CVE-2023-51698: 
NixOS vulnerability analysis and mitigation

Atril, a simple multi-page document viewer, was found to contain a critical Command Injection Vulnerability (CVE-2023-51698). The vulnerability was discovered in January 2024 and affects all versions up to 1.26.3. This security flaw impacts multiple Linux distributions using MATE, Cinnamon, and some Xfce desktop environments, including Kali Linux, Parrot OS, Ubuntu-Mate, Xubuntu, Fedora, and Ubuntu Kylin (GitHub Advisory).

The vulnerability exists in Atril's CBT comic book parsing functionality, specifically in the handling of comic book documents (.cbr, .cbz, .cbt, .cb7). The issue stems from the use of shell commands for decompression in the comics-document.c file. The vulnerability can be exploited using a maliciously crafted CBT document (TAR archive) by leveraging the tar program's '--checkpoint-action' option to execute arbitrary commands. The vulnerability has been assigned a CVSS v3.1 base score of 8.8 (HIGH) by NVD and 9.6 (CRITICAL) by GitHub (NVD, GitHub Advisory).

When exploited, this vulnerability allows attackers to gain immediate access to the target system when a user opens a crafted document or clicks on a crafted link/URL. The vulnerability is particularly dangerous due to the atril-previewer component, which can trigger the exploit without user interaction when visiting a malicious webpage. This can lead to remote code execution with the privileges of the user running Atril (GitHub Advisory).

A patch has been released in commit ce41df6, which eliminates the use of external commands for opening comic documents and uses libarchive instead. Various distributions have released security updates, including Fedora 38 (version 1.26.2-2.fc38) and Fedora 39 (version 1.26.2-1.fc39). Ubuntu has also released fixes for multiple versions (Fedora Update, GitHub Patch).