Hi everybody,
in case you are interested, this is the debdiff to fix CVE-2018-1000801
of okular in Stretch.
Thorsten
diff -Nru okular-16.08.2/debian/changelog okular-16.08.2/debian/changelog
--- okular-16.08.2/debian/changelog 2016-10-19 12:34:55.000000000 +0200
+++ okular-16.08.2/debian/changelog 2018-09-20 21:03:02.000000000 +0200
@@ -1,3 +1,12 @@
+okular (4:16.08.2-1+deb9u1) stretch-security; urgency=medium
+
+ * Non-maintainer upload by the LTS Team.
+ * CVE-2018-1000801
+ Fix for a directory traversal vulnerability that can result in
+ arbitrary file creation on the user workstation.
+
+ -- Thorsten Alteholz <deb...@alteholz.de> Thu, 20 Sep 2018 21:03:02 +0200
+
okular (4:16.08.2-1) unstable; urgency=medium
[ Automatic packaging ]
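Review bot: The new 4:16.08.2-1+deb9u1 entry names CVE-2018-1000801 but not the file that carries the fix, so a reader of the changelog cannot tell which patch to audit. Consider adding a line such as "Add debian/patches/CVE-2018-1000801.patch (upstream commit 8ff7abc1)" under the CVE bullet. Also confirm that "Non-maintainer upload by the LTS Team" is the wording you want on an upload targeted at stretch-security.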
diff -Nru okular-16.08.2/debian/patches/CVE-2018-1000801.patch
okular-16.08.2/debian/patches/CVE-2018-1000801.patch
--- okular-16.08.2/debian/patches/CVE-2018-1000801.patch 1970-01-01
01:00:00.000000000 +0100
+++ okular-16.08.2/debian/patches/CVE-2018-1000801.patch 2018-09-20
21:03:02.000000000 +0200
@@ -0,0 +1,45 @@
+From 8ff7abc14d41906ad978b6bc67e69693863b9d47 Mon Sep 17 00:00:00 2001
+From: Albert Astals Cid <aa...@kde.org>
+Date: Mon, 3 Sep 2018 21:14:30 +0200
+Subject: Fix path traversal issue when extracting an .okular file
+
+Summary:
+With specially crafted .okular files you can trick okular to create temporary
files outside the temporary folder
+
+We fix that by making sure the file doesn't have folders since the ones we
create don't
+
+BUGS: 398096
+
+Subscribers: okular-devel
+
+Tags: #okular
+
+Differential Revision: https://phabricator.kde.org/D15192
+---
+ core/document.cpp | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+Index: okular-16.08.2/core/document.cpp
+===================================================================
+--- okular-16.08.2.orig/core/document.cpp 2018-09-19 12:35:09.690099888
+0200
++++ okular-16.08.2/core/document.cpp 2018-09-19 12:35:09.678099888 +0200
+@@ -4368,6 +4368,19 @@
+ return OpenError;
+
+ const KArchiveDirectory * mainDir = okularArchive.directory();
++
++ // Check the archive doesn't have folders, we don't create them when
saving the archive
++ // and folders mean paths and paths mean path traversal issues
++ //original: for ( const QString &entry : mainDir->entries() )
++ Q_FOREACH ( const QString &entry, mainDir->entries() )
++ {
++ if ( mainDir->entry( entry )->isDirectory() )
++ {
++ qWarning() << "Warning: Found a directory inside" << docFile << "
- Okular does not create files like that so it is most probably forged.";
++ return OpenError;
++ }
++ }
++
+ const KArchiveEntry * mainEntry = mainDir->entry( "content.xml" );
+ if ( !mainEntry || !mainEntry->isFile() )
+ return OpenError;
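Review bot: In the added loop, the result of mainDir->entry( entry ) is dereferenced without a null check before ->isDirectory(). The name comes from mainDir->entries(), so it should resolve, but this code runs on an archive the comment itself calls "most probably forged", and a check like "if ( !e || e->isDirectory() ) return OpenError;" keeps the loop fail-closed. Two smaller points on the backport: the "//original: for ( ... )" line is left as dead code in core/document.cpp, which makes 13 added lines against the header's "12 insertions(+)"; the note about swapping the range-for for Q_FOREACH would sit better in the patch header. As mailed, the qWarning() string literal and the first comment line are wrapped across two lines, so this inline copy will not apply or compile as-is; attaching the debdiff would avoid that.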
diff -Nru okular-16.08.2/debian/patches/series
okular-16.08.2/debian/patches/series
--- okular-16.08.2/debian/patches/series 2016-10-19 12:34:55.000000000
+0200
+++ okular-16.08.2/debian/patches/series 2018-09-20 21:03:02.000000000
+0200
@@ -1 +1,2 @@
temporarily_disable_failing_test
+CVE-2018-1000801.patch