Fwd: Notice about vulnerabilities in libappimage (and appimaged)

Albert Astals Cid aacid at kde.org
Wed Sep 16 23:26:05 BST 2020


----------  Forwarded message  ----------

Subject: Notice about vulnerabilities in libappimage (and appimaged)
Date: Wednesday, 16 September 2020, 23:19:04 CEST
From: TheAssassin <theassassin at assassinate-you.net>
To: security at debian.org, security at kde.org, sgmoore at kde.org, hello at nxos.org, azubieta at mailbox.org, security at suse.de
CC: Simon Peter <probono at puredarwin.org>, re:fi.64 <rymg19 at gmail.com>

Hello everyone,

In July 2020, we fixed vulnerabilities in libappimage [1] and
appimaged [2], two projects maintained by the AppImage team. Both
projects have been fixed upstream in the meantime.

libappimage didn't validate some non-trustworthy strings it embeds into
filenames, read from desktop entries embedded in AppImages. This could be
exploited to overwrite arbitrary files with malicious contents. The
issue was fixed in PR #146 [3]. We consider this bug to be of "medium"
severity.

Combined with a design decision in appimaged (which is, to automatically
integrate all files in specific directories, including ~/Downloads),
we've found appimaged to be especially easy to exploit. The reporter of
the issue managed to create a file that is not an AppImage at first
glance (an .mp3 file, to be precise), which however was indeed a
functional AppImage that was recognized by appimaged and integrated
automatically via libappimage. You can imagine that it's not too hard to
make people download e.g. .mp3 files, and they might not expect those
to install malware on their computers. Therefore, we consider this
issue to be of "high" severity.
Using a fixed libappimage with any version of appimaged fixes the issue
there, too. As far as we are concerned, the issue was therefore fixed by
rebuilding our official appimaged packages (which automatically fetch
the latest libappimage version).

The vulnerability in libappimage was assigned CVE-2020-25265, the issues
in appimaged were assigned CVE-2020-25266. According to the reporter of
these issues, the initial request was apparently lost, and the
resubmitted one received a response over 6 weeks after we had already
fixed the issue...
We also forgot to notify distributions who might ship our software. The
CVEs have not been published yet to allow everyone to ship updates first.

Anyway. I see there are still lots of outdated/unsafe libappimage (and
some appimaged) packages out there, for instance:

- Debian stable, testing and unstable (via Repology [4])
- all distros which inherit packages from Debian (Ubuntu, Devuan, Kali,
Parrot, PureOS, Raspbian, ...)
- KDE neon (via Repology [4])
- openSUSE Leap 15.0-15.2 and Tumbleweed (via Repology [5])
- Nitrux (as far as I can see, e.g., Nitrux Software Center)

Please update libappimage, backport the fix or rebuild your appimaged
packages. Updates appreciated, so we know when to publish the CVEs.

Feel free to contact me if you have any questions.

Kind regards
The AppImage team

P.S.: A detailed analysis, based on the correspondence I had with the
reporter, will be published on my blog as soon as the CVEs are
published.

[1] https://github.com/AppImage/libappimage/
[2] https://github.com/AppImage/appimaged/
[3] https://github.com/AppImage/libappimage/pull/146
[4] https://repology.org/project/libappimage/versions
[5] https://repology.org/project/appimaged/versions


-----------------------------------------
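The advisory above describes the libappimage bug only in outline: a string read from an embedded desktop entry was used as part of a filename without validation, so a crafted AppImage could steer a write to an arbitrary path. The following is an added illustration of that bug class, written for this page; it is not code from libappimage, appimaged or PR #146. The choice of the Icon= key, the icon directory, and the exact way the "unsafe" variant builds its path are assumptions made for the example, and the allow-list policy in the "safe" variant is one reasonable choice rather than the project's actual fix. The sample desktop entries are constructed.

```python
"""Validating desktop-entry values before they become filename components.

Constructed example for this advisory, not code from libappimage or
appimaged. The field name (Icon), the directory and the way the unsafe
variant builds its path are assumptions chosen to illustrate the bug class
(an untrusted string joined into a filesystem path); the real fix lives in
libappimage PR #146 and is not reproduced here.
"""
import configparser
import os
import re

# Constructed sample desktop entries, as they might be embedded in an AppImage.
# The hostile ones carry an Icon value aimed at a file outside the icon dir.
BENIGN_DESKTOP_ENTRY = """\
[Desktop Entry]
Type=Application
Name=Example App
Exec=AppRun %U
Icon=example-app
"""

TRAVERSAL_DESKTOP_ENTRY = """\
[Desktop Entry]
Type=Application
Name=Totally A Media File
Exec=AppRun
Icon=../../../.bashrc
"""

ABSOLUTE_DESKTOP_ENTRY = """\
[Desktop Entry]
Type=Application
Name=Totally A Media File
Exec=AppRun
Icon=/home/user/.profile
"""

# A filename component taken from an untrusted desktop entry is accepted only
# if it is a plain name: no slash, no leading dot, a conservative character
# set, bounded length. This is an assumed policy, stricter than the Desktop
# Entry specification requires.
SAFE_COMPONENT = re.compile(r"[A-Za-z0-9][A-Za-z0-9._+-]{0,254}")


def parse_desktop_entry(text):
    """Return the [Desktop Entry] group as a dict with keys case-preserved."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str  # desktop-entry keys are case-sensitive
    parser.read_string(text)
    return dict(parser["Desktop Entry"])


def unsafe_target_path(icon_dir, entry):
    """The vulnerable pattern: join the untrusted value straight into a path.

    With Icon=../../../.bashrc the result climbs out of icon_dir; with an
    absolute Icon value os.path.join discards icon_dir entirely. Writing the
    icon data to the returned path overwrites whatever the attacker named.
    """
    return os.path.normpath(os.path.join(icon_dir, entry.get("Icon", "")))


def safe_target_path(icon_dir, entry):
    """Hardened variant: allow-list the component, then confirm containment."""
    icon = entry.get("Icon", "")
    if not SAFE_COMPONENT.fullmatch(icon):
        raise ValueError(f"refusing unsafe desktop entry Icon value {icon!r}")
    base = os.path.normpath(icon_dir)
    target = os.path.normpath(os.path.join(base, icon))
    # Belt and braces: the result must be a direct child of icon_dir even if
    # the allow-list above is loosened later.
    if os.path.dirname(target) != base:
        raise ValueError(f"path {target!r} escapes {base!r}")
    return target


def is_safe_entry(icon_dir, text):
    """True if the desktop entry's Icon value yields a path inside icon_dir."""
    try:
        safe_target_path(icon_dir, parse_desktop_entry(text))
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    icon_dir = "/home/user/.local/share/icons"  # assumed target directory
    for label, text in [("benign", BENIGN_DESKTOP_ENTRY),
                        ("traversal", TRAVERSAL_DESKTOP_ENTRY),
                        ("absolute", ABSOLUTE_DESKTOP_ENTRY)]:
        entry = parse_desktop_entry(text)
        print(label, "unsafe ->", unsafe_target_path(icon_dir, entry),
              "| accepted by safe variant:", is_safe_entry(icon_dir, text))
```

The two hostile entries show the two ways a naive join goes wrong: a relative value with `..` components walks out of the directory, and an absolute value makes `os.path.join` drop the directory altogether. The hardened variant rejects both on the allow-list alone; the containment check after normalisation is there so a later relaxation of the allow-list (say, to admit localized names) cannot silently reopen the hole. The same treatment applies to any other desktop-entry value that ends up in a path, not only the icon name.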

More information about the Distributions mailing list