Command injection vulnerability in CBT handler #257

Closed
hadess opened this issue Jul 13, 2017 · 3 comments

Comments


hadess commented Jul 13, 2017

Seeing as atril was a fork of evince, it has the same security issues that evince did:
https://bugzilla.gnome.org/show_bug.cgi?id=784630

raveit65 pushed a commit that referenced this issue Jul 15, 2017
When handling tar files, or using a command with tar-compatible syntax,
to open comic-book archives, both the archive name (the name of the
comics file) and the filename (the name of a page within the archive)
are quoted to not be interpreted by the shell.

But the filename is completely within the attacker's control and can start
with "--", which leads to tar interpreting it as a command line flag.

This can be exploited by creating a CBT file (a tar archive with the
.cbt suffix) with an embedded file named something like this:
"--checkpoint-action=exec=bash -c 'touch ~/hacked;'.jpg"

CBT files are infinitely rare (CBZ is usually used for DRM-free
commercial releases, CBR for those from more dubious provenance), so
removing support is the easiest way to avoid the bug triggering. All
this code was rewritten in the development release for GNOME 3.26 to not
shell out to any command, closing off this particular attack vector.

This also removes the ability to use libarchive's bsdtar-compatible
binary for CBZ (ZIP), CB7 (7zip), and CBR (RAR) formats. The first two
are already supported by unzip and 7zip respectively. libarchive's RAR
support is limited, so unrar is a requirement anyway.

Discovered by Felix Wilhelm from the Google Security Team.

https://bugzilla.gnome.org/show_bug.cgi?id=784630

fixes #257
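As an added example (not code from the issue, the commit, or atril itself), the following shows the check a maintainer would want here: scan a .cbt for member names that a tar command line would parse as options, read a page with a library call instead of a shell, and, if an external tar cannot be avoided, build the argv so option parsing is terminated before the member name. The archive and its member names are constructed for the example.

```python
import io
import tarfile


def build_sample_cbt(entries):
    """Build a small tar archive in memory from {member name: bytes}.
    The contents are constructed for this example only."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name, data in entries.items():
            info = tarfile.TarInfo(name=name)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def option_like_members(tar_bytes):
    """Return member names a tar command line would read as options.
    A leading '-' is exactly the property the issue's payload relies on."""
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tf:
        return [m.name for m in tf.getmembers() if m.name.startswith("-")]


def read_page(tar_bytes, name):
    """Extract one page without a shell or external tar: the member name
    is only ever data handed to the library, never an argv element."""
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tf:
        member = tf.getmember(name)
        if not member.isfile():
            raise ValueError("%r is not a regular file" % name)
        return tf.extractfile(member).read()


def tar_argv(archive, name):
    """If an external tar must be used: pass an argv list (no shell) and
    end option parsing with '--' so a '-'-prefixed name is treated as a path."""
    return ["tar", "-xOf", archive, "--", name]


if __name__ == "__main__":
    sample = build_sample_cbt({
        "page01.jpg": b"\xff\xd8\xff",          # constructed, ordinary page
        "--looks-like-an-option.jpg": b"\xff",  # constructed, option-shaped name
    })
    print(option_like_members(sample))
    print(tar_argv("book.cbt", "--looks-like-an-option.jpg"))
```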
@raveit65
Member

Thank you for the info :-)

Member

sc0w commented Jul 17, 2017

I am not sure how to reproduce the issue; could someone please give us a vulnerable .cbt file?

In the GNOME bug report:

This can be exploited by creating a tar archive with an embedded file named something
like this: "--checkpoint-action=exec=bash -c 'touch ~/covfefe.evince;'.jpg"

how can I make that file?

Author

hadess commented Jul 17, 2017

Sorry, I'm not going to make reproducers available on public forums. I'd invite you to create your own reproducers, contact the GNOME security team, or any distribution's security team.
