Security: Arbitrary shell command injection through PDF import or unpaper preprocessing

Digging further, I was able to expand on this. ocrfeeder also uses Python's subprocess.run(cmd, shell=True) when it converts pdf files to images (see https://gitlab.gnome.org/GNOME/ocrfeeder/-/blob/master/src/ocrfeeder/util/lib.py#L104). While quotation marks are used, nothing prevents us from injecting a subshell into the filename.

Proof of Concept:
- keep settings -> tools -> unpaper images turned OFF
- create a PDF file with name `foo$(nautilus).pdf`
- Import the PDF file
- `nautilus` is started

The vulnerability causes the subshell to be started when orcfeeder invokes `gs` to convert the PDF file into individual images. This vector is slightly more effective, since it doesn't require the user to have the unpaper option turned on.

EDIT: This was apparently fixed upstream in https://gitlab.gnome.org/GNOME/ocrfeeder/-/commit/5286120c8bc8b7ba74e0f9b19b5262b509f38cee but the version in the package repository is still affected.

Thanks for reporting this vulnerability to the upstream project and for linking to the fix upstream - perhaps the best way forward might be to either ask the upstream project if they want to request a CVE for this issue OR to do so yourself via https://cveform.mitre.org/ - once a CVE is assigned all distros will then be alerted to the issue and can work on patching it as part of their regular security update process.

If a CVE is assigned please let us know - also since this fix is already public, would you be happy for this bug report to also be made public?

To be clear: The fix in 5286120c only applies to the vector described in the addendum. The unpaper method from the initial report is still viable on master (51952ab8 as of 2022-02-21). I am not aware of any fix for this method being published before. My proposed fix has not yet been accepted upstream. Hence, I suggest that the bug be kept private until the fix is published in the upstream repository.

I have reached out to the upstream maintainers regarding CVE assignment and will report back when this process completes.

Excellent - thanks for the clarification - we will wait to hear more from you regarding CVE assignment and upstream patching. Thanks.

Hello René, have you heard anything from upstream on this recently?

Thanks

Hi, unfortunately no. Neither any comment about the vulnerability, nor any activity regarding my proposed fix.

That's unfortunate; it might be worth opening the bugs here and there so the wider community has an opportunity to work on a fix. If you haven't communicated lately, could you give them a poke?

Thanks

I dug around a bit and found their private email. I have a reply now – Turns out that the maintainer had gitlab notifications turned off. The general statement is that ocrfeeder "is pretty much unmaintained", but that they will review my proposed patch before Monday. I'll report back as soon as I hear about the review.

ocrfeeder also seems to be looking for a new upstream maintainer (I've been asked, but I'm afraid I will be unable to take on this responsibility with my current workload.)

Good news: The maintainer was very quick to review the fix, this is being merged upstream now. Once this is done, I think we can make this bug public.

So far no consensus on CVE assignment yet, I'm on it.

https://gitlab.gnome.org/GNOME/ocrfeeder/-/tags/0.8.5 has just been released with the fix. CVE request is still pending.

CVE-2022-27811 has just been assigned to this vulnerability. What would be the next step in the process of getting the new release packaged and shipped?

On the details page to CVE-2022-27811 (https://ubuntu.com/security/CVE-2022-27811) I've just seen alexmurray's comment "https://gitlab.gnome.org/GNOME/ocrfeeder/-/commit/5286120c8bc8b7ba74e0f9b19b5262b509f38cee may also be needed for additional hardening".

I would consider the changes introduced in the mentioned commit to be unnecessary (though I am certainly open for a counter-argument!), which is why my patch in 9209bce8afaf6fde19cdac7f5eaea1b744c3e79e replaces a significant portion of that code. The original code would try to symlink the input PDF file such that the symlink would not contain any shell metacharacters. While this works around the second attack vector (#1), I consider this a rather contrived hack that does not solve the underlying problem, which is the improper handling of the ghostscript invocation's arguments. With proper argument handling, I do not see any benefit in continuing to use that hack.

Thanks for the clarification - this makes sense, I'll remove it.

The currently shipped package is still vulnerable about a year after this report. What can I do to speed things up?