Your message dated Wed, 14 Dec 2022 10:54:34 +0000
with message-id <e1p5ppg-006ry2...@fasolo.debian.org>
and subject line Bug#972146: fixed in mono 6.8.0.105+dfsg-3.3
has caused the Debian Bug report #972146,
regarding /usr/share/applications/mono-runtime-common.desktop: should not handle MIME type by executing arbitrary code
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
972146: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=972146
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: mono-runtime-common
Version: 6.8.0.105+dfsg-3
Severity: important
File: /usr/share/applications/mono-runtime-common.desktop
Tags: security
X-Debbugs-Cc: Debian Security Team <t...@security.debian.org>

/usr/share/applications/mono-runtime-common.desktop and
/usr/share/applications/mono-runtime-terminal.desktop are registered
as freedesktop.org MIME handlers for the application/x-ms-dos-executable
MIME type. They run the executable under mono(1) without any further
prompting. This means that doing normal "open a document" actions
will result in arbitrary code execution with normal user privileges:

- follow a web link to a downloadable file and accept the browser's
  offer to open it (mitigation: the user is prompted, and major
  browsers might special-case application/x-ms-dos-executable as
  particularly dangerous)
- follow a file:/// link in a non-web format that allows links, such
  as PDF
- open an email attachment
- xdg-desktop-portal forwarding an "open file" action from a Flatpak
  app (mitigation: this one involves user action to confirm which
  app should be used to open the file)

I don't think this is *necessarily* a security vulnerability, as such
(everything is doing what it is designed to do), but in 2020 it seems
deeply inadvisable. In particular, web browsers, email clients, and
sandboxed app frameworks like Flatpak and Snap, which are not generally
aware of the specifics of particular MIME types, have little choice but
to assume that opening a file is not normally arbitrary code execution.

The analogous MIME handling in Wine was removed in 2013
(<https://bugs.debian.org/327262>).

I would expect that Mono would either not handle
application/x-ms-dos-executable, or handle it with an application
that shows a "this is probably dangerous, are you sure?" prompt
first (like Wine used to do). I would personally prefer it
to not handle application/x-ms-dos-executable at all, due to
<https://en.wikipedia.org/wiki/Dancing_pigs>.

This was brought to my attention by a commit in GNOME's evince PDF
viewer which removes its "launch action" feature (part of the PDF spec,
but in practice mostly used by Windows malware) as a form of security
hardening. See <https://gitlab.gnome.org/GNOME/evince/-/issues/1333>
(I'm preparing an upload with the change referenced there), which uses
mono in its proof-of-concept.

Mitigation: GNOME users will find that org.gnome.FileRoller.desktop is a
preferred handler for application/x-ms-dos-executable. It isn't clear to
me how useful this really is (opening an executable as a zip-like archive
with "filenames" like .text and .bss seems more like a proof-of-concept
than something people would genuinely use) but at least it's harmless.
MATE's equivalent (fork?) of file-roller, engrampa, does the same.

Another mitigation: I was surprised to find that gnome-games-app also
associates itself with application/x-ms-dos-executable, alongside lots
of ROM formats (presumably so it can offer to run them in a sandbox
environment with Dosbox). This is hopefully OK, because gnome-games-app
hopefully has a lot more prompting and sandboxing than a general-purpose
program interpreter.

    smcv

--- End Message ---
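The report above hinges on a mechanical fact: any .desktop file whose MimeType= list contains application/x-ms-dos-executable becomes a candidate handler, and whatever its Exec= line runs is what "open" does. The following audit script is an added example by the editor, not code from the bug report or from the mono package. It parses a directory of desktop entries, lists every handler registered for a given MIME type together with its Exec line, and emits a per-user mimeapps.list snippet using the mime-apps specification's [Removed Associations] group to unregister the ones an administrator does not want. The sample entries it writes to a temporary directory are constructed for the demonstration; their contents are hypothetical and are only modelled on the handler names mentioned in the report.

```python
import configparser
import os
import tempfile

MIME = "application/x-ms-dos-executable"

# Constructed sample .desktop entries (hypothetical contents, modelled on
# the handlers named in the report; not copied from any Debian package).
SAMPLES = {
    "mono-runtime-common.desktop": (
        "[Desktop Entry]\nType=Application\nName=Mono Runtime\n"
        "Exec=mono %f\nNoDisplay=true\n"
        "MimeType=application/x-ms-dos-executable;\n"
    ),
    "org.gnome.FileRoller.desktop": (
        "[Desktop Entry]\nType=Application\nName=Archive Manager\n"
        "Exec=file-roller %U\n"
        "MimeType=application/zip;application/x-ms-dos-executable;\n"
    ),
    "org.gnome.Evince.desktop": (
        "[Desktop Entry]\nType=Application\nName=Document Viewer\n"
        "Exec=evince %U\nMimeType=application/pdf;\n"
    ),
}


def write_samples():
    """Write the constructed entries to a fresh temp dir; return its path."""
    d = tempfile.mkdtemp(prefix="desktop-audit-")
    for name, body in SAMPLES.items():
        with open(os.path.join(d, name), "w", encoding="utf-8") as f:
            f.write(body)
    return d


def parse_desktop(path):
    """Return the [Desktop Entry] group of a .desktop file as a dict, or None."""
    # RawConfigParser does no %-interpolation, so "Exec=mono %f" is read as-is.
    cp = configparser.RawConfigParser(strict=False)
    cp.optionxform = str  # desktop-entry keys (Exec, MimeType) are case-sensitive
    cp.read(path, encoding="utf-8")
    if not cp.has_section("Desktop Entry"):
        return None
    return dict(cp.items("Desktop Entry"))


def handlers_for(dirs, mimetype):
    """Map desktop-id -> Exec line for every entry in `dirs` listing `mimetype`."""
    found = {}
    for d in dirs:
        if not os.path.isdir(d):
            continue  # e.g. /usr/local/share/applications is often absent
        for name in sorted(os.listdir(d)):
            if not name.endswith(".desktop"):
                continue
            entry = parse_desktop(os.path.join(d, name))
            if not entry:
                continue
            # MimeType is a ';'-terminated list; drop the empty trailing field.
            types = [t for t in entry.get("MimeType", "").split(";") if t]
            if mimetype in types:
                found[name] = entry.get("Exec", "")
    return found


def removal_override(mimetype, desktop_ids):
    """mimeapps.list snippet that unregisters `desktop_ids` as handlers for `mimetype`.

    [Removed Associations] is the mime-apps spec mechanism for a user or site
    to drop associations that a package's .desktop file declares.
    """
    ids = ";".join(sorted(desktop_ids)) + ";"
    return f"[Removed Associations]\n{mimetype}={ids}\n"


if __name__ == "__main__":
    system_dirs = ["/usr/share/applications", "/usr/local/share/applications"]
    sample_dir = write_samples()
    for label, handlers in (("sample", handlers_for([sample_dir], MIME)),
                            ("system", handlers_for(system_dirs, MIME))):
        print(f"{label}: {handlers or 'no handlers'}")
    print(removal_override(MIME, ["mono-runtime-common.desktop",
                                  "mono-runtime-terminal.desktop"]))
```

The script only reports which entries claim the type; deciding which of them amounts to "run the file" (mono, wine) versus "inspect the file" (an archive manager) is a judgement call the output leaves to the reader. On a live system, `xdg-mime query default application/x-ms-dos-executable` shows which of the listed handlers the desktop would actually pick, and appending the generated snippet to ~/.config/mimeapps.list (or /etc/xdg/mimeapps.list for all users) removes the unwanted association without touching the package's files.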
--- Begin Message ---
Source: mono
Source-Version: 6.8.0.105+dfsg-3.3
Done: Salvatore Bonaccorso <car...@debian.org>

We believe that the bug you reported is fixed in the latest version of
mono, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 972...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <car...@debian.org> (supplier of updated mono package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 09 Dec 2022 14:33:03 +0100
Source: mono
Architecture: source
Version: 6.8.0.105+dfsg-3.3
Distribution: unstable
Urgency: medium
Maintainer: Debian Mono Group <pkg-mono-gr...@lists.alioth.debian.org>
Changed-By: Salvatore Bonaccorso <car...@debian.org>
Closes: 972146
Changes:
 mono (6.8.0.105+dfsg-3.3) unstable; urgency=medium
 .
   * Non-maintainer upload.
   * Revert "Added desktop file for mono with and without a terminal window"
     (Closes: #972146)
Checksums-Sha1:
 a6328f64e65334e8efe493449680434b23e9d8dc 19796 mono_6.8.0.105+dfsg-3.3.dsc
 c8cf23f89c835a3defa9fd1652bc733eae9efe79 136532 mono_6.8.0.105+dfsg-3.3.debian.tar.xz
 1faf68312140181825c77a857369e2c884dd7678 4830 mono_6.8.0.105+dfsg-3.3_source.buildinfo
Checksums-Sha256:
 691db0a4657222707277448467e33f05f19fa8eb80bb91113828187cc6e2d544 19796 mono_6.8.0.105+dfsg-3.3.dsc
 0d62c1d1ef2f0b00420d41b0a30db6dd172f3f6bdd6cfc8a8abe8bff6a5d5fc8 136532 mono_6.8.0.105+dfsg-3.3.debian.tar.xz
 a244550c997733965abe6499a3f0bce52926e134ca0b60b12340e052b3f72248 4830 mono_6.8.0.105+dfsg-3.3_source.buildinfo
Files:
 300c8a5c48320caa038d5ef742f6a8e5 19796 cli-mono optional mono_6.8.0.105+dfsg-3.3.dsc
 154fbda976a4c7a362336030aed8ba4e 136532 cli-mono optional mono_6.8.0.105+dfsg-3.3.debian.tar.xz
 8c31bf51e44371e238f854abc5b4c97c 4830 cli-mono optional mono_6.8.0.105+dfsg-3.3_source.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
