CVE-2020-24972: user/kleopatra: ACE through unsafe URL handler
| Bugzilla ID | 352 |
| Alias(es) | CVE-2020-24972 |
| Reporter | Max Rees (sroracle) |
| Assignee | Max Rees (sroracle) |
| Reported | 2020-09-04 16:37:39 -0500 |
| Modified | 2020-09-22 22:32:59 -0500 |
| Status | RESOLVED FIXED |
| Version | 1.0-RC1 |
| Hardware | Adélie Linux / All |
| Importance | --- / normal |
| Package(s) | user/kleopatra |
| URL | https://nvd.nist.gov/vuln/detail/CVE-2020-24972 |
Description
The Kleopatra component before 3.1.12 (and before 20.07.80) for GnuPG
allows remote attackers to execute arbitrary code because openpgp4fpr:
URLs are supported without safe handling of command-line options. The
Qt platformpluginpath command-line option can be used to load an
arbitrary DLL.
Fixed in >= 20.07.80 https://invent.kde.org/pim/kleopatra/-/commit/b4bd63c1739900d94c04da03045e9445a5a5f54b