VYPR
Unrated severity · NVD Advisory · Published Jan 12, 2024 · Updated Jun 17, 2025

Atril's CBT comic book parsing vulnerable to Remote Code Execution

CVE-2023-51698

Description

Atril document viewer is vulnerable to command injection via malicious CBT files, allowing remote code execution with user interaction.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Atril, the default document viewer for the MATE desktop environment, contains a critical command injection vulnerability in its comic book document parsing code (comics-document.c). The vulnerability lies in the command_usage_def array which defines external command templates for decompressing archive formats. For CBT (TAR) archives, the template "%s -xOf" is used without sanitization, allowing an attacker to inject arbitrary shell commands via crafted filenames inside the archive. All versions of Atril up to the latest are affected. [1]

Exploitation

To exploit, an attacker creates a malicious CBT file (a TAR archive) containing a file with a crafted name that includes shell metacharacters. The victim must open this crafted document with Atril, or click a link that triggers its opening. No additional privileges are required beyond the user's environment. The injection occurs during the decompression process when Atril constructs and executes the command string using the unsanitized filename. [1]

Impact

Successful exploitation results in immediate remote code execution (RCE) with the privileges of the user running Atril. The attacker gains full control over the affected system, including access to user data, the ability to install software, and potential lateral movement. This vulnerability is critical due to the low attack complexity and the widespread use of affected Linux distributions (e.g., Kali Linux, Ubuntu MATE, Fedora Cinnamon). [1]

Mitigation

A fix is available in commit ce41df6 of the Atril repository, which replaces the custom command handling with the libarchive library to safely handle archive files. Users should upgrade Atril to a version that includes this patch. As of the publication date, no official release has been announced; however, distributions may backport the fix. No workaround is available. [4][1]
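The two patterns contrasted in the Vulnerability and Mitigation sections, as an added illustration that is not Atril's code: a "%s -xOf" style template flattened into one shell string, beside an argv-based spawn in which a member name can never be interpreted by a shell. It assumes, as the description states, that an archive member name is appended to the template; the function names, the sample archive name and the sample member name are constructed for the example.

```c
/* Added example (not Atril's code). Function names are illustrative. */
#include <stdio.h>
#include <string.h>

/* VULNERABLE PATTERN: a command template rendered into a single string
 * that is later handed to /bin/sh. Any metacharacter in `member` is
 * parsed by the shell instead of reaching tar as a file name.
 * Returns the string length, or -1 if the buffer is too small. */
int build_shell_command(char *out, size_t n, const char *tar_bin,
                        const char *archive, const char *member)
{
    int len = snprintf(out, n, "%s -xOf %s %s", tar_bin, archive, member);
    return (len < 0 || (size_t)len >= n) ? -1 : len;
}

/* HARDENED PATTERN: build an argv vector and exec it directly (execvp,
 * posix_spawnp, g_spawn_async without a shell). No shell is involved,
 * so `member` arrives in tar as exactly one literal argument.
 * Returns the number of entries set, excluding the NULL terminator. */
int build_exec_argv(char **argv, size_t cap, const char *tar_bin,
                    const char *archive, const char *member)
{
    if (cap < 5) return -1;               /* four arguments plus NULL */
    argv[0] = (char *)tar_bin;
    argv[1] = "-xOf";
    argv[2] = (char *)archive;
    argv[3] = (char *)member;
    argv[4] = NULL;
    return 4;
}

/* Defensive check: does a member name contain characters a POSIX shell
 * would interpret? Useful as a pre-extraction guard or as a triage
 * heuristic for CBT/TAR files from untrusted sources. Returns 1 if so. */
int member_name_suspicious(const char *name)
{
    return strpbrk(name, ";|&$`<>()\n") != NULL;
}

int main(void)
{
    /* Constructed sample: a member name carrying a shell separator. */
    const char *member = "page;01.jpg";
    char cmd[256];
    char *argv[5];
    build_shell_command(cmd, sizeof cmd, "tar", "book.cbt", member);
    printf("shell string (injectable): %s\n", cmd);
    int n = build_exec_argv(argv, 5, "tar", "book.cbt", member);
    printf("argv entries: %d, argv[3] stays literal: %s\n", n, argv[3]);
    printf("suspicious member name: %d\n", member_name_suspicious(member));
    return 0;
}
```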

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products (2)

  • MATE/Atril (match: llm-fuzzy), 2 versions
    • (no CPE)
    • (no CPE) range: <= 1.26.3

Patches (0)

No patches discovered yet.

Vulnerability mechanics

No source-code context for this CVE — this section is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References (4)

News mentions (0)

No linked articles in our index yet.