Your message dated Fri, 12 Feb 2021 17:33:54 +0000
with message-id <[email protected]>
and subject line Bug#982614: fixed in tar 1.33+dfsg-1
has caused the Debian Bug report #982614,
regarding tar has mailcap entries with quoted %-escapes
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
982614: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=982614
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: tar
Version: 1.32+dfsg-1
Tags: patch, security
Dear Maintainer,
the tar package has mailcap entries with quoted %-escapes. That is considered
unsafe. Proper escaping should be left to the programs using the entry.
The discussion dates back to 1999:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=33486
resulting in this Lintian tag (triggered by tar):
https://lintian.debian.org/tags/quoted-placeholder-in-mailcap-entry.html
See also grave bug #930908, which was recently closed because "a Lintian test
already exists":
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=930908
Mutt and s-nail also agree:
http://www.mutt.org/doc/manual/#secure-mailcap
https://www.sdaoden.eu/code-nail.html#37
If you think this is not important because mailcap is old and in the process to
be replaced with something better, believe me I wish for it to be gone as soon
as possible.
The problem is that we are still stuck with it:
1) the mime-support package has an install base of 99.36% (popcon), and there's
no way to disable auto generation of /etc/mailcap, so everyone has the rules;
2) some popular and useful mailcap-aware programs still exists, but even if you
wanted to avoid them there's no easy way for the user to be sure of doing so;
3) if a certain combination of mail user agent (or document opener) and mailcap
rule is used, you can own a machine just by making the user open a malicious
email, or a file with a malicious name.
RFC-1524 actually leaves quoting policy unspecified, which led to nearly 30
years of bad security around mailcap, but you can see it from the examples:
https://tools.ietf.org/html/rfc1524#page-11
If you need more information let me know.
Thanks,
MNZ
diff --git a/debian/tar.mime b/debian/tar.mime
index 41929b4..485c173 100644
--- a/debian/tar.mime
+++ b/debian/tar.mime
@@ -1,3 +1,3 @@
-application/x-tar; /bin/tar tvf '%s'; print=/bin/tar tvf - | print text/plain:-; copiousoutput ; priority=1
-application/x-gtar; /bin/tar tvf '%s'; print=/bin/tar tvf - | print text/plain:-; copiousoutput ; priority=1
-application/x-ustar; /bin/tar tvf '%s'; print=/bin/tar tvf - | print text/plain:-; copiousoutput ; priority=1
+application/x-tar; /bin/tar tvf %s; print=/bin/tar tvf - | print text/plain:-; copiousoutput ; priority=1
+application/x-gtar; /bin/tar tvf %s; print=/bin/tar tvf - | print text/plain:-; copiousoutput ; priority=1
+application/x-ustar; /bin/tar tvf %s; print=/bin/tar tvf - | print text/plain:-; copiousoutput ; priority=1
--- End Message ---
--- Begin Message ---
Source: tar
Source-Version: 1.33+dfsg-1
Done: Janos Lenart <[email protected]>
We believe that the bug you reported is fixed in the latest version of
tar, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Janos Lenart <[email protected]> (supplier of updated tar package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Fri, 12 Feb 2021 15:15:21 +0000
Source: tar
Architecture: source
Version: 1.33+dfsg-1
Distribution: unstable
Urgency: medium
Maintainer: Janos Lenart <[email protected]>
Changed-By: Janos Lenart <[email protected]>
Closes: 982614
Changes:
tar (1.33+dfsg-1) unstable; urgency=medium
.
* New upstream version
* Removed unsafe escaping from mailcap-entry; closes: #982614
* Fixed trailing whitespaces in debian/{changelog,control,rules}
Checksums-Sha1:
272bc1e2c33fd9a27b30035274ac47241fc6655e 2015 tar_1.33+dfsg-1.dsc
147fe6c45c0a5a8c845ca3869a69b65ce2137bf3 1980492 tar_1.33+dfsg.orig.tar.xz
59c8fa2ae38f02aa310680d3ee43ace024c871b1 19132 tar_1.33+dfsg-1.debian.tar.xz
4be36e85c5132675d39b45c48b337a7141c4e35e 6562 tar_1.33+dfsg-1_amd64.buildinfo
Checksums-Sha256:
cf65a70e10ee9f0056539cb28186b49efabbae90974fa8592e7ba6c1353d20c2 2015
tar_1.33+dfsg-1.dsc
62057f2ccf651ee1011262fc280b374b566ae435abe2e2f34b60e206eb1d2b97 1980492
tar_1.33+dfsg.orig.tar.xz
da35ccff4600874ef3a05c411deec961afd692736ae33fc5715ad40cd7542bb8 19132
tar_1.33+dfsg-1.debian.tar.xz
e066efa215a5c0385b075639e94006efc8f480ce448a15b2e25011129a01fb94 6562
tar_1.33+dfsg-1_amd64.buildinfo
Files:
fc9b3e88b5f295e2d705f18566c7837e 2015 utils required tar_1.33+dfsg-1.dsc
cf7b1852c75097553f09bb46580c972f 1980492 utils required
tar_1.33+dfsg.orig.tar.xz
7213ebd12462768a119dea5efd8ff73f 19132 utils required
tar_1.33+dfsg-1.debian.tar.xz
e899a829393d3a3dc9ba4751268286ff 6562 utils required
tar_1.33+dfsg-1_amd64.buildinfo
-----BEGIN PGP SIGNATURE-----
iQJEBAEBCAAuFiEEdo7cEyzfTA6B4wlSluMK3/PhXcMFAmAmtjUQHG9jc2lAZGVi
aWFuLm9yZwAKCRCW4wrf8+Fdw8lKEACGi6cfNBakV32KCnn5XQLXy/oNPQvHKIwJ
IOiQ+/ikwfR4CsxHsRW8bR7FOXyfurGKA5qe7ECyoJVUjxPCWqGiqCFhO7ZDFgVP
I9IfiSFaJU3CMRAW7yoU/i+o49gtE9Oka5CEYN3q3iLDl2j/dMQ8+4ehfTEkiv9w
IArZPiRNU8iWK7RtuMV09P4fo4bmqqMJuj4XfxlgY+kp6t2AyN9CPH+No/ShtPkO
alDfIS+RqFwHjdMyL7umww8EHNlELdm8UFnnD59rVhnxnEj7HA5DeLiqEbWVdOaZ
PgAHy5TAEqBvGQejBVw+tUHFnXmejApcEpJY+kuCCQr0cmb95XBThunwG93oQa5j
gy6C5+Ex0azTF9b3sYnpPVHDqx0nVKNjuOYs1/xJdYJQgLI5/PM+Yp847C1DgpBw
fXNCyzqdRuM2Sm72Wd8MxaZoxdsSx1D0zQE/6Ucw7Rgn7iVdQ7k5hR248UofMsUA
Vzvs7wF6S4DNmLSUnFJJwpg4yfaoxGQ8SoBV9WBPkyCIEBJCSbH4MZlXLsfsvCxZ
SDXBqPvHUdXWwUhP20kFF0iez8MgOnNMVgJ2cRExaxe1Ubt2zW6jjvx/u3CeZDFt
HIyhNkot/jlwotfZl4doRwDb7dF3vtGVQPhMaTv5LCoSBbNARA6TkKVTr/VFj+k/
4VZaNNBwnQ==
=NHg9
-----END PGP SIGNATURE-----
--- End Message ---