE API. The KRun() class checks the mimetype and executes the requested action using the proper application, and exits afterwards. It has the capability to open .desktop files and execute binaries by default. This creates a vulnerability on Okular due to the lack of restriction on the types that can be executed, as the caller may explicitly set a KRun() class property to avoid it executing binaries.

An attacker can leverage this weakness by creating a crafted PDF file which has a URL pointing to a binary or a script, which will be executed without the user noticing it. User interaction is required, as the user needs to be tricked into opening the crafted PDF file, and the impact will be restricted only to Okular's running UID. As there's no way to call binaries with parameters and Okular runs as a non-privileged user, major impact is only possible if the system is already compromised by another independent vulnerability. This causes the confidentiality, integrity and availability impact to be considered Low.
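A detection-side check for the class of document described in the comment above, added here as an example and not part of this bug report or of Okular itself: it scans a PDF's uncompressed action dictionaries for URI actions whose target is a local path (file: scheme or no scheme at all), which is the kind of link target a viewer would otherwise hand straight to KRun. The PDF bytes in the block are constructed for the example.

```python
import re
from urllib.parse import urlsplit

# Matches an uncompressed PDF action dictionary of the form
#   << /S /URI /URI (target) >>
# Real-world PDFs often keep annotations inside compressed object streams,
# so decompress the file first (e.g. with a QDF-style rewrite) before scanning;
# this scanner also ignores hex-encoded strings and escaped ')' characters.
URI_ACTION = re.compile(rb"/S\s*/URI\b[^>]*?/URI\s*\(([^)]*)\)", re.DOTALL)


def is_local_target(target: str) -> bool:
    """True when a URI action resolves to a local file rather than a remote page."""
    scheme = urlsplit(target).scheme
    return scheme in ("", "file")


def find_suspicious_actions(pdf_bytes: bytes) -> list:
    """Return (kind, target) pairs for URI actions that point at local paths."""
    findings = []
    for match in URI_ACTION.finditer(pdf_bytes):
        target = match.group(1).decode("latin-1")
        if is_local_target(target):
            findings.append(("URI->local", target))
    return findings


# Constructed sample: one benign https link annotation and two annotations
# whose targets are local paths (a .desktop file and a relative script path).
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://kde.org/) >> >> endobj
2 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (file:///tmp/run-me.desktop) >> >> endobj
3 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (./open-me.sh) >> >> endobj
%%EOF
"""

if __name__ == "__main__":
    for kind, target in find_suspicious_actions(SAMPLE_PDF):
        print(f"{kind}: {target}")
```

A hit only means the document carries a link that a viewer without a setRunExecutables-style restriction would treat as a local launch target; it still needs a user click in Okular, so treat it as a triage signal rather than proof of exploitation.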

Comment 6 Marco Benatto 2020-04-07 14:40:05 UTC
Mitigation:

There's no available mitigation other than not opening PDF files from untrusted sources.

Comment 7 errata-xmlrpc 2020-09-29 20:39:51 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2020:4024 https://access.redhat.com/errata/RHSA-2020:4024

Comment 8 Product Security DevOps Team 2020-09-29 22:00:11 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-9359
