[Bug 1961600] Re: "open" command crashes when filename as space in it

2022-02-22 Thread bcwhite 
Okay, good.  Thanks for looking into it.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1961600

Title:
  "open" command crashes when filename as space in it

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/mailcap/+bug/1961600/+subscriptions


-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1961600] Re: "open" command crashes when filename as space in it

2022-02-22 Thread Mridul Gupta 
Hi Marc,

Thanks for the reply. I'll update when Ubuntu 22.04 LTS arrives.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1961600

Title:
  "open" command crashes when filename as space in it

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/mailcap/+bug/1961600/+subscriptions


-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1961600] Re: "open" command crashes when filename as space in it

2022-02-22 Thread Marc Deslauriers 
So it looks like this was an issue in the Debian package 3.68, which was
later corrected in 3.69:

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=982060

The 3.68 package did make it's way to Ubuntu 21.04.

Ubuntu 21.04 is no longer supported since January 20th 2022:

https://lists.ubuntu.com/archives/ubuntu-security-
announce/2022-January/006363.html

I suggest updating to a currently supported Ubuntu release to fix your
issue. Thanks!

** Bug watch added: Debian Bug tracker #982060
   https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=982060

** Changed in: mailcap (Ubuntu)
   Status: Incomplete => Won't Fix

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1961600

Title:
  "open" command crashes when filename as space in it

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/mailcap/+bug/1961600/+subscriptions


-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1961600] Re: "open" command crashes when filename as space in it

2022-02-22 Thread Marc Deslauriers 
Hi,

Thanks for reporting this issue, but I don't know where you got your
run-mailcap file from, as the one currently provided by Ubuntu has this:

if (decode(langinfo(CODESET()), $file) =~
m![^[:alnum:],.:/@%^+=_-]!i) {

The extra "and $0 !~ "open")" isn't present in official packages.

Please let us know where you got that run-mailcap file from. Thanks!

** Changed in: mailcap (Ubuntu)
   Status: New => Incomplete

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1961600

Title:
  "open" command crashes when filename as space in it

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/mailcap/+bug/1961600/+subscriptions


-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1961600] Re: "open" command crashes when filename as space in it

2022-02-22 Thread Marc Deslauriers 
** Information type changed from Public to Public Security

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1961600

Title:
  "open" command crashes when filename as space in it

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/mailcap/+bug/1961600/+subscriptions


-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1961600] Re: "open" command crashes when filename as space in it

2022-02-22 Thread bcwhite 
As the original author of the run-mailcap program, this hack to bypass
the check for shell meta-characters when called as "open" is DANGEROUS!
It allows the execution of arbitrary commands on a victim's computer
with a specially crafted filename if there is an mailcap entry with an
improperly quoted "%s" (and let's face it -- there is no proper quoting
that will handle all cases).  It was such an entry (in qpdfview) that
led to the discovery of this problem.

I suspect this extra condition was added at a time when the mailcap
package was missing a dependency on the package providing bin/mktemp,
something I believe has been fixed.

The upstream Debian package does not have this extra condition.
https://salsa.debian.org/debian/mailcap/-/blob/master/run-mailcap#L480

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1961600

Title:
  "open" command crashes when filename as space in it

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/mailcap/+bug/1961600/+subscriptions


-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs