Bug#972146: /usr/share/applications/mono-runtime-common.desktop: should not handle MIME type by executing arbitrary code

2023-02-21 Thread Salvatore Bonaccorso
Hi Gabriel,

On Sat, Feb 18, 2023 at 12:04:27PM +0100, Gabriel Corona wrote:
> Hi!
>
> > A while has passed, and have now proposed the same change for bullseye
> > as well, cf. #1031527.
>
> Great!
>
> > There is no CVE assigned, if you feel strong about it, can you try to
> > get one allocated

2023-02-18 Thread Moritz Muehlenhoff
On Sat, Feb 18, 2023 at 12:04:27PM +0100, Gabriel Corona wrote:
> I believe obtaining a CVE ID would be beneficial so that this issue may be
> tracked by downstream projects/distributions.

All those distros were notified via your post to oss-security. You can try cveform, if there's no assignment

2023-02-18 Thread Gabriel Corona
Hi!

> A while has passed, and have now proposed the same change for bullseye
> as well, cf. #1031527.

Great!

> There is no CVE assigned, if you feel strong about it, can you try to
> get one allocated by MITRE via the cveform? I think we won't go through the needed workflow to assign a Debian

2023-02-17 Thread Salvatore Bonaccorso
Hi Gabriel,

On Thu, Feb 16, 2023 at 11:37:57PM +0100, Gabriel Corona wrote:
> Hi,
>
> Thanks for the patch!

Thanks for staying on top of the issue!

>
> This has been fixed in Debian testing and sid. However, stable is still
> affected. I believe it would make sense to port the patch to stable

2023-02-16 Thread Gabriel Corona
Hi,

Thanks for the patch!

This has been fixed in Debian testing and sid. However, stable is still affected. I believe it would make sense to port the patch to stable and allocate a CVE for this.

Regards,
Gabriel

2022-12-05 Thread Gabriel Corona
As a workaround, you should be able to disable this feature (and have the fix persist after a package update) with something like:

  mkdir -p /usr/local/share/applications
  cp /usr/share/applications/mono-runtime-*.desktop /usr/local/share/applications
  sed -i 's/^Exec=.*/Exec=false/'

2021-11-10 Thread Gabriel Corona
Hi,

Any help needed for this?

Regards,
Gabriel

2021-08-17 Thread Salvatore Bonaccorso
Hi Mono Maintainers,

On Tue, May 04, 2021 at 10:30:57PM +0200, Gabriel Corona wrote:
> Hi,
>
> Any update on this? This is actually very dangerous.
>
> $ xdg-open hello.exe
> Hello World!
> $ cp hello.exe hello.ΡDF # <- actually not a P but a uppercase rho
> $ xdg-open hello.PDF
> Hello World!

2021-05-04 Thread Gabriel Corona
Hi,

Any update on this? This is actually very dangerous.

$ xdg-open hello.exe
Hello World!
$ cp hello.exe hello.ΡDF # <- actually not a P but a uppercase rho
$ xdg-open hello.PDF
Hello World!

Gabriel

2020-10-13 Thread Simon McVittie
Package: mono-runtime-common
Version: 6.8.0.105+dfsg-3
Severity: important
File: /usr/share/applications/mono-runtime-common.desktop
Tags: security
X-Debbugs-Cc: Debian Security Team

/usr/share/applications/mono-runtime-common.desktop and /usr/share/applications/mono-runtime-terminal.desktop are