Headline
CVE-2023-1350: Fix RCE vulnerability on feed enrichment · lwindolf/liferea@8d8b5b9
A vulnerability was found in liferea. It has been rated as critical. Affected by this issue is the function update_job_run of the file src/update.c of the component Feed Enrichment. The manipulation of the argument source with the input |date >/tmp/bad-item-link.txt leads to os command injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The name of the patch is 8d8b5b963fa64c7a2122d1bbfbb0bed46e813e59. It is recommended to apply a patch to fix this issue. The identifier of this vulnerability is VDB-222848.
Permalink
Browse files
Fix RCE vulnerability on feed enrichment
Currently there are a few places in the code that do not check URLs for the presence of a command prefix, allowing malicious websites to run any command in the local system.
Trying to run feed enrichment (i.e. after option “Extract full content from HTML5 and Google AMP” is enabled) in a subscription that produces this item:
<item>
<title>Check /tmp/bad-item-link.txt</title>
<link>|date >/tmp/bad-item-link.txt</link>
</item>
will cause Liferea to call update_request_new on URL “|date >/tmp/bad-item-link.txt” and then blindly run the command. A similar effect happens when running the feed enrichment in a item that links to a document like this:
<!DOCTYPE html>
<html>
<head>
<title>AMP URL RCE PoC</title>
<link rel="amphtml" href="|date > /tmp/bad-amp-url.txt">
</head>
<body>
Check the results in /tmp/bad-amp-url.txt
</body>
</html>
once Liferea tries to load the AMP URL.
There are other calls to update_request_* functions where URLs are validated correctly (e.g. in feed icons and comments) and do not trigger this vulnerability. Since the subscription update is the exception where feed commands are supported (and welcome!) I chose to lock this feature behind a non-persistent flag and only enable it when required. This is safer than adding the flag in updateOptions, which is usually reused in subordinate requests.
This failure exists since commits b828838 and b67dbba from Setember 2017.
- Loading branch information
Related news
Gentoo Linux Security Advisory 202407-3 - A vulnerability has been discovered in Liferea, which can lead to remote code execution. Versions greater than or equal to 1.12.10 are affected.