On 11/27/2018 04:44 PM, Ken Moffat via blfs-dev wrote:
On Tue, Nov 27, 2018 at 10:40:37PM +0000, Ken Moffat via blfs-dev wrote:
https://nvd.nist.gov/vuln/detail/CVE-2018-1000801
okular version 18.08 and earlier contains a Directory Traversal
vulnerability in function "unpackDocumentArchive(...)" in
"core/document.cpp" that can result in Arbitrary file creation on
the user workstation. This attack appear to be exploitable via he
victim must open a specially crafted Okular archive. This issue
appears to have been corrected in version 18.08.1
I started to look at this a few days ago, but eventually persuaded
myself that we were using 18.08.1 which is fixed. I'm obviously
getting flakier than I thought.
Now that I've built plasma (possibly - see support) I can see that I
had not downloaded the KF5 applications I build (most of what is in
the book, except kdenlive which I have no use for and where I loathe
its string of static-library dependencies, plus some others.
Correction - I also omit k3b, libkcddb, musicbrainz5.
Should we just update okular to 18.08.1 ? Or use 18.08.3 ?
Will try 18.08.3 when I get to that, if it builds on top of
everything else that is in current BLFS.
I think we can wait two weeks and I'll do all kde then.
-- Bruce
--
http://lists.linuxfromscratch.org/listinfo/blfs-dev
FAQ: http://www.linuxfromscratch.org/blfs/faq.html
Unsubscribe: See the above information page
