From 9e9ddb954886d05d6fa42eb3e75adcfbf7eee3a4 Mon Sep 17 00:00:00 2001 From: rsadowski Date: Tue, 31 Mar 2020 05:01:46 +0000 Subject: [PATCH] Fix CVE-2020-9359 in okular Okular can be tricked into executing local binaries via specially crafted PDF files: https://nvd.nist.gov/vuln/detail/CVE-2020-9359 https://kde.org/info/security/advisory-20200312-1.txt --- x11/kde-applications/okular/Makefile | 4 ++-- .../okular/patches/patch-core_document_cpp | 18 ++++++++++++++++++ 2 files changed, 20 insertions(+), 2 deletions(-) create mode 100644 x11/kde-applications/okular/patches/patch-core_document_cpp diff --git a/x11/kde-applications/okular/Makefile b/x11/kde-applications/okular/Makefile index 640b2e51d74..753ebf4c2a1 100644 --- a/x11/kde-applications/okular/Makefile +++ b/x11/kde-applications/okular/Makefile @@ -1,9 +1,9 @@ -# $OpenBSD: Makefile,v 1.9 2020/03/29 19:43:33 rsadowski Exp $ +# $OpenBSD: Makefile,v 1.10 2020/03/31 05:01:46 rsadowski Exp $ COMMENT = KDE document viewer DISTNAME = okular-${VERSION} CATEGORIES = textproc -REVISION = 0 +REVISION = 1 HOMEPAGE = https://okular.kde.org/ diff --git a/x11/kde-applications/okular/patches/patch-core_document_cpp b/x11/kde-applications/okular/patches/patch-core_document_cpp new file mode 100644 index 00000000000..4093bd42ab4 --- /dev/null +++ b/x11/kde-applications/okular/patches/patch-core_document_cpp @@ -0,0 +1,18 @@ +$OpenBSD: patch-core_document_cpp,v 1.1 2020/03/31 05:01:46 rsadowski Exp $ + +https://nvd.nist.gov/vuln/detail/CVE-2020-9359 +https://kde.org/info/security/advisory-20200312-1.txt + +Index: core/document.cpp +--- core/document.cpp.orig ++++ core/document.cpp +@@ -4352,7 +4352,8 @@ void Document::processAction( const Action * action ) + { + const QUrl realUrl = KIO::upUrl(d->m_url).resolved(url); + // KRun autodeletes +- new KRun( realUrl, d->m_widget ); ++ KRun *r = new KRun( realUrl, d->m_widget ); ++ r->setRunExecutables(false); + } + } + } break;