On Wednesday, September 16, 2020 2:19:04 PM MST TheAssassin wrote:

> Hello everyone,
>
> in July 2020, we've fixed vulnerabilities in libappimage [1] and
> appimaged [2], two projects maintained by the AppImage team. Both
> projects have been fixed upstream in the meantime.
>
> libappimage didn't validate some non-trustworthy strings it embeds into
> filenames, read from desktop entries embedded in AppImage. This could be
> exploited into overwriting arbitrary files with malicious contents. The
> issue was fixed in PR #146 [3]. We consider this bug to be of "medium"
> severity.
>
> Combined with a design decision in appimaged (which is, to automatically
> integrate all files in specific directories, including ~/Downloads),
> we've found appimaged to be especially easy to exploit. The reporter of
> the issue managed to create a file that is not an AppImage at first
> glance (an .mp3 file, to be precise), which however was indeed a
> functional AppImage that was recognized by appimaged and integrated
> automatically via libappimage. You can imagine that it's not too hard to
> make people download e.g., .mp3 files, and they might not expect those
> may install malware on their computers. Therefore, we consider this
> issue to be of "high" severity.
>
> Using a fixed libappimage with any version of appimaged fixes the issue
> there, too. As far as we are concerned, the issue was therefore fixed by
> rebuilding our official appimaged packages (which automatically fetch
> the latest libappimage version).
>
> The vulnerability in libappimage was assigned CVE-2020-25265, the issues
> in appimaged were assigned CVE-2020-25266. According to the reporter of
> these issues, the initial request was apparently lost, and the
> resubmitted one received a response over 6 weeks after we had already
> fixed the issue...
>
> We also forgot to notify distributions who might ship our software. The
> CVEs have not been published yet to allow everyone to ship updates first.
>
> Anyway. I see there's still lots of outdated/unsafe libappimage (and
> some appimaged) packages out there, for instance:
>
> - Debian stable, testing and unstable (via Repology [4])
> - all distros which inherit packages from Debian (Ubuntu, Devuan, Kali,
>   Parrot, PureOS, Raspbian, ...)
> - KDE neon (via Repology [4])
> - openSUSE Leap 15.0-15.2 and Tumbleweed (via Repology [5])
> - Nitrux (as far as I can see, e.g., Nitrux Software Center)
>
> Please update libappimage, backport the fix or rebuild your appimaged
> packages. Updates appreciated, so we know when to publish the CVEs.
>
> Feel free to contact me if you have any questions.
>
> Kind regards
> The AppImage team
>
> P.S.: A detailed analysis, based on the correspondence I had with the
> reporter, will be published on my blog as soon as the CVEs are
> published.
>
> [1] https://github.com/AppImage/libappimage/
> [2] https://github.com/AppImage/appimaged/
> [3] https://github.com/AppImage/libappimage/pull/146
> [4] https://repology.org/project/libappimage/versions
> [5] https://repology.org/project/appimaged/versions
Sorry, just saw this, somehow missed my INBOX. Working on patch, new release delays due to lack of manpower.

Scarlett

--
Scarlett Moore
gpg: 7C35 920F 1CE2 899E 8EA9 AAD0 2E7C 0367 B9BF A089
Software Engineer @ Blue Systems
Debian Maintainer developer in training.
Netrunner PM
KDE Developer
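The quoted advisory describes the bug class without showing it: a string taken from an untrusted desktop entry is embedded into a filename, so a crafted value can steer the write outside the integration directory. The following is an added example, not libappimage's code and not the fix from PR #146; it contrasts the naive path construction with a validated one. The integration directory, the helper names and the desktop-entry values are all constructed for the demonstration.

```python
import re
from pathlib import Path

# Constructed integration directory; it does not need to exist for the checks.
INTEGRATION_DIR = "/home/demo/.local/share/applications"

# Only a conservative character set is accepted for a name that becomes a
# filename component. Everything else (separators, NUL, leading dot) is refused.
SAFE_COMPONENT = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]*$")


def naive_integration_path(integration_dir: str, entry_name: str) -> Path:
    """The unsafe pattern: an untrusted desktop-entry value is concatenated
    straight into a path. pathlib replaces the base entirely when the value is
    absolute, and '..' components are kept, so the write can leave the directory."""
    return Path(integration_dir) / f"{entry_name}.desktop"


def escapes_directory(integration_dir: str, candidate: Path) -> bool:
    """True if `candidate`, once normalised, is not located under `integration_dir`."""
    base = Path(integration_dir).resolve()
    resolved = candidate.resolve()
    return base not in resolved.parents


def sanitize_component(value: str) -> str:
    """Return `value` if it is acceptable as a single filename component,
    otherwise raise ValueError. Rejects empty names, '.'/'..', any path
    separator or NUL byte, and anything outside SAFE_COMPONENT."""
    if not value or value in (".", ".."):
        raise ValueError("empty or relative-directory name")
    if "/" in value or "\\" in value or "\0" in value:
        raise ValueError("path separator or NUL in name")
    if not SAFE_COMPONENT.match(value):
        raise ValueError(f"unsafe characters in name: {value!r}")
    return value


def integration_path(integration_dir: str, entry_name: str) -> Path:
    """Validated construction: sanitise the component first, then confirm the
    final path is still contained in the integration directory (belt and braces,
    in case the character policy is later relaxed)."""
    base = Path(integration_dir).resolve()
    candidate = base / f"{sanitize_component(entry_name)}.desktop"
    if escapes_directory(integration_dir, candidate):
        raise ValueError("resolved path leaves the integration directory")
    return candidate


if __name__ == "__main__":
    # Constructed desktop-entry values: one benign, two hostile.
    for name in ("MyApp", "../../../evil", "/home/demo/evil"):
        naive = naive_integration_path(INTEGRATION_DIR, name)
        print(f"{name!r:24} naive -> {naive}  escapes={escapes_directory(INTEGRATION_DIR, naive)}")
        try:
            print(f"{'':24} safe  -> {integration_path(INTEGRATION_DIR, name)}")
        except ValueError as exc:
            print(f"{'':24} safe  -> rejected ({exc})")
```

The containment check is deliberately separate from the character whitelist: the whitelist is what makes the name predictable, while `escapes_directory` catches any construction that still resolves outside the target, which is the property the advisory's "overwrite arbitrary files" outcome violates.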
