CVE-2020-9359: 
NixOS vulnerability analysis and mitigation

KDE Okular before version 1.10.0 contains a vulnerability (CVE-2020-9359) that allows code execution via an action link in a PDF document. The vulnerability was discovered by Mickael Karatekin from Sysdream Labs and was disclosed on March 12, 2020 (KDE Advisory).

The vulnerability stems from a logic error in Okular's handling of action links within PDF documents. The issue allows the execution of local binaries through specially crafted PDF files with minimal user interaction. While the execution is restricted to running binaries without parameters, this could still pose a security risk (KDE Advisory). The vulnerability has been assigned a CVSS v3.1 base score of 5.3 (Medium) with the vector string CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L (NVD).

The vulnerability could allow an attacker to execute local binaries on the target system, though without the ability to pass parameters. While this limits the potential damage, it could still be dangerous if combined with other attacks that place malicious executables on the system. The KDE security team noted that actual damage would require a specially crafted binary to be already present on the system through other means (KDE Advisory).

The vulnerability was fixed in Okular version 1.10.0. Users are recommended to upgrade to this version or later. For those unable to upgrade immediately, the primary workaround is to avoid opening PDF files from untrusted sources. A patch was also made available through the KDE repository (KDE Commit). Various Linux distributions have released security updates to address this vulnerability, including Debian (Debian LTS) and Gentoo (Gentoo Advisory).