Package: mutt Version: 1.7.2-1+deb9u1 Severity: normal Dear Maintainer,
I found a problem in both the stretch and testing versions of mutt. I do not know if upstream is affected. Steps to replicate: 0 - LibreOffice probably needs to be installed 1 - Create a file called 'one two.doc' 2 - Use mutt to compose an email, and attach the 'one two.doc' file 3 - Try to view the attached file from the attachment screen (right before submitting) LibreOffice will try to open "one" and "two.doc" instead of "one two.doc". It would seem that the filename is being passed to the shell, without sanitizing. This can even be used to run code; luckily the problem is only seen when composing email, not when opening received attachments, so it's not much of a security issue. Thank you for your attention, please let me know if you need any more information. -- Package-specific info: NeoMutt 20170113 (1.7.2) Copyright (C) 1996-2016 Michael R. Elkins and others. Mutt comes with ABSOLUTELY NO WARRANTY; for details type `mutt -vv'. Mutt is free software, and you are welcome to redistribute it under certain conditions; type `mutt -vv' for details. System: Linux 4.9.0-8-amd64 (x86_64) libidn: 1.33 (compiled with 1.33) hcache backends: tokyocabinet Compiler: Using built-in specs. COLLECT_GCC=gcc COLLECT_LTO_WRAPPER=/usr/lib/gcc/x86_64-linux-gnu/6/lto-wrapper Target: x86_64-linux-gnu Configured with: ../src/configure -v --with-pkgversion='Debian 6.3.0-18+deb9u1' --with-bugurl=file:///usr/share/doc/gcc-6/README.Bugs --enable-languages=c,ada,c++,java,go,d,fortran,objc,obj-c++ --prefix=/usr --program-suffix=-6 --program-prefix=x86_64-linux-gnu- --enable-shared --enable-linker-build-id --libexecdir=/usr/lib --without-included-gettext --enable-threads=posix --libdir=/usr/lib --enable-nls --with-sysroot=/ --enable-clocale=gnu --enable-libstdcxx-debug --enable-libstdcxx-time=yes --with-default-libstdcxx-abi=new --enable-gnu-unique-object --disable-vtable-verify --enable-libmpx --enable-plugin --enable-default-pie --with-system-zlib --disable-browser-plugin --enable-java-awt=gtk --enable-gtk-cairo --with-java-home=/usr/lib/jvm/java-1.5.0-gcj-6-amd64/jre --enable-java-home --with-jvm-root-dir=/usr/lib/jvm/java-1.5.0-gcj-6-amd64 --with-jvm-jar-dir=/usr/lib/jvm-exports/java-1.5.0-gcj-6-amd64 --with-arch-directory=amd64 --with-ecj-jar=/usr/share/java/eclipse-ecj.jar --with-target-system-zlib --enable-objc-gc=auto --enable-multiarch --with-arch-32=i686 --with-abi=m64 --with-multilib-list=m32,m64,mx32 --enable-multilib --with-tune=generic --enable-checking=release --build=x86_64-linux-gnu --host=x86_64-linux-gnu --target=x86_64-linux-gnu Thread model: posix gcc version 6.3.0 20170516 (Debian 6.3.0-18+deb9u1) Configure options: '--build=x86_64-linux-gnu' '--prefix=/usr' '--includedir=\${prefix}/include' '--mandir=\${prefix}/share/man' '--infodir=\${prefix}/share/info' '--sysconfdir=/etc' '--localstatedir=/var' '--disable-silent-rules' '--libdir=\${prefix}/lib/x86_64-linux-gnu' '--libexecdir=\${prefix}/lib/x86_64-linux-gnu' '--disable-maintainer-mode' '--disable-dependency-tracking' '--with-mailpath=/var/mail' '--enable-compressed' '--enable-debug' '--enable-fcntl' '--enable-hcache' '--enable-gpgme' '--enable-imap' '--enable-smtp' '--enable-pop' '--enable-sidebar' '--enable-nntp' '--enable-notmuch' '--disable-fmemopen' '--with-curses' '--with-gnutls' '--with-gss' '--with-idn' '--with-mixmaster' '--with-sasl' '--without-gdbm' '--without-bdb' '--without-qdbm' '--with-tokyocabinet' 'build_alias=x86_64-linux-gnu' 'CFLAGS=-g -O2 -fdebug-prefix-map=/build/mutt-bO92sq/mutt-1.7.2=. -fstack-protector-strong -Wformat -Werror=format-security' 'LDFLAGS=-Wl,-z,relro -Wl,-z,now' 'CPPFLAGS=-Wdate-time -D_FORTIFY_SOURCE=2' Compilation CFLAGS: -Wall -pedantic -Wno-long-long -g -O2 -fdebug-prefix-map=/build/mutt-bO92sq/mutt-1.7.2=. -fstack-protector-strong -Wformat -Werror=format-security -fno-delete-null-pointer-checks Compile options: +CRYPT_BACKEND_CLASSIC_PGP +CRYPT_BACKEND_CLASSIC_SMIME +CRYPT_BACKEND_GPGME +DEBUG +DL_STANDALONE +ENABLE_NLS -EXACT_ADDRESS -HOMESPOOL -LOCALES_HACK -SUN_ATTACHMENT +HAVE_BKGDSET +HAVE_COLOR +HAVE_CURS_SET +HAVE_FUTIMENS +HAVE_GETADDRINFO +HAVE_GETSID +HAVE_ICONV +HAVE_LANGINFO_CODESET +HAVE_LANGINFO_YESEXPR +HAVE_LIBIDN +HAVE_META +HAVE_REGCOMP +HAVE_RESIZETERM +HAVE_START_COLOR +HAVE_TYPEAHEAD +HAVE_WC_FUNCS +ICONV_NONTRANS +USE_COMPRESSED +USE_DOTLOCK +USE_FCNTL -USE_FLOCK -USE_FMEMOPEN -USE_GNU_REGEX +USE_GSS +USE_HCACHE +USE_IMAP +USE_NOTMUCH +USE_NNTP +USE_POP +USE_SASL +USE_SETGID +USE_SIDEBAR +USE_SMTP +USE_SSL_GNUTLS -USE_SSL_OPENSSL -DOMAIN MIXMASTER="mixmaster" -ISPELL SENDMAIL="/usr/sbin/sendmail" MAILPATH="/var/mail" PKGDATADIR="/usr/share/mutt" SYSCONFDIR="/etc" EXECSHELL="/bin/sh" patch-attach-headers-color-neomutt patch-compose-to-sender-neomutt patch-compress-neomutt patch-cond-date-neomutt patch-encrypt-to-self-neomutt patch-fmemopen-neomutt patch-forgotten-attachments-neomutt patch-forwref-neomutt patch-ifdef-neomutt patch-index-color-neomutt patch-initials-neomutt patch-keywords-neomutt patch-kyoto-neomutt patch-limit-current-thread-neomutt patch-lmdb-neomutt patch-multiple-fcc-neomutt patch-nested-if-neomutt patch-new-mail-neomutt patch-nntp-neomutt patch-notmuch-neomutt patch-progress-neomutt patch-quasi-delete-neomutt patch-reply-with-xorig-neomutt patch-sensible-browser-neomutt patch-sidebar-neomutt patch-skip-quoted-neomutt patch-status-color-neomutt patch-timeout-neomutt patch-tls-sni-neomutt patch-trash-neomutt To learn more about NeoMutt, visit: http://www.neomutt.org/ If you find a bug in NeoMutt, please raise an issue at: https://github.com/neomutt/neomutt/issues or send an email to: <neomutt-de...@neomutt.org> -- System Information: Debian Release: 9.5 APT prefers stable-updates APT policy: (500, 'stable-updates'), (500, 'stable') Architecture: amd64 (x86_64) Kernel: Linux 4.9.0-8-amd64 (SMP w/4 CPU cores) Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8), LANGUAGE=en_US:en (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system) Versions of packages mutt depends on: ii libassuan0 2.4.3-2 ii libc6 2.24-11+deb9u3 ii libcomerr2 1.43.4-2 ii libgnutls30 3.5.8-5+deb9u3 ii libgpg-error0 1.26-2 ii libgpgme11 1.8.0-3+b2 ii libgssapi-krb5-2 1.15-1+deb9u1 ii libidn11 1.33-1 ii libk5crypto3 1.15-1+deb9u1 ii libkrb5-3 1.15-1+deb9u1 ii libncursesw5 6.0+20161126-1+deb9u2 ii libnotmuch4 0.23.7-3 ii libsasl2-2 2.1.27~101-g0780600+dfsg-3 ii libtinfo5 6.0+20161126-1+deb9u2 ii libtokyocabinet9 1.4.48-11+b1 Versions of packages mutt recommends: ii libsasl2-modules 2.1.27~101-g0780600+dfsg-3 ii locales 2.24-11+deb9u3 ii mime-support 3.60 Versions of packages mutt suggests: ii aspell 0.60.7~20110707-3+b2 ii ca-certificates 20161130+nmu1+deb9u1 ii exim4-daemon-light [mail-transport-agent] 4.89-2+deb9u3 ii gnupg 2.1.18-8~deb9u2 ii ispell 3.4.00-5 pn mixmaster <none> ii openssl 1.1.0f-3+deb9u2 pn urlview <none> Versions of packages mutt is related to: ii mutt 1.7.2-1+deb9u1 -- no debconf information