It seems to be another error in claws-mail, not related to the xdg-utils
vulnerability. Please file a separate bug against the claws-mail
package. I ran "xdg-email --attach test.txt evil-t...@mymedia.su" via
strace and had the following in the terminal.

ubuntu@ubuntu:~$ LANG=C.UTF-8 apt-cache policy xdg-utils claws-mail
xdg-utils:
  Installed: 1.1.3-2ubuntu1.20.04.2
  Candidate: 1.1.3-2ubuntu1.20.04.2
  Version table:
 *** 1.1.3-2ubuntu1.20.04.2 500
        500 http://security.ubuntu.com/ubuntu focal-security/main amd64 Packages
        500 http://archive.ubuntu.com/ubuntu focal-updates/main amd64 Packages
        100 /var/lib/dpkg/status
     1.1.3-2ubuntu1 500
        500 http://archive.ubuntu.com/ubuntu focal/main amd64 Packages
claws-mail:
  Installed: 3.17.5-2
  Candidate: 3.17.5-2
  Version table:
 *** 3.17.5-2 500
        500 http://archive.ubuntu.com/ubuntu focal/universe amd64 Packages
        100 /var/lib/dpkg/status

ubuntu@ubuntu:~$ echo qwerty >test.txt
ubuntu@ubuntu:~$ strace -s 256 -f -qq -e 'trace=%process' -e 'signal=!all' -P `which claws-mail` env LANG=C.UTF-8 xdg-email --attach test.txt evil-t...@mymedia.su
execve("/usr/bin/claws-mail", ["claws-mail", "mailto:evil-t...@mymedia.su?attach=/home/ubuntu/test.txt"], 0x555673c99df0 /* 51 vars */) = 0
Gtk-Message: 19:53:06.153: Failed to load module "canberra-gtk-module"
/home/ubuntu/.claws-mail/toolbar_compose.xml: fopen: No such file or directory

(claws-mail:6012): Claws-Mail-WARNING **: 19:53:06.754: can't open signature file: '/home/ubuntu/.signature'
ubuntu@ubuntu:~$ 

I had changed the default mail application to Claws Mail. It displayed a
strange error message, "File Reply-To: doesn't exist or permission
denied". See my attached screenshot.


** Attachment added: "VirtualBox_KRika_12_01_2021_22_53_13.png"
   https://bugs.launchpad.net/bugs/1909941/+attachment/5452402/+files/VirtualBox_KRika_12_01_2021_22_53_13.png

-- 
https://bugs.launchpad.net/bugs/1909941

Title:
  xdg-email changes break simple-scan email functionality

Status in xdg-utils package in Ubuntu:
  Confirmed

Bug description:
  Observed on 16.04 to 20.04
  xdg-email no longer actions "-attach filename" arguments when running
  thunderbird following recent security fixes to protect against
  malicious use from browser
  ( https://security-tracker.debian.org/tracker/CVE-2020-27748 and
  https://ubuntu.com/security/CVE-2020-27748 )

  This breaks simple-scan "send by email" functionality and other
  applications too.

  https://gitlab.gnome.org/GNOME/simple-scan/-/issues/216
  https://forums.linuxmint.com/viewtopic.php?f=208&t=336053
  https://gitlab.freedesktop.org/xdg/xdg-utils/-/merge_requests/28 (see comments)
