CVE-2020-9359

NameCVE-2020-9359
DescriptionKDE Okular before 1.10.0 allows code execution via an action link in a PDF document.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDLA-2159-1, DLA-2856-1
Debian Bugs954891

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
okular (PTS)buster4:17.12.2-2.2+deb10u1fixed
bullseye4:20.12.3-2fixed
bookworm4:22.12.3-1fixed
trixie, sid4:23.08.1-2fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
okularsourcejessie4:4.14.2-2+deb8u2DLA-2159-1
okularsourcestretch4:16.08.2-1+deb9u2DLA-2856-1
okularsourcebuster4:17.12.2-2.2+deb10u1
okularsource(unstable)4:19.12.3-2954891

Notes

https://invent.kde.org/kde/okular/-/commit/6a93a033b4f9248b3cd4d04689b8391df754e244
https://kde.org/info/security/advisory-20200312-1.txt
https://sysdream.com/news/lab/2020-03-24-cve-2020-9359-okular-command-execution/ (PoC)
Search for package or bug name: Reporting problems