Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian....@packages.debian.org
Usertags: pu
X-Debbugs-Cc: p...@debian.org

Low severity fix for Okular, which doesn't warrant a DSA.
I've tested with the reproducer and a number of other PDF
files that everything works as expected.

Cheers,
        Moritz
diff -Nru okular-17.12.2/debian/changelog okular-17.12.2/debian/changelog
--- okular-17.12.2/debian/changelog     2019-03-24 13:05:50.000000000 +0100
+++ okular-17.12.2/debian/changelog     2020-10-07 22:57:59.000000000 +0200
@@ -1,3 +1,9 @@
+okular (4:17.12.2-2.2+deb10u1) buster; urgency=medium
+
+  * CVE-2020-9359 (Closes: #954891)
+
+ -- Moritz Mühlenhoff <j...@debian.org>  Wed, 07 Oct 2020 22:57:59 +0200
+
 okular (4:17.12.2-2.2) unstable; urgency=medium
 
   * Non-maintainer upload.
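Review bot: the changelog entry carries only the CVE id and bug number with no description of what was fixed; Debian changelog entries normally state the change in one line so readers need not look up the identifier. Suggest something like `* CVE-2020-9359: Don't run executables when a PDF link resolves to a local binary (Closes: #954891)`, matching the subject of the embedded upstream patch.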
diff -Nru okular-17.12.2/debian/patches/CVE-2020-9359.patch 
okular-17.12.2/debian/patches/CVE-2020-9359.patch
--- okular-17.12.2/debian/patches/CVE-2020-9359.patch   1970-01-01 
01:00:00.000000000 +0100
+++ okular-17.12.2/debian/patches/CVE-2020-9359.patch   2020-10-07 
22:57:20.000000000 +0200
@@ -0,0 +1,27 @@
+From 6a93a033b4f9248b3cd4d04689b8391df754e244 Mon Sep 17 00:00:00 2001
+From: Albert Astals Cid <aa...@kde.org>
+Date: Tue, 10 Mar 2020 23:07:24 +0100
+Subject: [PATCH] Document::processAction: If the url points to a binary, don't
+ run it
+
+---
+ core/document.cpp | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/core/document.cpp b/core/document.cpp
+index 3215a1abc..0aa5b6980 100644
+--- a/core/document.cpp
++++ b/core/document.cpp
+@@ -4388,7 +4388,8 @@ void Document::processAction( const Action * action )
+                 {
+                     const QUrl realUrl = KIO::upUrl(d->m_url).resolved(url);
+                     // KRun autodeletes
+-                    new KRun( realUrl, d->m_widget );
++                    KRun *r = new KRun( realUrl, d->m_widget );
++                    r->setRunExecutables(false);
+                 }
+             }
+             } break;
+-- 
+GitLab
+
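Review bot: the fix relies on `r->setRunExecutables(false)` taking effect after `new KRun( realUrl, d->m_widget )` has already been constructed, so the review check here is that KRun defers its actual work to the event loop (it schedules its initialisation rather than handling the URL in the constructor); if that holds, the setter is applied in time, and it would be worth a one-line comment above the call saying so. Separately, the patch header has the git `From:`/`Date:`/`Subject:` fields but no `Origin:` or `Bug-Debian:` line pointing at #954891; adding DEP-3 metadata would make the provenance of the backport easier to verify.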
diff -Nru okular-17.12.2/debian/patches/series 
okular-17.12.2/debian/patches/series
--- okular-17.12.2/debian/patches/series        2018-12-02 12:25:04.000000000 
+0100
+++ okular-17.12.2/debian/patches/series        2020-10-07 22:57:50.000000000 
+0200
@@ -1 +1,2 @@
 Fix-path-traversal-issue-when-extracting-an-.okular-.patch
+CVE-2020-9359.patch
