aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorBart Ribbers <bribbers@disroot.org>2020-03-12 20:52:55 +0100
committerLeo <thinkabit.ukim@gmail.com>2020-03-14 14:33:14 -0300
commit6253a98c558a2be7f91db6f2582b52cd6a0fcbf0 (patch)
tree1534367d0857ffa889251c4c5ad491913941a24d
parentca6e5756c35ec262e609f36f858abc504aba0fe1 (diff)
community/okular: security upgrade to 19.08.3-r1
Diffstat
-rw-r--r--community/okular/APKBUILD13
-rw-r--r--community/okular/CVE-2020-9359.patch27
2 files changed, 37 insertions, 3 deletions
diff --git a/community/okular/APKBUILD b/community/okular/APKBUILD
index 5a11c239ebd..91c14fba55c 100644
--- a/community/okular/APKBUILD
+++ b/community/okular/APKBUILD
@@ -2,7 +2,7 @@
# Maintainer: Bart Ribbers <bribbers@disroot.org>
pkgname=okular
pkgver=19.08.3
-pkgrel=0
+pkgrel=1
arch="all"
url="https://kde.org/applications/office/org.kde.okular"
pkgdesc="A universal document viewer"
@@ -14,9 +14,15 @@ makedepends="extra-cmake-modules qt5-qtbase-dev qt5-qtspeech-dev karchive-dev
kactivities-dev phonon-dev purpose-dev zlib-dev poppler-qt5-dev
kirigami2-dev qca-dev kpty-dev"
checkdepends="xvfb-run"
-source="https://download.kde.org/stable/applications/$pkgver/src/okular-$pkgver.tar.xz"
+source="https://download.kde.org/stable/applications/$pkgver/src/okular-$pkgver.tar.xz
+ CVE-2020-9359.patch
+ "
subpackages="$pkgname-dev $pkgname-doc $pkgname-lang $pkgname-mobile"
+# secfixes:
+# 19.08.3-r1:
+# - CVE-2020-9359
+
prepare() {
default_prepare
@@ -59,4 +65,5 @@ mobile() {
mv "$pkgdir"/usr/share/applications/org.kde.mobile.okular_plucker.desktop "$subpkgdir"/usr/share/applications/
}
-sha512sums="2fffce8023d9b0d08ec03cc51d21827772ed07c3004fcf8a23589211e7f676b61253dc39c8a41da5d9c4764ac9895c1a0e16c72c7157213b2e79ccaf35db77fa okular-19.08.3.tar.xz"
+sha512sums="2fffce8023d9b0d08ec03cc51d21827772ed07c3004fcf8a23589211e7f676b61253dc39c8a41da5d9c4764ac9895c1a0e16c72c7157213b2e79ccaf35db77fa okular-19.08.3.tar.xz
+2d8870f1aa63defcf2ecfd42c0dfb0d474af6885c2448566704795d7caa2e9c20e5ede284db58139ea5736d5d0074d23c023a89f359d09fd6051d1f03f561903 CVE-2020-9359.patch"
diff --git a/community/okular/CVE-2020-9359.patch b/community/okular/CVE-2020-9359.patch
new file mode 100644
index 00000000000..e7d72487621
--- /dev/null
+++ b/community/okular/CVE-2020-9359.patch
@@ -0,0 +1,27 @@
+From 6a93a033b4f9248b3cd4d04689b8391df754e244 Mon Sep 17 00:00:00 2001
+From: Albert Astals Cid <aacid@kde.org>
+Date: Tue, 10 Mar 2020 23:07:24 +0100
+Subject: [PATCH] Document::processAction: If the url points to a binary, don't
+ run it
+
+---
+ core/document.cpp | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/core/document.cpp b/core/document.cpp
+index 3215a1abc..0aa5b6980 100644
+--- a/core/document.cpp
++++ b/core/document.cpp
+@@ -4388,7 +4388,8 @@ void Document::processAction( const Action * action )
+ {
+ const QUrl realUrl = KIO::upUrl(d->m_url).resolved(url);
+ // KRun autodeletes
+- new KRun( realUrl, d->m_widget );
++ KRun *r = new KRun( realUrl, d->m_widget );
++ r->setRunExecutables(false);
+ }
+ }
+ } break;
+--
+2.24.1
+
generated by cgit v1.2.3 (git 2.41.0) at 2023-11-29 13:26:32 +0000