From: Jean-Baptiste Mardelle <jb@kdenlive.org>
Date: Thu, 21 May 2026 08:43:39 +0000 (+0200)
Subject: Fix CVE-2026-45184 (RCE via malicious project file)
X-Git-Tag: archive/raspbian/24.12.3-2+rpi1+deb13u1^2~1
X-Git-Url: https://dgit.raspbian.org/?a=commitdiff_plain;h=871a556cc7eccead3b7d0292a97f558180009cbe;p=kdenlive.git

Fix CVE-2026-45184 (RCE via malicious project file)

Origin: upstream, https://commits.kde.org/kdenlive/94042ddd259551e4a7a5f6672329752972c84685
Origin: upstream, https://commits.kde.org/kdenlive/c3999aacc6da54756f3df8aab03b900459562ecd
Bug: https://kde.org/info/security/advisory-20260508-1.txt
Forwarded: not-needed
Last-Update: 2026-05-21


Gbp-Pq: Name 02-CVE-2026-45184.diff
---

diff --git a/src/jobs/proxytask.cpp b/src/jobs/proxytask.cpp
index c8165d65..4190343f 100644
--- a/src/jobs/proxytask.cpp
+++ b/src/jobs/proxytask.cpp
@@ -231,8 +231,10 @@ void ProxyTask::run()
             return;
         }
         // Only output error data, make sure we don't block when proxy file already exists
-        QStringList parameters = {QStringLiteral("-hide_banner"), QStringLiteral("-y"), QStringLiteral("-stats"), QStringLiteral("-v"),
-                                  QStringLiteral("error")};
+        QStringList parameters = {QStringLiteral("-hide_banner"), QStringLiteral("-y"),    QStringLiteral("-stats"),
+                                  QStringLiteral("-v"),           QStringLiteral("error"), QStringLiteral("-protocol_whitelist"),
+                                  QStringLiteral("file,pipe")};
+
         m_jobDuration = int(binClip->duration().seconds());
         if (binClip->hasProducerProperty(QStringLiteral("kdenlive:camcorderproxy"))) {
             // ffmpeg -an -i proxy.mp4 -vn -i original.MXF -map 0:v -map 1:a -c:v copy out.MP4
@@ -247,6 +249,18 @@ void ProxyTask::run()
             if (proxyParams.isEmpty()) {
                 // Automatic setting, decide based on hw support
                 proxyParams = pCore->currentDoc()->getAutoProxyProfile();
+            } else {
+                // Sanitize parameters
+                const QStringList blockedParams = {
+                    QStringLiteral("attach"), QStringLiteral("metadata"), QStringLiteral("null"),   QStringLiteral("dump"),
+                    QStringLiteral("concat"), QStringLiteral("safe"),     QStringLiteral("ladspa"), QStringLiteral("protocol_whitelist")};
+                for (auto &b : blockedParams) {
+                    if (proxyParams.contains(b)) {
+                        // Unwanted param found, discard parameters
+                        proxyParams = pCore->currentDoc()->getAutoProxyProfile();
+                        break;
+                    }
+                }
             }
             int proxyResize = pCore->currentDoc()->getDocumentProperty(QStringLiteral("proxyresize")).toInt();
             if (!proxyParams.contains(QLatin1String("mjpeg")) && !proxyParams.contains(QLatin1String("mpeg2video"))) {