Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian....@packages.debian.org
Usertags: pu
X-Debbugs-Cc: p...@debian.org
Low severity fix for Okular, which doesn't warrant a DSA. I've tested with the reproducer and a number of other PDF files that everything works as expected.

Cheers,
Moritz
diff -Nru okular-17.12.2/debian/changelog okular-17.12.2/debian/changelog --- okular-17.12.2/debian/changelog 2019-03-24 13:05:50.000000000 +0100 +++ okular-17.12.2/debian/changelog 2020-10-07 22:57:59.000000000 +0200 @@ -1,3 +1,9 @@ +okular (4:17.12.2-2.2+deb10u1) buster; urgency=medium + + * CVE-2020-9359 (Closes: #954891) + + -- Moritz Mühlenhoff <j...@debian.org> Wed, 07 Oct 2020 22:57:59 +0200 + okular (4:17.12.2-2.2) unstable; urgency=medium * Non-maintainer upload. diff -Nru okular-17.12.2/debian/patches/CVE-2020-9359.patch okular-17.12.2/debian/patches/CVE-2020-9359.patch --- okular-17.12.2/debian/patches/CVE-2020-9359.patch 1970-01-01 01:00:00.000000000 +0100 +++ okular-17.12.2/debian/patches/CVE-2020-9359.patch 2020-10-07 22:57:20.000000000 +0200 @@ -0,0 +1,27 @@ +From 6a93a033b4f9248b3cd4d04689b8391df754e244 Mon Sep 17 00:00:00 2001 +From: Albert Astals Cid <aa...@kde.org> +Date: Tue, 10 Mar 2020 23:07:24 +0100 +Subject: [PATCH] Document::processAction: If the url points to a binary, don't + run it + +--- + core/document.cpp | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/core/document.cpp b/core/document.cpp +index 3215a1abc..0aa5b6980 100644 +--- a/core/document.cpp ++++ b/core/document.cpp +@@ -4388,7 +4388,8 @@ void Document::processAction( const Action * action ) + { + const QUrl realUrl = KIO::upUrl(d->m_url).resolved(url); + // KRun autodeletes +- new KRun( realUrl, d->m_widget ); ++ KRun *r = new KRun( realUrl, d->m_widget ); ++ r->setRunExecutables(false); + } + } + } break; +-- +GitLab + diff -Nru okular-17.12.2/debian/patches/series okular-17.12.2/debian/patches/series --- okular-17.12.2/debian/patches/series 2018-12-02 12:25:04.000000000 +0100 +++ okular-17.12.2/debian/patches/series 2020-10-07 22:57:50.000000000 +0200 @@ -1 +1,2 @@ Fix-path-traversal-issue-when-extracting-an-.okular-.patch +CVE-2020-9359.patch
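Review bot: The debian/changelog entry for 4:17.12.2-2.2+deb10u1 only names the CVE id; a stable update should also say what changed, e.g. `* CVE-2020-9359: don't run executables when following a link action in a document (Closes: #954891)`, so users reading the changelog understand the impact without looking up the advisory.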
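Review bot: In the core/document.cpp hunk of CVE-2020-9359.patch the fix relies on `new KRun( realUrl, d->m_widget )` not having launched the target before `r->setRunExecutables(false)` is called on the next line; a one-line comment next to the existing `// KRun autodeletes` remark stating that KRun starts asynchronously would make that ordering assumption explicit for future readers. The new patch file also carries only the upstream From/Subject lines; adding a DEP-3 `Bug-Debian: https://bugs.debian.org/954891` header would tie it to the bug closed in the changelog.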