Package: man-db
Version: 2.9.4-1
Tags: patch, security

Dear Maintainer,

the man-db package has mailcap entries with quoted %-escapes. That is considered unsafe. Proper escaping should be left to the programs using the entry.
The discussion dates back to 1999: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=33486 resulting in this Lintian tag (triggered by man-db): https://lintian.debian.org/tags/quoted-placeholder-in-mailcap-entry.html

See also grave bug #930908, which was recently closed because "a Lintian test already exists": https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=930908

Mutt and s-nail also agree:
http://www.mutt.org/doc/manual/#secure-mailcap
https://www.sdaoden.eu/code-nail.html#37

If you think this is not important because mailcap is old and in the process of being replaced with something better, believe me, I wish for it to be gone as soon as possible. The problem is that we are still stuck with it:

1) the mime-support package has an install base of 99.36% (popcon), and there's no way to disable auto-generation of /etc/mailcap, so everyone has the rules;
2) some popular and useful mailcap-aware programs still exist, but even if you wanted to avoid them there's no easy way for the user to be sure of doing so;
3) if a certain combination of mail user agent (or document opener) and mailcap rule is used, you can own a machine just by making the user open a malicious email, or a file with a malicious name.

RFC-1524 actually leaves quoting policy unspecified, which led to nearly 30 years of bad security around mailcap, but you can see it from the examples: https://tools.ietf.org/html/rfc1524#page-11

If you need more information, let me know.

Thanks,
MNZ
diff --git a/debian/mime b/debian/mime index 3168d4a..7da0245 100644 --- a/debian/mime +++ b/debian/mime @@ -19,15 +19,15 @@ # "test -e gxditview" because it's in the "groff" package which is # only a Suggests of man-db and so may not be available. -application/x-troff-man; /usr/bin/man -X100 -l '%s'; test=test -n "$DISPLAY" -a -e /usr/bin/gxditview; description=Man page; priority=6 -text/troff; /usr/bin/man -X100 -l '%s'; test=test -n "$DISPLAY" -a -e /usr/bin/gxditview; description=Man page; priority=6 -application/x-troff-man; /usr/bin/man -l '%s'; needsterminal; description=Man page; priority=6 -text/troff; /usr/bin/man -l '%s'; needsterminal; description=Man page; priority=6 +application/x-troff-man; /usr/bin/man -X100 -l %s; test=test -n "$DISPLAY" -a -e /usr/bin/gxditview; description=Man page; priority=6 +text/troff; /usr/bin/man -X100 -l %s; test=test -n "$DISPLAY" -a -e /usr/bin/gxditview; description=Man page; priority=6 +application/x-troff-man; /usr/bin/man -l %s; needsterminal; description=Man page; priority=6 +text/troff; /usr/bin/man -l %s; needsterminal; description=Man page; priority=6 # "-Tascii" gives backspace overstriking, so use "col -b" to undo # that. Piping to col also means "man" has a non-tty output and so # does not run its usual "more" etc pager, ensuring this entry is # non-interactive. # -application/x-troff-man; /usr/bin/man -Tascii -l '%s' | col -b; copiousoutput; description=Man page; priority=2 -text/troff; /usr/bin/man -Tascii -l '%s' | col -b; copiousoutput; description=Man page; priority=2 +application/x-troff-man; /usr/bin/man -Tascii -l %s | col -b; copiousoutput; description=Man page; priority=2 +text/troff; /usr/bin/man -Tascii -l %s | col -b; copiousoutput; description=Man page; priority=2
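Review bot: all six entries in this hunk drop the quotes around %s consistently, but nothing in the file records why, and the surrounding comment block only explains the gxditview test and the "col -b" pipe, so a later edit could reintroduce '%s' without noticing. Suggest a short comment above the first entry, along the lines of `# Do not quote %s: the mailcap consumer is responsible for quoting the filename`, with a pointer to the quoted-placeholder-in-mailcap-entry Lintian tag, and a matching debian/changelog entry since the report is tagged security.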