From: Jean-Baptiste Mardelle Date: Thu, 21 May 2026 14:42:50 +0000 (+0200) Subject: Fix CVE-2026-45184 (RCE via malicious project file) X-Git-Tag: archive/raspbian/22.12.3-2+deb12u2+rpi1^2~1 X-Git-Url: https://dgit.raspbian.org/?a=commitdiff_plain;h=86a23efb996d97feb64945c84a40a2686ebf140c;p=kdenlive.git Fix CVE-2026-45184 (RCE via malicious project file) Origin: upstream, https://commits.kde.org/kdenlive/94042ddd259551e4a7a5f6672329752972c84685 Origin: upstream, https://commits.kde.org/kdenlive/c3999aacc6da54756f3df8aab03b900459562ecd Bug: https://kde.org/info/security/advisory-20260508-1.txt Forwarded: not-needed Last-Update: 2026-05-21 Gbp-Pq: Name 02-CVE-2026-45184.diff
---
diff --git a/src/jobs/proxytask.cpp b/src/jobs/proxytask.cpp
index f6c2dc2c..5b684636 100644
--- a/src/jobs/proxytask.cpp
+++ b/src/jobs/proxytask.cpp
@@ -259,12 +259,25 @@ void ProxyTask::run()
 }
 // Only output error data, make sure we don't block when proxy file already exists
 QStringList parameters = {QStringLiteral("-hide_banner"), QStringLiteral("-y"), QStringLiteral("-stats"),
- QStringLiteral("-v"), QStringLiteral("error"), QStringLiteral("-noautorotate")};
+ QStringLiteral("-v"), QStringLiteral("error"), QStringLiteral("-noautorotate"),
+ QStringLiteral("-protocol_whitelist"), QStringLiteral("file,pipe")};
 m_jobDuration = int(binClip->duration().seconds());
 QString proxyParams = pCore->currentDoc()->getDocumentProperty(QStringLiteral("proxyparams")).simplified();
 if (proxyParams.isEmpty()) {
 // Automatic setting, decide based on hw support
 proxyParams = pCore->currentDoc()->getAutoProxyProfile();
+ } else {
+ // Sanitize parameters
+ const QStringList blockedParams = {
+ QStringLiteral("attach"), QStringLiteral("metadata"), QStringLiteral("null"), QStringLiteral("dump"),
+ QStringLiteral("concat"), QStringLiteral("safe"), QStringLiteral("ladspa"), QStringLiteral("protocol_whitelist")};
+ for (auto &b : blockedParams) {
+ if (proxyParams.contains(b)) {
+ // Unwanted param found, discard parameters
+ proxyParams = pCore->currentDoc()->getAutoProxyProfile();
+ break;
+ }
+ }
 }
 int proxyResize = pCore->currentDoc()->getDocumentProperty(QStringLiteral("proxyresize")).toInt();
 bool nvenc = proxyParams.contains(QStringLiteral("%nvcodec"));
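Review bot: The sanitising in the new `else` branch is a substring denylist (`proxyParams.contains(b)`), so it only rejects the eight listed words and fails open for any ffmpeg option that is not on the list. Because `proxyparams` is read from the project file, checking each whitespace-separated option name against an allowlist of the options the shipped proxy profiles actually use would fail closed instead. The substring match also fires when a word such as `null` or `safe` merely appears inside a longer token, so a legitimate custom profile can be replaced without any indication. A log line before the `break`, for example `qWarning() << "Ignoring proxy parameters from project file";`, would leave a trace for the user and for anyone triaging a suspicious project. Whether the leading `-protocol_whitelist file,pipe` covers every input depends on how the command line is assembled in the rest of ProxyTask::run(), which starts and ends outside this hunk.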