Okular: Directory traversal — GLSA 201811-08

Okular is vulnerable to a directory traversal attack.

Affected packages

kde-apps/okular on all architectures
Affected versions < 18.04.3-r1
Unaffected versions >= 18.04.3-r1

Background

Okular is a universal document viewer based on KPDF for KDE 4.

Description

It was discovered that Okular contains a directory traversal vulnerability in the unpackDocumentArchive() function in core/document.cpp.
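
The bug class named above, shown as an added illustration that is not Okular's code or the upstream fix: a hypothetical helper, resolveInside(), that refuses file names from untrusted archive metadata when they are absolute or climb out of the extraction directory. The function name, the directory and the sample names are constructed for this example.

```cpp
#include <iostream>
#include <string>
#include <vector>

// Hypothetical helper (not Okular code): turn a file name read from untrusted
// archive metadata into a path under extractDir. Returns false, leaving `out`
// untouched, if the name is absolute or would climb out of extractDir.
bool resolveInside(const std::string &extractDir,
                   const std::string &untrustedName, std::string &out)
{
    // Empty names and embedded NULs never denote a legitimate member.
    if (untrustedName.empty() || untrustedName.find('\0') != std::string::npos)
        return false;
    // Leading separator: absolute path. "X:" prefix: Windows drive, rejected
    // conservatively even on POSIX.
    if (untrustedName[0] == '/' || untrustedName[0] == '\\' ||
        (untrustedName.size() >= 2 && untrustedName[1] == ':'))
        return false;

    std::vector<std::string> parts; // normalised components, in order
    std::string cur;
    for (std::size_t i = 0; i <= untrustedName.size(); ++i) {
        // Treat end of string as a separator so the last component is flushed.
        const char c = (i == untrustedName.size()) ? '/' : untrustedName[i];
        if (c != '/' && c != '\\') { cur += c; continue; }
        if (cur == "..") {
            if (parts.empty()) return false; // ".." would leave extractDir
            parts.pop_back();
        } else if (!cur.empty() && cur != ".") {
            parts.push_back(cur);
        }
        cur.clear();
    }
    if (parts.empty()) return false; // "." or "a/.." names no file

    std::string joined = extractDir;
    for (const std::string &p : parts) { joined += '/'; joined += p; }
    out = joined;
    return true;
}

int main()
{
    // Constructed sample names, not taken from any real archive.
    const char *names[] = {"document.pdf", "../../home/user/.bashrc", "/etc/passwd", "a/../../b"};
    for (const char *n : names) {
        std::string p;
        std::cout << n << " -> " << (resolveInside("/tmp/okular-example", n, p) ? p : "REJECTED") << "\n";
    }
}
```

The check is purely lexical, so it assumes the extraction directory is freshly created and contains no symbolic links.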

Impact

A remote attacker could entice a user to open a specially crafted Okular archive, possibly allowing the writing of arbitrary files with the privileges of the process.

Workaround

There is no known workaround at this time.

Resolution

All Okular users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=kde-apps/okular-18.04.3-r1"
 

References

Release date
November 10, 2018

Latest revision
November 10, 2018: 1

Severity
normal

Exploitable
remote

Bugzilla entries