
====================================================================

                             CERT-Renater

                 Note d'Information No. 2020/VULN479
_____________________________________________________________________

DATE                : 31/08/2020

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Kleopatra versions prior to 20.04.3-r1.

=====================================================================
https://security.gentoo.org/glsa/202008-21
_____________________________________________________________________

 Kleopatra: Remote code execution — GLSA 202008-21

A vulnerability in Kleopatra allows arbitrary execution of code.

Affected packages

Package                kde-apps/kleopatra on all architectures
Affected versions      < 20.04.3-r1
Unaffected versions    >= 20.04.3-r1


Background

Kleopatra is a certificate manager and a universal crypto GUI. It
supports managing X.509 and OpenPGP certificates in the GpgSM keybox and
retrieving certificates from LDAP servers.


Description

Kleopatra did not safely escape command line parameters provided by
URLs, which it configures itself to handle.


Impact

A remote attacker could entice a user to process a specially crafted URL
via the openpgp4fpr handler, possibly resulting in execution of arbitrary
code with the privileges of the Kleopatra process, or causing a Denial of
Service condition.
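To illustrate the bug class described above (a URL handler forwarding its payload onto a command line without escaping it), the following is an added Python example; it is not Kleopatra's code and is not taken from the advisory. It assumes a hypothetical handler that forwards an openpgp4fpr: fingerprint to a gpg invocation, and both URLs are constructed. It contrasts the unsafe pattern (splicing the raw payload into a shell command string) with the hardened form (allow-list the payload as exactly 40 hex digits, then pass it as its own argv element so no shell ever parses it).

```python
import re

# Constructed sample inputs (not from the advisory): a well-formed fingerprint
# URL and one whose payload carries shell metacharacters.
GOOD_URL = "openpgp4fpr:0123456789ABCDEF0123456789ABCDEF01234567"
BAD_URL = "openpgp4fpr:0123456789ABCDEF0123;echo injected"

# An OpenPGP v4 fingerprint is exactly 40 hexadecimal digits.
FPR_RE = re.compile(r"^[0-9A-Fa-f]{40}$")


def extract_fingerprint(url: str):
    """Return the normalised fingerprint from an openpgp4fpr: URL, or None
    when the scheme is wrong or the payload is not exactly 40 hex digits."""
    scheme, sep, payload = url.partition(":")
    if not sep or scheme.lower() != "openpgp4fpr":
        return None
    payload = payload.strip()
    if not FPR_RE.match(payload):
        return None
    return payload.upper()


def unsafe_command_line(url: str) -> str:
    """Pattern to avoid: splice the raw URL payload into a shell command string.
    Returns the string a shell would receive; metacharacters pass straight
    through. (Hypothetical 'gpg --recv-keys' call, not Kleopatra's handler.)"""
    payload = url.partition(":")[2]
    return "gpg --recv-keys " + payload


def safe_argv(url: str):
    """Hardened form: validate first, then build an argv list. Handing this
    list to subprocess.run(argv) without shell=True means no shell parses the
    payload, and the allow-list regex has already rejected anything that is
    not a fingerprint. Returns None when the URL is rejected."""
    fpr = extract_fingerprint(url)
    if fpr is None:
        return None
    return ["gpg", "--recv-keys", fpr]


if __name__ == "__main__":
    for url in (GOOD_URL, BAD_URL):
        print("unsafe :", unsafe_command_line(url))
        print("safe   :", safe_argv(url))
```

The two defences are independent and both matter: the argv list removes the shell from the path entirely, while the strict allow-list also stops option injection (a payload beginning with `-`) and oversized input from reaching the child process at all.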


Workaround

There is no known workaround at this time.


Resolution

All Kleopatra users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=kde-apps/kleopatra-20.04.3-r1"


References

    CVE-2020-24972


Release date
August 30, 2020

Latest revision
August 30, 2020: 1

Severity
normal

Exploitable
local, remote

Bugzilla entries

    739556



=========================================================
+ CERT-RENATER       |    tel : 01-53-94-20-44          +
+ 23/25 Rue Daviel   |    fax : 01-53-94-20-41          +
+ 75013 Paris        |    email:cert@support.renater.fr +
=========================================================