A vulnerability in Kleopatra allows arbitrary execution of code.
|Package||kde-apps/kleopatra on all architectures|
|Affected versions||< 20.04.3-r1|
|Unaffected versions||>= 20.04.3-r1|
Kleopatra is a certificate manager and a universal crypto GUI. It supports managing X.509 and OpenPGP certificates in the GpgSM keybox and retrieving certificates from LDAP servers.
Kleopatra did not safely escape command line parameters provided by URLs, which it configures itself to handle.
A remote attacker could entice a user to process a specially crafted URL via openpgp4fpr handler, possibly resulting in execution of arbitrary code with the privileges of the process, or cause a Denial of Service condition.
There is no known workaround at this time.
All Kleopatra users should upgrade to the latest version:
# emerge --sync # emerge --ask --oneshot --verbose ">=kde-apps/kleopatra-20.04.3-r1"
August 30, 2020
August 30, 2020: 1