Your message dated Thu, 25 Feb 2021 18:48:38 +0000
with message-id <[email protected]>
and subject line Bug#982060: fixed in mailcap 3.69
has caused the Debian Bug report #982060,
regarding run-mailcap: special characters in file names break "open"
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
982060: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=982060
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: mailcap
Version: 3.68
Tags: security
Dear Maintainer,
run-mailcap fails if run as "open" on file names containing special characters.
It also allows shell command injection from file names (again:
https://www.debian.org/security/2014/dsa-3114).
Example:
$ echo 'text/plain; ls -l %s' >~/.mailcap
$ file='foo bar.txt'
$ touch "$file"
$ run-mailcap "$file" # ok
lrwxrwxrwx 1 mnz mnz 21 Feb 5 04:40 /tmp/tmp.34oUM9lQ1a -> '/home/mnz/foo bar.txt'
$ open "$file" # broken
ls: cannot access '/home/mnz/foo': No such file or directory
ls: cannot access 'bar.txt': No such file or directory
Warning: program returned non-zero exit code #512
$ file='$(rm -fr *).txt'
$ touch "$file"
$ run-mailcap "$file" # ok (the 'rm' is not executed)
lrwxrwxrwx 1 mnz mnz 25 Feb 5 04:43 /tmp/tmp.LkHbZAUlGQ -> '/home/mnz/$(rm -fr *).txt'
$ open "$file" # successful injection (the 'rm' is executed)
ls: cannot access '/home/mnz/.txt': No such file or directory
Warning: program returned non-zero exit code #512
--
The problem originates from this commit:
https://salsa.debian.org/debian/mailcap/-/commit/66f82f13d86d565ebe249a8b56da8dd0cb63e2ef
> Prevent run-mailcap from creating a temporary copy when run as "open".
It's not a temporary copy but a temporary symlink. The TempFile function is
only used to generate a name for the link.
Currently run-mailcap makes temporary copies only when decompressing or reading
from standard input.
The man page is giving false information, please fix this too:
SECURITY
A temporary copy of the file is opened if the file name matches the
Perl regular expression "[^[:alnum:],.:/@%^+=_-]", in order to protect
from the injection of shell commands, and to make sure that the name
can always be displayed in the current locale.
An alternative to making a temporary symlink would be to properly quote special
characters in the file name (as described here:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=980345).
Thanks,
MNZ
--- End Message ---
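The report above contrasts two defences against the same problem: either the mailcap command never sees the original file name (run-mailcap's temporary symlink with a safe name), or every special character in the name is quoted before substitution into the `%s` placeholder. The following is an added illustration, written for this page and not taken from run-mailcap or the mailcap package, that implements both in Python. It assumes hypothetical function names, approximates the man page's Perl class `[[:alnum:]]` with ASCII letters and digits, and uses a private temporary directory for the alias rather than a bare `mkstemp` name so that no unlink/symlink race exists.

```python
import os
import re
import shlex
import subprocess
import tempfile

# Character class quoted from the run-mailcap man page. Perl's [[:alnum:]]
# is locale aware; the ASCII approximation below is an assumption.
UNSAFE_CHAR = re.compile(r"[^A-Za-z0-9,.:/@%^+=_-]")


def needs_protection(filename: str) -> bool:
    """True if the name contains a character outside the safe set, i.e. it
    must not be pasted into a shell command line verbatim."""
    return UNSAFE_CHAR.search(filename) is not None


def substitute_unquoted(template: str, filename: str) -> str:
    """The behaviour the report calls broken: raw %s substitution.
    Returned only as a string for inspection; never handed to a shell here."""
    return template.replace("%s", filename)


def substitute_quoted(template: str, filename: str) -> str:
    """Hardened variant of the same substitution: each %s becomes one
    single-quoted shell word, so $(...), spaces and globs stay literal."""
    return template.replace("%s", shlex.quote(filename))


def safe_alias(path: str, tmpdir: str) -> str:
    """The defence 3.69 restores: a symlink whose own name contains only safe
    characters, so the mailcap command never sees the original name.
    A fresh mode-0700 directory holds the link, which avoids the race a
    mkstemp-then-replace sequence would have (design choice of this example)."""
    ext = os.path.splitext(path)[1]
    if needs_protection(ext):
        ext = ""                       # keep the suffix only if it is harmless
    link_dir = tempfile.mkdtemp(dir=tmpdir)
    link = os.path.join(link_dir, "file" + ext)
    os.symlink(os.path.abspath(path), link)
    return link


def run_mailcap_entry(template: str, filename: str, tmpdir: str):
    """Dispatch the way a hardened 'open' should: alias unsafe names first,
    then quote whatever is substituted. The mailcap command line itself is a
    shell command by definition, so shell=True is unavoidable; the point is
    that the attacker-controlled name is never interpreted by that shell."""
    target = safe_alias(filename, tmpdir) if needs_protection(filename) else filename
    cmd = substitute_quoted(template, target)
    return subprocess.run(cmd, shell=True, capture_output=True, text=True)


def demo():
    """Reproduce the report's first case (a name with a space) through the
    hardened path. Returns (returncode, stdout) of the mailcap command."""
    root = tempfile.mkdtemp()
    victim = os.path.join(root, "foo bar.txt")   # constructed sample file
    with open(victim, "w"):
        pass
    result = run_mailcap_entry("ls -l %s", victim, root)
    return result.returncode, result.stdout


if __name__ == "__main__":
    print(substitute_unquoted("ls -l %s", "$(rm -fr *).txt"))  # what 'open' did
    print(substitute_quoted("ls -l %s", "$(rm -fr *).txt"))    # harmless literal
    rc, out = demo()
    print(rc, out, end="")
```

Either defence alone is sufficient for the injection; the symlink additionally guarantees that the name shown to the viewer is printable in the current locale, which is the second reason the man page gives. Note that `needs_protection` is the gate for both: a name that passes it is safe to substitute unchanged.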
--- Begin Message ---
Source: mailcap
Source-Version: 3.69
Done: Charles Plessy <[email protected]>
We believe that the bug you reported is fixed in the latest version of
mailcap, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Charles Plessy <[email protected]> (supplier of updated mailcap package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Fri, 26 Feb 2021 03:24:36 +0900
Source: mailcap
Architecture: source
Version: 3.69
Distribution: unstable
Urgency: high
Maintainer: Mime-Support Packagers <[email protected]>
Changed-By: Charles Plessy <[email protected]>
Closes: 982060
Changes:
mailcap (3.69) unstable; urgency=high
.
7e52733 Revert 66f82f1 that broke opening of file names with unquoted
characters and created a possibility to inject arbitrary
commands. Thanks to Marriott NZ (Closes: #982060)
831845e Correct inaccuracy in run-mailcap's manual page.
Thanks to Marriott NZ
Checksums-Sha1:
627a15d9970bf7a103f0ebf00b6c6c98921862cf 1547 mailcap_3.69.dsc
8f89a6a44b9d731652e2b932a35d980694449267 26644 mailcap_3.69.tar.xz
d8b029efb4104fcdafc96e0e7593cd63f3e1fcbd 4407 mailcap_3.69_source.buildinfo
Checksums-Sha256:
dce5adca35e7a81bf53fb856adff796c1926f9690c499b3a06a69f28122d2e05 1547 mailcap_3.69.dsc
969c6e24d861f1c50203d93f8b5ddc680a2e2c3fd84de489b1b65baad92120cb 26644 mailcap_3.69.tar.xz
8a220d018e0d1726bd220d008e29276ec978d83b247e5e0ad4244afbc8334a65 4407 mailcap_3.69_source.buildinfo
Files:
b69b659bf35c05eda21e1804dd8e477b 1547 utils optional mailcap_3.69.dsc
bdf46dbc2030222b70daeeabad7072c6 26644 utils optional mailcap_3.69.tar.xz
1bb0f50c9a73f09dea1ef0a1305b2d12 4407 utils optional mailcap_3.69_source.buildinfo
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---