On Tue, Nov 27, 2018 at 10:40:37PM +0000, Ken Moffat via blfs-dev wrote:
> https://nvd.nist.gov/vuln/detail/CVE-2018-1000801
> 
>   okular version 18.08 and earlier contains a Directory Traversal
>   vulnerability in function "unpackDocumentArchive(...)" in
>   "core/document.cpp" that can result in Arbitrary file creation on
>   the user workstation. This attack appears to be exploitable via the
>   victim must open a specially crafted Okular archive. This issue
>   appears to have been corrected in version 18.08.1
> 
> I started to look at this a few days ago, but eventually persuaded
> myself that we were using 18.08.1 which is fixed.  I'm obviously
> getting flakier than I thought.
> 
> Now that I've built plasma (possibly - see support) I can see that I
> had not downloaded the KF5 applications I build (most of what is in
> the book, except kdenlive which I have no use for and where I loathe
> its string of static-library dependencies, plus some others).
> 

Correction - I also omit k3b, libkcddb, musicbrainz5.

> Should we just update okular to 18.08.1 ?  Or use 18.08.3 ?
> 

Will try 18.08.3 when I get to that, if it builds on top of
everything else that is in current BLFS.

ĸen
-- 
If a man stands before a mirror and sees in it his reflection, what
he sees is not a true reproduction, but a picture of himself when he
was a younger man.        -- de Selby