Your message dated Sat, 13 Feb 2021 19:33:28 +0000
with message-id <[email protected]>
and subject line Bug#982680: fixed in mutt 2.0.5-2
has caused the Debian Bug report #982680,
regarding mutt has mailcap entries with quoted %-escapes
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
982680: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=982680
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: mutt
Version: 2.0.5-1
Tags: patch, security
Dear Maintainer,
the mutt package has a mailcap entry with quoted %-escapes. That is considered
unsafe. Proper escaping should be left to the programs using the entry.
Mutt itself already handles it correctly, see the manual:
http://www.mutt.org/doc/manual/#secure-mailcap
The discussion dates back to 1999:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=33486
resulting in this Lintian tag (triggered by mutt):
https://lintian.debian.org/tags/quoted-placeholder-in-mailcap-entry.html
See also grave bug #930908, which was recently closed because "a Lintian test
already exists":
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=930908
S-nail also agrees:
https://www.sdaoden.eu/code-nail.html#37
If a certain combination of mail user agent (or document opener) and mailcap
rule is used, you can own a machine just by making the user open a malicious
email, or a file with a malicious name.
RFC-1524 actually leaves quoting policy unspecified, which led to nearly 30
years of bad security around mailcap, but you can see it from the examples:
https://tools.ietf.org/html/rfc1524#page-11
If you need more information let me know.
Thanks,
MNZ
diff --git a/debian/mutt.mime b/debian/mutt.mime
index 79f40a4..af3f520 100644
--- a/debian/mutt.mime
+++ b/debian/mutt.mime
@@ -1 +1 @@
-message/rfc822; mutt -Rf '%s'; edit=mutt -f '%s'; needsterminal
+message/rfc822; mutt -Rf %s; edit=mutt -f %s; needsterminal
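Review bot: dropping the single quotes around both %s placeholders (the view command and the edit= field) is the right fix for the entry shown. Mutt quotes the expanded filename itself when it runs a mailcap command (the secure-mailcap manual section the report links), so a '%s' written into the entry is quoted a second time: the command only works for filenames that contain no quote character, and in a consumer that does not quote, the entry's own quoting is exactly what a filename containing a quote can break out of. The hunk keeps the needsterminal flag and touches nothing else, which matches what the report asks for. For the record, the 2.0.5-2 changelog in the closing message also retires message/rfc822 in favour of application/mbox, so the entry that shipped differs from this one-line patch in its type field as well.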
--- End Message ---
--- Begin Message ---
Source: mutt
Source-Version: 2.0.5-2
Done: Antonio Radici <[email protected]>
We believe that the bug you reported is fixed in the latest version of
mutt, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Antonio Radici <[email protected]> (supplier of updated mutt package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Sat, 13 Feb 2021 20:05:26 +0100
Source: mutt
Architecture: source
Version: 2.0.5-2
Distribution: unstable
Urgency: medium
Maintainer: Mutt maintainers <[email protected]>
Changed-By: Antonio Radici <[email protected]>
Closes: 627134 982680
Changes:
mutt (2.0.5-2) unstable; urgency=medium
.
* debian/mutt.mime:
+ removed mutt as viewer for message/rfc822, changed that
to application/mbox (Closes: 627134).
+ removed quotes in the mime entry, as it is unsafe (Closes: 982680).
Checksums-Sha1:
24e1dd7f0df2296df27d0256b658b742ad35a7ad 2307 mutt_2.0.5-2.dsc
6d34e21ca19ef2f735d7335afb6aaf2d382094b7 60612 mutt_2.0.5-2.debian.tar.xz
d0769d2b6295a2876c0487534bf32ae9b26c387a 7968 mutt_2.0.5-2_amd64.buildinfo
Checksums-Sha256:
f91c294516c1ace69af581dc5c0f740e646393806f2c0f3c86b017e52d65beaa 2307 mutt_2.0.5-2.dsc
5044b03a989578460bc668239a7df141b924912841791881784cc4a9a918e02e 60612 mutt_2.0.5-2.debian.tar.xz
0a25db81b02dd9aa633ed9f321d4b452ddd006a2173f06647aadabf0ccdefedb 7968 mutt_2.0.5-2_amd64.buildinfo
Files:
4694ebf1cccc85e7c84a55b017671a80 2307 mail optional mutt_2.0.5-2.dsc
73505308fc6467022367ad7ad66f2e1b 60612 mail optional mutt_2.0.5-2.debian.tar.xz
2979e54fd1c40064df2d3d08e652c3bb 7968 mail optional mutt_2.0.5-2_amd64.buildinfo
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---