Package: neomutt
Version: 20201127+dfsg.1-1
Tags: patch, security

Dear Maintainer,

the neomutt package has a mailcap entry with quoted %-escapes. That is considered unsafe. Proper escaping should be left to the programs using the entry. Mutt itself already handles it correctly, see the manual:
http://www.mutt.org/doc/manual/#secure-mailcap

The discussion dates back to 1999:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=33486
resulting in this Lintian tag (triggered by neomutt):
https://lintian.debian.org/tags/quoted-placeholder-in-mailcap-entry.html

See also grave bug #930908, which was recently closed because "a Lintian test already exists":
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=930908

S-nail also agrees:
https://www.sdaoden.eu/code-nail.html#37

If a certain combination of mail user agent (or document opener) and mailcap rule is used, you can own a machine just by making the user open a malicious email, or a file with a malicious name.

RFC-1524 actually leaves quoting policy unspecified, which led to nearly 30 years of bad security around mailcap, but you can see it from the examples:
https://tools.ietf.org/html/rfc1524#page-11

If you need more information let me know.

Thanks,
MNZ

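A check for the pattern this report describes, as an added example (not part of the original report and not Lintian's implementation): it parses mailcap entries and flags `%s`, `%t` or `%{param}` placeholders that sit inside shell quotes. The function names are hypothetical and the sample is constructed from the entry in this report's patch.

```python
import re
# Mailcap fields whose value is a shell command template (RFC 1524).
COMMAND_FIELDS = {"compose", "composetyped", "edit", "print", "test"}
PLACEHOLDER = re.compile(r"%(?:[st]|\{[^}]*\})")  # %s, %t, %{param}
# Constructed sample: line 1 is the old entry from this report, line 2 the patched one.
SAMPLE = """\
message/rfc822; neomutt -Rf '%s'; edit=neomutt -f '%s'; needsterminal
message/rfc822; neomutt -Rf %s; edit=neomutt -f %s; needsterminal
"""

def split_fields(entry):  # split on ';' unless it is backslash-escaped
    return [f.strip() for f in re.findall(r"(?:\\.|[^;\\])+", entry)]

def quoted_placeholders(command):
    """Return the placeholders that sit inside '...' or "..." in a command."""
    found, quote, i = [], None, 0
    while i < len(command):
        match = PLACEHOLDER.match(command, i)
        if command[i] == "\\":  # mailcap escape such as \% or \; is skipped
            i += 2
        elif match:
            if quote:
                found.append(match.group())
            i = match.end()
        else:
            if command[i] in "'\"":
                quote = None if quote == command[i] else (quote or command[i])
            i += 1
    return found

def lint_mailcap(text):
    """Return (line, mime_type, field, placeholder) for each quoted placeholder."""
    findings, pending, start = [], "", 0
    for number, raw in enumerate(text.splitlines(), 1):
        if not pending:
            if not raw.strip() or raw.lstrip().startswith("#"):
                continue  # blank line or comment
            start = number
        if raw.endswith("\\"):  # continuation: entry goes on in the next line
            pending += raw[:-1]
            continue
        fields, pending = split_fields(pending + raw), ""
        commands = [("view", f) for f in fields[1:2]]
        for name, sep, value in (f.partition("=") for f in fields[2:]):
            if sep and name.strip().lower() in COMMAND_FIELDS:
                commands.append((name.strip().lower(), value))
        for name, cmd in commands:
            findings += [(start, fields[0], name, p) for p in quoted_placeholders(cmd)]
    return findings
```

`lint_mailcap(SAMPLE)` reports the view and `edit` commands of line 1 and nothing for line 2.
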
diff --git a/debian/neomutt.mime b/debian/neomutt.mime index c32cf32..6ffa583 100644 --- a/debian/neomutt.mime +++ b/debian/neomutt.mime @@ -1 +1 @@ -message/rfc822; neomutt -Rf '%s'; edit=neomutt -f '%s'; needsterminal +message/rfc822; neomutt -Rf %s; edit=neomutt -f %s; needsterminal
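Review bot: The `+` line passes a bare `%s` in both the view command and the `edit=` field, so the entry now depends entirely on the mailcap consumer escaping the filename before substitution, and the diff records that reasoning nowhere because it touches only debian/neomutt.mime. Suggest adding a debian/changelog entry that names the Lintian tag quoted-placeholder-in-mailcap-entry and this bug, so a later edit does not put the quotes back as an apparent hardening.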

