Fix CVE-2026-45184 (RCE via malicious project file)

Origin: upstream, https://commits.kde.org/kdenlive/94042ddd259551e4a7a5f6672329752972c84685
Origin: upstream, https://commits.kde.org/kdenlive/c3999aacc6da54756f3df8aab03b900459562ecd
Bug: https://kde.org/info/security/advisory-20260508-1.txt
Forwarded: not-needed
Last-Update: 2026-05-21

Gbp-Pq: Name 02-CVE-2026-45184.diff

diff --git a/src/jobs/proxytask.cpp b/src/jobs/proxytask.cpp
index f6c2dc2c22ffafaf08c04534f432feeb603811ae..5b6846369efd01911c068de0bcc2e669a4a6da12 100644 (file)
--- a/src/jobs/proxytask.cpp
+++ b/src/jobs/proxytask.cpp
@@ -259,12 +259,25 @@ void ProxyTask::run()
         }
         // Only output error data, make sure we don't block when proxy file already exists
         QStringList parameters = {QStringLiteral("-hide_banner"), QStringLiteral("-y"),    QStringLiteral("-stats"),
-                                  QStringLiteral("-v"),           QStringLiteral("error"), QStringLiteral("-noautorotate")};
+                                  QStringLiteral("-v"),           QStringLiteral("error"), QStringLiteral("-noautorotate"),
+                                  QStringLiteral("-protocol_whitelist"), QStringLiteral("file,pipe")};
         m_jobDuration = int(binClip->duration().seconds());
         QString proxyParams = pCore->currentDoc()->getDocumentProperty(QStringLiteral("proxyparams")).simplified();
         if (proxyParams.isEmpty()) {
             // Automatic setting, decide based on hw support
             proxyParams = pCore->currentDoc()->getAutoProxyProfile();
+        } else {
+            // Sanitize parameters
+            const QStringList blockedParams = {
+                QStringLiteral("attach"), QStringLiteral("metadata"), QStringLiteral("null"),   QStringLiteral("dump"),
+                QStringLiteral("concat"), QStringLiteral("safe"),     QStringLiteral("ladspa"), QStringLiteral("protocol_whitelist")};
+            for (auto &b : blockedParams) {
+                if (proxyParams.contains(b)) {
+                    // Unwanted param found, discard parameters
+                    proxyParams = pCore->currentDoc()->getAutoProxyProfile();
+                    break;
+                }
+            }
         }
         int proxyResize = pCore->currentDoc()->getDocumentProperty(QStringLiteral("proxyresize")).toInt();
         bool nvenc = proxyParams.contains(QStringLiteral("%nvcodec"));