Package: imagemagick
Version: 8:6.9.11.60+dfsg-1.3
Tags: patch, security

Dear Maintainer,
the imagemagick package ships mailcap entries in which the %-escapes are quoted. That is 
considered unsafe: proper escaping should be left to the programs using the 
entry.

This Lintian tag is triggered:
https://lintian.debian.org/tags/quoted-placeholder-in-mailcap-entry.html

See also grave bug #930908, which was recently closed because "a Lintian test 
already exists":
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=930908

I'm using the "security" tag because the affected rules in combination with 
certain mail user agents (or document openers) are the cause of a shell command 
injection vulnerability.

If you need more information let me know.

Thanks,
MNZ
diff --git a/debian/imagemagick-IMVERSION.QUANTUMDEPTH.mime.in b/debian/imagemagick-IMVERSION.QUANTUMDEPTH.mime.in
index fd035f3..418f076 100644
--- a/debian/imagemagick-IMVERSION.QUANTUMDEPTH.mime.in
+++ b/debian/imagemagick-IMVERSION.QUANTUMDEPTH.mime.in
@@ -1,42 +1,42 @@
-image/avs; display-im${IMVERSION}.${QUANTUMDEPTH}. 'avs:%s'; test=test -n "$DISPLAY"; priority=2
-image/bie; display-im${IMVERSION}.${QUANTUMDEPTH} 'jbig:%s'; test=test -n "$DISPLAY"; priority=2
-image/x-ms-bmp; display-im${IMVERSION}.${QUANTUMDEPTH} 'bmp:%s'; test=test -n "$DISPLAY"; priority=2
-image/cmyk; display-im${IMVERSION}.${QUANTUMDEPTH} 'cmyk:%s'; test=test -n "$DISPLAY"; priority=2
-image/dcx; display-im${IMVERSION}.${QUANTUMDEPTH} 'dcx:%s'; test=test -n "$DISPLAY"; priority=2
-image/eps; display-im${IMVERSION}.${QUANTUMDEPTH} 'eps:%s'; test=test -n "$DISPLAY"; priority=2
-image/fax; display-im${IMVERSION}.${QUANTUMDEPTH} 'fax:%s'; test=test -n "$DISPLAY"; priority=2
-image/fits; display-im${IMVERSION}.${QUANTUMDEPTH} 'fits:%s'; test=test -n "$DISPLAY"; priority=2
-image/gif; display-im${IMVERSION}.${QUANTUMDEPTH} 'gif:%s'; test=test -n "$DISPLAY"; priority=2
-image/gray; display-im${IMVERSION}.${QUANTUMDEPTH} 'gray:%s'; test=test -n "$DISPLAY"; priority=2
-image/jpeg; display-im${IMVERSION}.${QUANTUMDEPTH} 'jpeg:%s'; test=test -n "$DISPLAY"; priority=2
-image/pjpeg; display-im${IMVERSION}.${QUANTUMDEPTH} 'jpeg:%s'; test=test -n "$DISPLAY"; priority=2
-image/miff; display-im${IMVERSION}.${QUANTUMDEPTH} 'miff:%s'; test=test -n "$DISPLAY"; priority=2
-image/mono; display-im${IMVERSION}.${QUANTUMDEPTH} 'mono:%s'; test=test -n "$DISPLAY"; priority=2
-image/mtv; display-im${IMVERSION}.${QUANTUMDEPTH} 'mtv:%s'; test=test -n "$DISPLAY"; priority=2
-image/x-portable-bitmap; display-im${IMVERSION}.${QUANTUMDEPTH} 'pbm:%s'; test=test -n "$DISPLAY"; priority=2
-image/pcd; display-im${IMVERSION}.${QUANTUMDEPTH} 'pcd:%s'; test=test -n "$DISPLAY"; priority=2
-image/pcx; display-im${IMVERSION}.${QUANTUMDEPTH} 'pcx:%s'; test=test -n "$DISPLAY"; priority=2
-image/pdf; display-im${IMVERSION}.${QUANTUMDEPTH} 'pdf:%s'; test=test -n "$DISPLAY"; priority=2
-image/x-portable-graymap; display-im${IMVERSION}.${QUANTUMDEPTH} 'pgm:%s'; test=test -n "$DISPLAY"; priority=2
-image/pict; display-im${IMVERSION}.${QUANTUMDEPTH} 'pict:%s'; test=test -n "$DISPLAY"; priority=2
-image/png; display-im${IMVERSION}.${QUANTUMDEPTH} 'png:%s'; test=test -n "$DISPLAY"; priority=2
-image/x-portable-anymap; display-im${IMVERSION}.${QUANTUMDEPTH} 'pnm:%s'; test=test -n "$DISPLAY"; priority=2
-image/x-portable-pixmap; display-im${IMVERSION}.${QUANTUMDEPTH} 'ppm:%s'; test=test -n "$DISPLAY"; priority=2
-image/ps; display-im${IMVERSION}.${QUANTUMDEPTH} 'ps:%s'; test=test -n "$DISPLAY"; priority=2
-image/rad; display-im${IMVERSION}.${QUANTUMDEPTH} 'rad:%s'; test=test -n "$DISPLAY"; priority=2
-image/x-rgb; display-im${IMVERSION}.${QUANTUMDEPTH} 'rgb:%s'; test=test -n "$DISPLAY"; priority=2
-image/rgba; display-im${IMVERSION}.${QUANTUMDEPTH} 'rgba:%s'; test=test -n "$DISPLAY"; priority=2
-image/rla; display-im${IMVERSION}.${QUANTUMDEPTH} 'rla:%s'; test=test -n "$DISPLAY"; priority=2
-image/rle; display-im${IMVERSION}.${QUANTUMDEPTH} 'rle:%s'; test=test -n "$DISPLAY"; priority=2
-image/sgi; display-im${IMVERSION}.${QUANTUMDEPTH} 'sgi:%s'; test=test -n "$DISPLAY"; priority=2
-image/sun-raster; display-im${IMVERSION}.${QUANTUMDEPTH} 'sun:%s'; test=test -n "$DISPLAY"; priority=2
-image/targa; display-im${IMVERSION}.${QUANTUMDEPTH} 'tga:%s'; test=test -n "$DISPLAY"; priority=2
-image/tiff; display-im${IMVERSION}.${QUANTUMDEPTH} 'tiff:%s'; test=test -n "$DISPLAY"; priority=2
-image/uyvy; display-im${IMVERSION}.${QUANTUMDEPTH} 'uyvy:%s'; test=test -n "$DISPLAY"; priority=2
-image/vid; display-im${IMVERSION}.${QUANTUMDEPTH} 'vid:%s'; test=test -n "$DISPLAY"; priority=2
-image/viff; display-im${IMVERSION}.${QUANTUMDEPTH} 'viff:%s'; test=test -n "$DISPLAY"; priority=2
-image/x-xbitmap; display-im${IMVERSION}.${QUANTUMDEPTH} 'xbm:%s'; test=test -n "$DISPLAY"; priority=2
-image/x-xpixmap; display-im${IMVERSION}.${QUANTUMDEPTH} 'xpm:%s'; test=test -n "$DISPLAY"; priority=2
-image/x-xwindowdump; display-im${IMVERSION}.${QUANTUMDEPTH} 'xwd:%s'; test=test -n "$DISPLAY"; priority=2
-image/x-icon; display-im${IMVERSION}.${QUANTUMDEPTH} 'icon:%s'; test=test -n "$DISPLAY"; priority=2
-image/yuv; display-im${IMVERSION}.${QUANTUMDEPTH} 'yuv:%s'; test=test -n "$DISPLAY"; priority=2
+image/avs; display-im${IMVERSION}.${QUANTUMDEPTH} avs:%s; test=test -n "$DISPLAY"; priority=2
+image/bie; display-im${IMVERSION}.${QUANTUMDEPTH} jbig:%s; test=test -n "$DISPLAY"; priority=2
+image/x-ms-bmp; display-im${IMVERSION}.${QUANTUMDEPTH} bmp:%s; test=test -n "$DISPLAY"; priority=2
+image/cmyk; display-im${IMVERSION}.${QUANTUMDEPTH} cmyk:%s; test=test -n "$DISPLAY"; priority=2
+image/dcx; display-im${IMVERSION}.${QUANTUMDEPTH} dcx:%s; test=test -n "$DISPLAY"; priority=2
+image/eps; display-im${IMVERSION}.${QUANTUMDEPTH} eps:%s; test=test -n "$DISPLAY"; priority=2
+image/fax; display-im${IMVERSION}.${QUANTUMDEPTH} fax:%s; test=test -n "$DISPLAY"; priority=2
+image/fits; display-im${IMVERSION}.${QUANTUMDEPTH} fits:%s; test=test -n "$DISPLAY"; priority=2
+image/gif; display-im${IMVERSION}.${QUANTUMDEPTH} gif:%s; test=test -n "$DISPLAY"; priority=2
+image/gray; display-im${IMVERSION}.${QUANTUMDEPTH} gray:%s; test=test -n "$DISPLAY"; priority=2
+image/jpeg; display-im${IMVERSION}.${QUANTUMDEPTH} jpeg:%s; test=test -n "$DISPLAY"; priority=2
+image/pjpeg; display-im${IMVERSION}.${QUANTUMDEPTH} jpeg:%s; test=test -n "$DISPLAY"; priority=2
+image/miff; display-im${IMVERSION}.${QUANTUMDEPTH} miff:%s; test=test -n "$DISPLAY"; priority=2
+image/mono; display-im${IMVERSION}.${QUANTUMDEPTH} mono:%s; test=test -n "$DISPLAY"; priority=2
+image/mtv; display-im${IMVERSION}.${QUANTUMDEPTH} mtv:%s; test=test -n "$DISPLAY"; priority=2
+image/x-portable-bitmap; display-im${IMVERSION}.${QUANTUMDEPTH} pbm:%s; test=test -n "$DISPLAY"; priority=2
+image/pcd; display-im${IMVERSION}.${QUANTUMDEPTH} pcd:%s; test=test -n "$DISPLAY"; priority=2
+image/pcx; display-im${IMVERSION}.${QUANTUMDEPTH} pcx:%s; test=test -n "$DISPLAY"; priority=2
+image/pdf; display-im${IMVERSION}.${QUANTUMDEPTH} pdf:%s; test=test -n "$DISPLAY"; priority=2
+image/x-portable-graymap; display-im${IMVERSION}.${QUANTUMDEPTH} pgm:%s; test=test -n "$DISPLAY"; priority=2
+image/pict; display-im${IMVERSION}.${QUANTUMDEPTH} pict:%s; test=test -n "$DISPLAY"; priority=2
+image/png; display-im${IMVERSION}.${QUANTUMDEPTH} png:%s; test=test -n "$DISPLAY"; priority=2
+image/x-portable-anymap; display-im${IMVERSION}.${QUANTUMDEPTH} pnm:%s; test=test -n "$DISPLAY"; priority=2
+image/x-portable-pixmap; display-im${IMVERSION}.${QUANTUMDEPTH} ppm:%s; test=test -n "$DISPLAY"; priority=2
+image/ps; display-im${IMVERSION}.${QUANTUMDEPTH} ps:%s; test=test -n "$DISPLAY"; priority=2
+image/rad; display-im${IMVERSION}.${QUANTUMDEPTH} rad:%s; test=test -n "$DISPLAY"; priority=2
+image/x-rgb; display-im${IMVERSION}.${QUANTUMDEPTH} rgb:%s; test=test -n "$DISPLAY"; priority=2
+image/rgba; display-im${IMVERSION}.${QUANTUMDEPTH} rgba:%s; test=test -n "$DISPLAY"; priority=2
+image/rla; display-im${IMVERSION}.${QUANTUMDEPTH} rla:%s; test=test -n "$DISPLAY"; priority=2
+image/rle; display-im${IMVERSION}.${QUANTUMDEPTH} rle:%s; test=test -n "$DISPLAY"; priority=2
+image/sgi; display-im${IMVERSION}.${QUANTUMDEPTH} sgi:%s; test=test -n "$DISPLAY"; priority=2
+image/sun-raster; display-im${IMVERSION}.${QUANTUMDEPTH} sun:%s; test=test -n "$DISPLAY"; priority=2
+image/targa; display-im${IMVERSION}.${QUANTUMDEPTH} tga:%s; test=test -n "$DISPLAY"; priority=2
+image/tiff; display-im${IMVERSION}.${QUANTUMDEPTH} tiff:%s; test=test -n "$DISPLAY"; priority=2
+image/uyvy; display-im${IMVERSION}.${QUANTUMDEPTH} uyvy:%s; test=test -n "$DISPLAY"; priority=2
+image/vid; display-im${IMVERSION}.${QUANTUMDEPTH} vid:%s; test=test -n "$DISPLAY"; priority=2
+image/viff; display-im${IMVERSION}.${QUANTUMDEPTH} viff:%s; test=test -n "$DISPLAY"; priority=2
+image/x-xbitmap; display-im${IMVERSION}.${QUANTUMDEPTH} xbm:%s; test=test -n "$DISPLAY"; priority=2
+image/x-xpixmap; display-im${IMVERSION}.${QUANTUMDEPTH} xpm:%s; test=test -n "$DISPLAY"; priority=2
+image/x-xwindowdump; display-im${IMVERSION}.${QUANTUMDEPTH} xwd:%s; test=test -n "$DISPLAY"; priority=2
+image/x-icon; display-im${IMVERSION}.${QUANTUMDEPTH} icon:%s; test=test -n "$DISPLAY"; priority=2
+image/yuv; display-im${IMVERSION}.${QUANTUMDEPTH} yuv:%s; test=test -n "$DISPLAY"; priority=2
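Review bot: The file carries no comment saying why `%s` must stay unquoted, so a later edit could put the quotes back; if update-mime accepts `#` comment lines in this file (worth confirming), add one at the top such as `# Keep %s unquoted: the mailcap consumer does the shell escaping (lintian quoted-placeholder-in-mailcap-entry)`. With the quotes gone, every entry relies on the consuming program escaping the substituted file name, so it is worth checking the result with run-mailcap and a file name containing spaces and shell metacharacters before upload. The new `image/avs` line also drops the stray `.` that followed `${QUANTUMDEPTH}` in the old line, which looks like a correct fix but is not mentioned in the report.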
