Control: tags 908168 + pending

Dear maintainer,

I've prepared an NMU for okular (versioned as 4:17.12.2-2.1) and
uploaded it to DELAYED/5. Please feel free to tell me if I
should delay it longer.

Simon, this is only in case it would be appreciated to have the fix
via an NMU. In case you want me to drop it the above applies and I can
happily drop it again.

experimental would need the fix as well (or go to 18.08.1 directly
with the fix).

Regards,
Salvatore
diff -Nru okular-17.12.2/debian/changelog okular-17.12.2/debian/changelog
--- okular-17.12.2/debian/changelog	2018-02-22 06:57:20.000000000 +0100
+++ okular-17.12.2/debian/changelog	2018-12-02 12:27:39.000000000 +0100
@@ -1,3 +1,11 @@
+okular (4:17.12.2-2.1) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * Fix path traversal issue when extracting an .okular file
+    (CVE-2018-1000801) (Closes: #908168)
+
+ -- Salvatore Bonaccorso <car...@debian.org>  Sun, 02 Dec 2018 12:27:39 +0100
+
 okular (4:17.12.2-2) unstable; urgency=medium
 
   * Team upload.
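Review bot: The new changelog entry describes the fix and closes the bug but does not name the file it adds under debian/patches, so a reader of the changelog alone cannot tell which patch carries the CVE-2018-1000801 fix. Consider listing Fix-path-traversal-issue-when-extracting-an-.okular-.patch in the bullet, and consider whether urgency=medium is the intended urgency for an upload whose only change is a security fix.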
diff -Nru okular-17.12.2/debian/patches/Fix-path-traversal-issue-when-extracting-an-.okular-.patch okular-17.12.2/debian/patches/Fix-path-traversal-issue-when-extracting-an-.okular-.patch
--- okular-17.12.2/debian/patches/Fix-path-traversal-issue-when-extracting-an-.okular-.patch	1970-01-01 01:00:00.000000000 +0100
+++ okular-17.12.2/debian/patches/Fix-path-traversal-issue-when-extracting-an-.okular-.patch	2018-12-02 12:24:52.000000000 +0100
@@ -0,0 +1,50 @@
+From: Albert Astals Cid <aa...@kde.org>
+Date: Mon, 3 Sep 2018 21:14:30 +0200
+Subject: Fix path traversal issue when extracting an .okular file
+Origin: https://cgit.kde.org/okular.git/commit/?id=8ff7abc14d41906ad978b6bc67e69693863b9d47
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-1000801
+Bug-Debian: https://bugs.debian.org/908168
+Bug: https://bugs.kde.org/show_bug.cgi?id=398096
+
+Summary:
+With specially crafted .okular files you can trick okular to create temporary files outside the temporary folder
+
+We fix that by making sure the file doesn't have folders since the ones we create don't
+
+BUGS: 398096
+
+Subscribers: okular-devel
+
+Tags: #okular
+
+Differential Revision: https://phabricator.kde.org/D15192
+---
+ core/document.cpp | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+diff --git a/core/document.cpp b/core/document.cpp
+index 5e3c169fcff3..7d461738657c 100644
+--- a/core/document.cpp
++++ b/core/document.cpp
+@@ -4819,6 +4819,18 @@ ArchiveData *DocumentPrivate::unpackDocumentArchive( const QString &archivePath
+         return nullptr;
+ 
+     const KArchiveDirectory * mainDir = okularArchive.directory();
++
++    // Check the archive doesn't have folders, we don't create them when saving the archive
++    // and folders mean paths and paths mean path traversal issues
++    for ( const QString &entry : mainDir->entries() )
++    {
++        if ( mainDir->entry( entry )->isDirectory() )
++        {
++            qWarning() << "Warning: Found a directory inside" << archivePath << " - Okular does not create files like that so it is most probably forged.";
++            return nullptr;
++        }
++    }
++
+     const KArchiveEntry * mainEntry = mainDir->entry( QStringLiteral("content.xml") );
+     if ( !mainEntry || !mainEntry->isFile() )
+         return nullptr;
+-- 
+2.20.0.rc1
+
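Review bot: The loop over mainDir->entries() rejects the archive only when a top-level entry is a directory, so it uses "no directories present" as a stand-in for "no entry name carries a path component"; the names themselves are never inspected in this hunk. It would be more robust to also check, at the point where the temporary file path is built from an entry name, that the name contains no separator or ".." component, since that is the property the fix depends on. Two smaller points: mainDir->entry( entry ) is dereferenced without a null check although the content.xml lookup directly below does test !mainEntry, and the qWarning() message starts with a redundant "Warning:". A regression test that opens a forged archive containing a directory would keep later uploads from losing this check.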
diff -Nru okular-17.12.2/debian/patches/series okular-17.12.2/debian/patches/series
--- okular-17.12.2/debian/patches/series	1970-01-01 01:00:00.000000000 +0100
+++ okular-17.12.2/debian/patches/series	2018-12-02 12:25:04.000000000 +0100
@@ -0,0 +1 @@
+Fix-path-traversal-issue-when-extracting-an-.okular-.patch
