user/kleopatra: CVE-2020-24972: ACE through unsafe URL handler
Bugzilla ID | 352 |
Alias(es) | CVE-2020-24972 |
Reporter | Max Rees (sroracle) |
Assignee | Max Rees (sroracle) |
Reported | 2020-09-04 16:37:39 -0500 |
Modified | 2020-09-22 22:32:59 -0500 |
Status | RESOLVED FIXED |
Version | 1.0-RC1 |
Hardware | Adélie Linux / All |
Importance | --- / normal |
Package(s) | user/kleopatra |
URL | https://nvd.nist.gov/vuln/detail/CVE-2020-24972 |
Description
The Kleopatra component before 3.1.12 (and before 20.07.80) for GnuPG
allows remote attackers to execute arbitrary code because openpgp4fpr:
URLs are supported without safe handling of command-line options. The
Qt platformpluginpath command-line option can be used to load an
arbitrary DLL.
Fixed in >= 20.07.80: https://invent.kde.org/pim/kleopatra/-/commit/b4bd63c1739900d94c04da03045e9445a5a5f54b