[Python-apps-team] Bug#973426: A bug in bookletimposer could allow to maliciously modify its interface

ploup ploup at riseup.net
Fri Oct 30 11:13:00 GMT 2020 

Package: bookletimposer
Version: 2.0

### How to reproduce the bug

The following has been tested on Tails 4.11, which is based on Debian 10
(Buster).

 * Open a terminal somewhere (for example in the home directory)
 * Create a folder named "data" : `mkdir data`
 * Copy bookletimposer's data files to this folder : `cp
/usr/share/bookletimposer/* data`
 * Replace the file `data/bookletimposer.ui` by a maliciously crafted
file (an example malicious file should be attached to this bug report)
 * Start bookletimposer : `bookletimposer`
 * Bookletimposer's interface now includes a link named "Click me!",
which, when clicked on, opens the URL `https://example.com` in Tor
Browser (in a standard Debian installation, it would of course be opened
in the default web browser)

### Which versions are affected

The bug was tested on Tails 4.11, which ships bookletimposer 2.0.
Therefore, this bug report refers to the 2.0 version of the package
(especially when specific lines of code are mentioned).

However, the bug also affects the 3.0 version of the package, which is
the latest stable version of the software. Even though the problematic
source file was slightly changed in the 3.0 version, the same bug is
still present.

### How the bug works

When a `data` directory is present in the directory where bookletimposer
is launched, this `data` directory is used to retrieve bookletimposer's
data files, instead of using the normal directory
`/usr/share/bookletimposer`.

This behaviour is due to bookletimposer's `get_datadir` function, lines
49-53 of its `config.py` file. In Tails 4.11, this file is located at
`/usr/lib/python2.7/dist-packages/bookletimposer/config.py`.

### How the bug could be used by an attacker

Consider the following scenario :
 * An attacker prepares a malicious archive, containing :
   * a pdf file called `file.pdf`
   * a `data` directory that contains a maliciously crafted
`bookletimposer.ui` file
 * The attacker sends this archive to the victim, telling them to :
   * extract the archive
   * open the file browser and navigate to the location of the pdf file
   * right-click and choose "open in a terminal"
   * launch bookletimposer by typing `bookletimposer file.pdf`
 * The interface of bookletimposer shown to the victim has been modified
by the attacker, for example to add malicious URLs, malicious file:// or
mailto:// URIs, or to exhibit other incorrect behaviours.

Also, when bookletimposer is launched from an "Applications menu", then
its "current working directory" seems to be the user home directory. In
this case, the bug can be exploited by placing the malicious "data"
directory in the user home directory.

### Proposed fix (for the 2.0 version)

Rewrite the `get_datadir` function, at line 49 of the `config.py` file,
to remove the debug feature, which doesn't seem very useful anyway. The
idea would be to replace :

```
def get_datadir():
    if __debug__ and os.path.exists("data"):
        return "data"
    else:
        return os.path.join(get_sharedir(), "bookletimposer")
```

by:

```
def get_datadir():
    return os.path.join(get_sharedir(), "bookletimposer")
```

I haven't supplied a "patch" to implement my proposed fix because I
don't know how to do it and I wasn't sure if I was supposed to do it.

### Is the package still maintained?

I have contacted the maintainer of the package by email on 26th
september to make them aware of the bug, using the email address from
the package man page (kjo at a4nancy.net.eu.org). They haven't replied yet.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: bookletimposer.ui
Type: application/x-designer
Size: 32362 bytes
Desc: not available
URL: <http://alioth-lists.debian.net/pipermail/python-apps-team/attachments/20201030/63ef3cc2/attachment-0001.bin>

More information about the Python-apps-team mailing list