diff options
author | Eric Hameleers <alien@slackware.com> | 2020-03-20 10:34:34 +0100 |
---|---|---|
committer | Eric Hameleers <alien@slackware.com> | 2020-03-20 10:34:34 +0100 |
commit | 05f4009a4a1497d3cc553b865b1617c4d38b005f (patch) | |
tree | f31c0cf40a0a3ae280b1c1958bc9b130624501cb /kde/patch | |
parent | 4545d1e713e90498254656ed03c18fc618b2f251 (diff) | |
download | ktown-05f4009a4a1497d3cc553b865b1617c4d38b005f.tar.gz ktown-05f4009a4a1497d3cc553b865b1617c4d38b005f.tar.xz |
okular: addresss and fix CVE-2020-9359
Diffstat (limited to 'kde/patch')
-rw-r--r-- | kde/patch/okular.patch | 3 | ||||
-rw-r--r-- | kde/patch/okular/cve-2020-9359.patch | 32 |
2 files changed, 35 insertions, 0 deletions
diff --git a/kde/patch/okular.patch b/kde/patch/okular.patch new file mode 100644 index 0000000..0c7d444 --- /dev/null +++ b/kde/patch/okular.patch @@ -0,0 +1,3 @@ +# Address CVE-2020-9359 (repaired in 20.04.0): +cat $CWD/patch/okular/cve-2020-9359.patch | patch -p1 --verbose || { touch ${SLACK_KDE_BUILD_DIR}/${PKGNAME}.failed ; continue ; } + diff --git a/kde/patch/okular/cve-2020-9359.patch b/kde/patch/okular/cve-2020-9359.patch new file mode 100644 index 0000000..d82c91c --- /dev/null +++ b/kde/patch/okular/cve-2020-9359.patch @@ -0,0 +1,32 @@ +Okular: Local binary execution via action links +CVE: CVE-2020-9359 + +Okular can be tricked into executing local binaries via specially crafted +PDF files. +This binary execution can require almost no user interaction. +No parameters can be passed to those local binaries. +We have not been able to identify any binary that will cause actual damage, +be it in the hardware or software level, when run without parameters. + +We remain relatively confident that for this issue to do any actual damage, +it has to run a binary specially crafted. That binary must have been deployed +to the user system via another method, be it the user downloading it directly +as an email attachment, webpage download, etc. or by the system being +already compromised. + + +diff --git a/core/document.cpp b/core/document.cpp +index 3215a1abce6292a6cc25c5f8b645232c92d75ec5..0aa5b698019a2660f2d6baabd54cef1e82002b0e 100644 +--- a/core/document.cpp ++++ b/core/document.cpp +@@ -4388,7 +4388,8 @@ void Document::processAction( const Action * action ) + { + const QUrl realUrl = KIO::upUrl(d->m_url).resolved(url); + // KRun autodeletes +- new KRun( realUrl, d->m_widget ); ++ KRun *r = new KRun( realUrl, d->m_widget ); ++ r->setRunExecutables(false); + } + } + } break; + |