Description
Xreader 4.6.3 (commit ef5a50d) passes the raw PDF attachment filename directly to g_file_get_child() when saving attachments via "Save Attachment As...". Since g_file_get_child() resolves ../ sequences, an attacker-controlled filename can escape the user-selected target directory and write files to arbitrary locations with the exact filename specified by the attacker — no random suffix.
This is the most critical of the attachment vulnerabilities, as it enables writing .desktop files (or any other file) with precise names to arbitrary locations, leading to arbitrary code execution.
Affected Code
shell/ev-window.c:7374:
save_to = g_file_get_child(target_file, ev_attachment_get_name(attachment));
shell/ev-window.c:7400:
dest_file = g_file_get_child(target_file, ev_attachment_get_name(attachment));
Both the local and remote save paths use the unsanitized attachment name.
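As an added illustration (not Xreader's code), a plain-C helper with the assumed name safe_attachment_name() that reduces an attacker-controlled attachment name to its last path component the way g_path_get_basename() does, and then also rejects the components ("", "." and "..") that would still leave the chosen directory; it is run over constructed sample names, including the report's ../Desktop/test.desktop.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not from Xreader): keep only the last path
 * component of an attachment name, mirroring g_path_get_basename()
 * (trailing '/' stripped, last component kept), then reject the
 * components that would still name a directory rather than a file.
 * Returns true and fills `out` only for a name that is safe to use
 * as a child of the user-selected directory. */
bool safe_attachment_name(const char *name, char *out, size_t out_len)
{
    if (name == NULL || out_len == 0)
        return false;

    size_t end = strlen(name);
    while (end > 0 && name[end - 1] == '/')   /* strip trailing separators */
        end--;
    if (end == 0)
        return false;                          /* "" or only separators */

    size_t start = end;                        /* find last component */
    while (start > 0 && name[start - 1] != '/')
        start--;

    size_t len = end - start;
    if (len >= out_len)
        return false;                          /* would not fit in out */
    if ((len == 1 && name[start] == '.') ||
        (len == 2 && name[start] == '.' && name[start + 1] == '.'))
        return false;                          /* "." / ".." still traverse */

    memcpy(out, name + start, len);
    out[len] = '\0';
    return true;
}

int main(void)
{
    /* Constructed sample names; the first is the payload from this report. */
    const char *samples[] = { "../Desktop/test.desktop", "report.pdf", "..", "dir/", "" };
    char buf[64];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        bool ok = safe_attachment_name(samples[i], buf, sizeof buf);
        printf("%-26s -> %s\n", samples[i], ok ? buf : "(rejected)");
    }
    return 0;
}
```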
Steps to Reproduce
- Generate a malicious PDF using the PoC script from the full report: the attachment is named ../Desktop/test.desktop and contains a valid .desktop entry that executes an arbitrary command
- Open poc.pdf in xreader
- In the sidebar, right-click the attachment and select "Save Attachment As..."
- Select any directory (e.g., ~/Documents/); test.desktop is written to ~/Desktop/ instead of the selected directory
- Double-clicking the .desktop file executes the embedded command
Suggested Fix
Extract the basename before passing it to g_file_get_child() in both code paths:
// line 7374
-save_to = g_file_get_child(target_file, ev_attachment_get_name(attachment));
+gchar *basename = g_path_get_basename(ev_attachment_get_name(attachment));
+save_to = g_file_get_child(target_file, basename);
+g_free(basename);
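Review bot: g_path_get_basename() returns "." for an empty name and ".." when the last component is "..", so the value produced by `+gchar *basename = g_path_get_basename(ev_attachment_get_name(attachment));` should still be rejected when it equals "." or ".." before `+save_to = g_file_get_child(target_file, basename);` runs; otherwise save_to can resolve to the target directory itself or its parent. Minor: the local `basename` shadows the libc basename() declared in <libgen.h> (and GNU <string.h>) if either is included; a name such as attachment_basename avoids the warning.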
// line 7400
-dest_file = g_file_get_child(target_file, ev_attachment_get_name(attachment));
+gchar *basename = g_path_get_basename(ev_attachment_get_name(attachment));
+dest_file = g_file_get_child(target_file, basename);
+g_free(basename);
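Review bot: this hunk repeats the same three lines as the first one; a small helper that derives the safe name once (basename plus the "." / ".." rejection) and is called from both the local and remote save paths keeps the two checks from drifting apart, and also avoids a duplicate `gchar *basename` declaration if lines 7374 and 7400 fall within the same scope.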
Impact
An attacker can write files with exact names to arbitrary locations on the filesystem. By writing a .desktop file to ~/Desktop/, arbitrary code execution is achieved when the user double-clicks it. The only user interaction required is opening the PDF, right-clicking the attachment, selecting "Save As", and choosing any directory.
References