Lymphatus Caesium-Image-Compressor Arbitrary Code Execution Vulnerability

A vulnerability allowing local attackers to execute arbitrary code has been identified in Lymphatus Caesium-Image-Compressor, in all versions up to and including commit 02da2c6. The issue arises in the PostCompressionActions component, specifically within the shutdownMachine and putMachineToSleep functions. These functions use system calls to execute operating system commands, such as shutting down or putting the machine to sleep, which can be exploited to run arbitrary code.

Impact

Exploitation of this vulnerability allows for local arbitrary code execution on the affected machine.

Remediation

A public pull request has been submitted to address this vulnerability by replacing the unsafe system calls with QProcess::startDetached() using explicit argument lists, which avoids shell interpretation. The pull request can be found in the Lymphatus Caesium-Image-Compressor repository.