Bug#982618: man-db has mailcap entries with quoted %-escapes

2021-02-12 Thread Colin Watson
On Fri, Feb 12, 2021 at 03:51:44PM +0100, Marriott NZ wrote:
> the man-db package has mailcap entries with quoted %-escapes. That is
> considered unsafe. Proper escaping should be left to the programs
> using the entry.

Thanks for the reminder - I'd been meaning to get round to fixing this
Lintian tag for a while, but hadn't quite got round to it.  I've applied
your patch and it'll be in my next upload.

-- 
Colin Watson (he/him)  [cjwat...@debian.org]
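
As an added illustration of the quoting policy this bug is about, not code from man-db or from either message in the thread: a small Python check that flags mailcap entries whose command wraps a %-escape in quotes (the Lintian tag's criterion, assumed here to mean a %s, %t or %{param} inside matching single or double quotes) and shows why a pre-quoted placeholder collides with a consumer that shell-quotes the substituted filename itself. The sample entries are constructed from the before/after form of the man-db entry; the filenames are constructed too.

```python
import re
import shlex

# Constructed sample: one man-db entry in its pre-quoted form and in its
# fixed form, plus comment lines, as they would appear in /etc/mailcap.
SAMPLE_MAILCAP = """\
# quoted placeholder: what Lintian's quoted-placeholder-in-mailcap-entry flags
application/x-troff-man; /usr/bin/man -l '%s'; needsterminal; description=Man page; priority=6
# bare placeholder: the consuming program quotes the filename itself
text/troff; /usr/bin/man -l %s; needsterminal; description=Man page; priority=6
"""

# A %s, %t or %{param} escape wrapped in matching single or double quotes.
QUOTED_PLACEHOLDER = re.compile(r"""(["'])%(?:s|t|\{[^}]*\})\1""")


def parse_mailcap(text):
    """Split RFC 1524 entries into (mimetype, command, [flag, ...]).
    Backslash-escaped semicolons belong to a field and do not separate fields."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip().replace("\\;", ";") for f in re.split(r"(?<!\\);", line)]
        if len(fields) >= 2:
            entries.append((fields[0], fields[1], fields[2:]))
    return entries


def find_quoted_placeholders(text):
    """Lint check: (mimetype, command) for every entry that quotes a %-escape."""
    return [(mt, cmd) for mt, cmd, _ in parse_mailcap(text)
            if QUOTED_PLACEHOLDER.search(cmd)]


def expand_command(command, filename):
    """Substitute %s the way a careful consumer does: shell-quote the filename
    itself, which only works as intended when the entry left %s bare."""
    return command.replace("%s", shlex.quote(filename))


def argv_for(command, filename):
    """Expand, then tokenise as /bin/sh would. Returns the argv the viewer would
    receive, or None when the expansion is not even valid shell syntax."""
    try:
        return shlex.split(expand_command(command, filename))
    except ValueError:
        return None
```

With the bare placeholder a filename such as "it's a man page.1" arrives at man as one argument; with the pre-quoted entry the consumer's quoting and the entry's quoting collide, so the same filename gives unbalanced quotes and a filename with a space is split into two arguments.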



Bug#982618: man-db has mailcap entries with quoted %-escapes

2021-02-12 Thread Marriott NZ
Package: man-db
Version: 2.9.4-1
Tags: patch, security

Dear Maintainer,
the man-db package has mailcap entries with quoted %-escapes. That is 
considered unsafe. Proper escaping should be left to the programs using the 
entry.

The discussion dates back to 1999:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=33486
resulting in this Lintian tag (triggered by man-db):
https://lintian.debian.org/tags/quoted-placeholder-in-mailcap-entry.html

See also grave bug #930908, which was recently closed because "a Lintian test 
already exists":
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=930908

Mutt and s-nail also agree:
http://www.mutt.org/doc/manual/#secure-mailcap
https://www.sdaoden.eu/code-nail.html#37

If you think this is not important because mailcap is old and in the process of 
being replaced with something better, believe me, I wish for it to be gone as soon 
as possible.
The problem is that we are still stuck with it:
1) the mime-support package has an install base of 99.36% (popcon), and there's 
no way to disable auto generation of /etc/mailcap, so everyone has the rules;
2) some popular and useful mailcap-aware programs still exist, but even if you 
wanted to avoid them there's no easy way for the user to be sure of doing so;
3) if a certain combination of mail user agent (or document opener) and mailcap 
rule is used, you can own a machine just by making the user open a malicious 
email, or a file with a malicious name.

RFC-1524 actually leaves quoting policy unspecified, which led to nearly 30 
years of bad security around mailcap, but you can see it from the examples:
https://tools.ietf.org/html/rfc1524#page-11

If you need more information let me know.

Thanks,
MNZ

diff --git a/debian/mime b/debian/mime
index 3168d4a..7da0245 100644
--- a/debian/mime
+++ b/debian/mime
@@ -19,15 +19,15 @@
 # "test -e gxditview" because it's in the "groff" package which is
 # only a Suggests of man-db and so may not be available.

-application/x-troff-man; /usr/bin/man -X100 -l '%s'; test=test -n "$DISPLAY" -a -e /usr/bin/gxditview; description=Man page; priority=6
-text/troff; /usr/bin/man -X100 -l '%s'; test=test -n "$DISPLAY" -a -e /usr/bin/gxditview; description=Man page; priority=6
-application/x-troff-man; /usr/bin/man -l '%s'; needsterminal; description=Man page; priority=6
-text/troff; /usr/bin/man -l '%s'; needsterminal; description=Man page; priority=6
+application/x-troff-man; /usr/bin/man -X100 -l %s; test=test -n "$DISPLAY" -a -e /usr/bin/gxditview; description=Man page; priority=6
+text/troff; /usr/bin/man -X100 -l %s; test=test -n "$DISPLAY" -a -e /usr/bin/gxditview; description=Man page; priority=6
+application/x-troff-man; /usr/bin/man -l %s; needsterminal; description=Man page; priority=6
+text/troff; /usr/bin/man -l %s; needsterminal; description=Man page; priority=6

 # "-Tascii" gives backspace overstriking, so use "col -b" to undo
 # that.  Piping to col also means "man" has a non-tty output and so
 # does not run its usual "more" etc pager, ensuring this entry is
 # non-interactive.
 #
-application/x-troff-man; /usr/bin/man -Tascii -l '%s' | col -b; copiousoutput; description=Man page; priority=2
-text/troff; /usr/bin/man -Tascii -l '%s' | col -b; copiousoutput; description=Man page; priority=2
+application/x-troff-man; /usr/bin/man -Tascii -l %s | col -b; copiousoutput; description=Man page; priority=2
+text/troff; /usr/bin/man -Tascii -l %s | col -b; copiousoutput; description=Man page; priority=2
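Review bot: Dropping the single quotes around %s in all six entries is the right fix for the quoted-placeholder-in-mailcap-entry tag the report cites: the program using the entry is the one that must quote the substituted filename for its own shell invocation, and a placeholder already wrapped in '...' collides with that quoting while giving no real protection with a consumer that does not quote, which is the point the report makes. The rest of each entry (test=, needsterminal, copiousoutput, description, priority) is untouched, so the hunk is scoped exactly to the bug. One suggestion: extend the comment block above these entries in debian/mime with a line recording that %s is left unquoted on purpose, so the quotes are not reintroduced later by someone who reads the bare placeholder as an omission.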