Hello,
this is an update on the situation of quoted %-escapes in mailcap rules:
Of the 86 packages that are affected in buster:
- 39 have been fixed by the maintainers independently (presumably thanks to the
lintian tag):
audacity cgoban clustalx debian-edu-config djview4 drumkv1 feh geeqie
gi
Package: k4dirstat
Version: 3.2.2-1
Tags: security
Dear Maintainer,
the k4dirstat package desktop entry (/usr/share/applications/k4dirstat.desktop)
has quoted %-escapes in the Exec key, which is not standard compliant:
https://specifications.freedesktop.org/desktop-entry-spec/latest/ar01s07.html
Package: mysql-workbench
Version: 8.0.19+dfsg-1
Tags: security
Dear Maintainer,
the mysql-workbench package has mailcap entries with quoted %-escapes. That is
considered unsafe. Proper escaping should be left to the programs using the
entry.
This Lintian tag is triggered:
https://lintian.debian
Package: smpeg-plaympeg
Version: 0.4.5+cvs20030824-9
Tags: patch, security
Dear Maintainer,
the smpeg-plaympeg package has mailcap entries with quoted %-escapes. That is
considered unsafe. Proper escaping should be left to the programs using the
entry.
This Lintian tag is triggered:
https://lin
Package: imagemagick
Version: 8:6.9.11.60+dfsg-1.3
Tags: patch, security
Dear Maintainer,
the imagemagick package has mailcap entries with quoted %-escapes. That is
considered unsafe. Proper escaping should be left to the programs using the
entry.
This Lintian tag is triggered:
https://lintian.
Package: mgetty-viewfax
Version: 1.2.1-1.1
Tags: security
Dear Maintainer,
the mgetty-viewfax package has mailcap entries with quoted %-escapes. That is
considered unsafe. Proper escaping should be left to the programs using the
entry.
This Lintian tag is triggered:
https://lintian.debian.org/t
Package: caca-utils
Version: 0.99.beta19-2.2
Tags: patch, security
Dear Maintainer,
the caca-utils package has mailcap entries with quoted %-escapes. That is
considered unsafe. Proper escaping should be left to the programs using the
entry.
This Lintian tag is triggered:
https://lintian.debian.
Package: alsaplayer-daemon
Version: 0.99.81-2
Tags: patch, security
Dear Maintainer,
the alsaplayer-interface packages have mailcap entries with quoted %-escapes.
That is considered unsafe. Proper escaping should be left to the programs using
the entry.
This Lintian tag is triggered:
https://li
Package: tenace
Version: 0.16-2
Tags: security
Dear Maintainer,
the tenace package has mailcap entries with quoted %-escapes. That is
considered unsafe. Proper escaping should be left to the programs using the
entry.
This Lintian tag is triggered:
https://lintian.debian.org/tags/quoted-placehol
Package: stopmotion
Version: 0.8.5-2
Tags: patch, security
Dear Maintainer,
the stopmotion package has mailcap entries with quoted %-escapes. That is
considered unsafe. Proper escaping should be left to the programs using the
entry.
This Lintian tag is triggered:
https://lintian.debian.org/tags
Package: qgo
Version: 2.1~git-20180413-1
Tags: patch, security
Dear Maintainer,
the qgo package has mailcap entries with quoted %-escapes. That is considered
unsafe. Proper escaping should be left to the programs using the entry.
This Lintian tag is triggered:
https://lintian.debian.org/tags/quo
Package: most
Version: 5.0.0a-4
Tags: patch, security
Dear Maintainer,
the most package has mailcap entries with quoted %-escapes. That is considered
unsafe. Proper escaping should be left to the programs using the entry.
This Lintian tag is triggered:
https://lintian.debian.org/tags/quoted-plac
Package: ttyrec
Version: 1.0.8-5.1
Tags: patch, security
Dear Maintainer,
the ttyrec package has mailcap entries with quoted %-escapes. That is
considered unsafe. Proper escaping should be left to the programs using the
entry.
This Lintian tag is triggered:
https://lintian.debian.org/tags/quote
Package: planner
Version: 0.14.6-9
Tags: patch, security
Dear Maintainer,
the planner package has mailcap entries with quoted %-escapes. That is
considered unsafe. Proper escaping should be left to the programs using the
entry.
This Lintian tag is triggered:
https://lintian.debian.org/tags/quot
Package: libgsm-tools
Version: 1.0.18-2
Tags: patch, security
Dear Maintainer,
the libgsm-tools package has mailcap entries with quoted %-escapes. That is
considered unsafe. Proper escaping should be left to the programs using the
entry.
This Lintian tag is triggered:
https://lintian.debian.org
Package: fbi
Version: 2.10-4
Tags: patch, security
Dear Maintainer,
the fbi package has mailcap entries with quoted %-escapes. That is considered
unsafe. Proper escaping should be left to the programs using the entry.
This Lintian tag is triggered:
https://lintian.debian.org/tags/quoted-placehol
Package: dia
Version: 0.97.3+git20160930-9
Tags: patch, security
Dear Maintainer,
the dia package has mailcap entries with quoted %-escapes. That is considered
unsafe. Proper escaping should be left to the programs using the entry.
This Lintian tag is triggered:
https://lintian.debian.org/tags/q
Package: carmetal
Version: 3.5.2+dfsg-1.2
Tags: patch, security
Dear Maintainer,
the carmetal package has mailcap entries with quoted %-escapes. That is
considered unsafe. Proper escaping should be left to the programs using the
entry.
This Lintian tag is triggered:
https://lintian.debian.org/t
Hello,
I see.
I agree that such file is not useful out of the box, and personally I have no
objection to removing it (can't wait for mailcap to disappear :D).
But once fixed the file is probably not harmful either, and it can be useful to
a user who is willing to add the corresponding entries to
Package: latexdraw
Version: 3.3.8+ds1-1
Tags: patch, security
Dear Maintainer,
the latexdraw package has mailcap entries with quoted %-escapes. That is
considered unsafe. Proper escaping should be left to the programs using the
entry.
This Lintian tag is triggered:
https://lintian.debian.org/ta
Package: katarakt
Version: 0.2-3
Tags: patch, security
Dear Maintainer,
the katarakt package has mailcap entries with quoted %-escapes. That is
considered unsafe. Proper escaping should be left to the programs using the
entry.
This Lintian tag is triggered:
https://lintian.debian.org/tags/quote
Package: gthumb
Version: 3:3.11.2-0.1
Tags: patch, security
Dear Maintainer,
the gthumb package has mailcap entries with quoted %-escapes. That is
considered unsafe. Proper escaping should be left to the programs using the
entry.
This Lintian tag is triggered:
https://lintian.debian.org/tags/qu
Package: gnumeric
Version: 1.12.48-1
Tags: patch, security
Dear Maintainer,
the gnumeric package has mailcap entries with quoted %-escapes. That is
considered unsafe. Proper escaping should be left to the programs using the
entry.
This Lintian tag is triggered:
https://lintian.debian.org/tags/q
Package: freeplane
Version: 1.7.10-1
Tags: patch, security
Dear Maintainer,
the freeplane package has mailcap entries with quoted %-escapes. That is
considered unsafe. Proper escaping should be left to the programs using the
entry.
This Lintian tag is triggered:
https://lintian.debian.org/tags/
Package: emboss
Version: 6.6.0+dfsg-8
Tags: patch, security
Dear Maintainer,
the emboss package has mailcap entries with quoted %-escapes. That is
considered unsafe. Proper escaping should be left to the programs using the
entry.
This Lintian tag is triggered:
https://lintian.debian.org/tags/qu
Package: docx2txt
Version: 1.4-4
Tags: patch, security
Dear Maintainer,
the docx2txt package has mailcap entries with quoted %-escapes. That is
considered unsafe. Proper escaping should be left to the programs using the
entry.
This Lintian tag is triggered:
https://lintian.debian.org/tags/quote
Package: congruity
Version: 20-1
Tags: patch, security
Dear Maintainer,
the congruity package has mailcap entries with quoted %-escapes. That is
considered unsafe. Proper escaping should be left to the programs using the
entry.
This Lintian tag is triggered:
https://lintian.debian.org/tags/quot
Package: openshot-qt
Version: 2.5.1+dfsg1-1
Tags: security
Dear Maintainer,
the openshot-qt package has mailcap entries with quoted %-escapes. That is
considered unsafe. Proper escaping should be left to the programs using the
entry.
This Lintian tag is triggered:
https://lintian.debian.org/tag
Package: flowblade
Version: 2.8-1
Tags: security
Dear Maintainer,
the flowblade package has mailcap entries with quoted %-escapes. That is
considered unsafe. Proper escaping should be left to the programs using the
entry.
This Lintian tag is triggered:
https://lintian.debian.org/tags/quoted-pla
Package: vorbis-tools
Version: 1.4.0-11
Tags: patch, security
Dear Maintainer,
the vorbis-tools package has mailcap entries with quoted %-escapes. That is
considered unsafe. Proper escaping should be left to the programs using the
entry.
This Lintian tag is triggered:
https://lintian.debian.org
Package: neomutt
Version: 20201127+dfsg.1-1
Tags: patch, security
Dear Maintainer,
the neomutt package has a mailcap entry with quoted %-escapes. That is
considered unsafe. Proper escaping should be left to the programs using the
entry.
Mutt itself already handles it correctly, see the manual:
h
Package: mutt
Version: 2.0.5-1
Tags: patch, security
Dear Maintainer,
the mutt package has a mailcap entry with quoted %-escapes. That is considered
unsafe. Proper escaping should be left to the programs using the entry.
Mutt itself already handles it correctly, see the manual:
http://www.mutt.or
> Fixed in our repo, many thanks! Should I make an upload before bullseye for
> this?
I'm not familiar with package maintenance so I'll leave that choice to you. The
"info" package is not the only one left with this problem, but I'm working on
the others.
Actually I've been nagging people for 2
Package: texinfo
Version: 6.7.0.dfsg.2-6
Tags: patch, security
Dear Maintainer,
the texinfo package has mailcap entries with quoted %-escapes. That is
considered unsafe. Proper escaping should be left to the programs using the
entry.
The discussion dates back to 1999:
https://bugs.debian.org/cg
Package: man-db
Version: 2.9.4-1
Tags: patch, security
Dear Maintainer,
the man-db package has mailcap entries with quoted %-escapes. That is
considered unsafe. Proper escaping should be left to the programs using the
entry.
The discussion dates back to 1999:
https://bugs.debian.org/cgi-bin/bug
Package: tar
Version: 1.32+dfsg-1
Tags: patch, security
Dear Maintainer,
the tar package has mailcap entries with quoted %-escapes. That is considered
unsafe. Proper escaping should be left to the programs using the entry.
The discussion dates back to 1999:
https://bugs.debian.org/cgi-bin/bugrep
Package: mailcap
Version: 3.68
Tags: security
Dear Maintainer,
run-mailcap fails if run as "open" on file names containing special characters.
It also allows shell command injection from file names (again:
https://www.debian.org/security/2014/dsa-3114).
Example:
$ echo 'text/plain; ls -l %s' >~
Package: mailcap
Version: 3.68
Tags: security
Dear Maintainer,
run-mailcap is vulnerable to shell command injection in its input data.
Specifically, commands can be injected into a MIME type name, a charset name, or
other data originating from a Content-Type header.
If run-mailcap is used by som
Hi, thanks for such a quick reply.
On Thu, 17 Dec 2020 08:34:44 +0100, Rene Engelhard wrote:
> > 1) There is a Lintian test for this specific problem:
>
> I know and saw that one, and as long as there isn't a *definitive*
> answer am continuing what I am doing already: ignoring it.
>
> Or is linti
> Before I knew about the Lintian test I used to look for bad rules with these
> simple patterns:
> '.*%(s|t|{[^}]*}|n|F)'
> ".*%(s|t|{[^}]*}|n|F)"
Sorry, bad patterns. I forgot to quote literal braces:
'.*%(s|t|\{[^}]*\}|n|F)'
".*%(s|t|\{[^}]*\}|n|F)"
Package: lintian
Version: 2.42.0
X-Debbugs-CC: felix.lech...@lease-up.com, atom...@gmail.com
Hello,
thanks for your work on #33486 (check for unsafe mailcap entries).
I want to report a couple of issues:
1) only %s is checked
The top message in #33486 refers to "%-expansions", but the test only
Hello,
Unfortunately no progress yet on #928037, but I wanted to add here some info
from related bug reports.
1) There is a Lintian test for this specific problem:
https://lintian.debian.org/tags/quoted-placeholder-in-mailcap-entry.html
Package libreoffice and 40 more, currently trigger the warn
On Sat, 14 Nov 2020 08:47:53 +0900, Charles Plessy wrote:
> Rejoice ! I just split the package into two:
I didn't know you were considering this back in 2019, I just saw the message on
debian-devel, and I'm glad you decided to split.
> So you should be able to remove mailcap easily.
In the mea
> It very possibly might. Would you be interested in opening one? The
> information you have given here might be enough.
Can do, but I'll wait for Charles comments.
> Again, it would be nice to report that.
Agreed, but I'm unfamiliar with Thunderbird and I don't use it, so I think I'll
pass.
I
Thanks for your interest in the issue, Frank.
I've looked into the run-mailcap(1) script (the reference parser, included in
this package), and I found it also vulnerable to shell command injection.
(Test with --norun, at your own risk.)
-- rule
text/*; /usr/bin/w3m -T %t %s
-- exploit
$ type='te
This bug is no longer reproducible on bash 5.1-alpha compiled from source (but
it is reproducible on bash 5.0).
The changelog says:
g. `read -e' may now be used with arbitrary file descriptors (`read -u N').
That's probably it.
Seems fixed upstream:
https://bitbucket.org/McKael/mcabber-crew/commits/3385a4bb62efa71bb522ebd6e5f57c49e22a72e4
It doesn't really matter now, but I said that the empty string can deactivate
the option and that is not true. It must be *unset* (never set or explicitly
unset).
set disable_random_
About the MAILCAP/MAILCAPS issue: mutt uses MAILCAPS too (I did check the
manual before, but not the man page).
Now I tend to think that this is just another gnu mailutils bug and the common
practice is to follow the RFC (MAILCAPS), sorry for the noise.
I've looked into some other program for how they handle mailcap rules.
The RFC deliberately doesn't discuss security, and not all projects seems to be
aware of the problem.
If mailcap is supposed to be standard and interoperable (and not a security
nightmare), we need a central place for such con
Package: mime-support
Version: 3.60
Severity: normal
Dear Maintainer,
Please clarify how %-escapes in mailcap rules should be handled, because
RFC-1524 is unclear about it, and this is leading to differences in
implementations and security problems.
For example in gnu mailutils, you can do she
Package: mailutils
Version: 1:3.1.1-1
Severity: normal
Dear Maintainer,
I have this mailcap rule:
text/html; w3m -config $HOME/.w3m-config2 -dump -T text/html
but mailutils programs (like mail) don't use the shell to run this command,
which fails because the variable HOME is not expanded.
Fro
Package: mailutils
Version: 1:3.1.1-1
Severity: normal
Dear Maintainer,
My auto-generated /etc/mailcap have a rule like this:
text/html; /usr/bin/w3m -I %{charset} -dump -T text/html %s
so I sent an e-mail to myself, containing this header:
Content-Type: text/html; charset="$(rm -rf ~/*)"
the
Package: bash
Version: 4.4-5
Severity: normal
Dear Maintainer,
If the read builtin
- is called with both -e and -u FD, and
- FD is a terminal
then it doesn't read from the specified file descriptor FD as documented, but
it reads from the standard input instead.
For example:
## unexpected ('pip
Package: mcabber
Version: 1.0.4-1.1
Severity: normal
mcabber queries "disable_random_resource" as a string option rather than a
numeric (on/off) option. As a result, both "0" and "1" activate the option, and
only the empty string can deactivate it.
In xmpp.c:1858:
if (!settings_opt_get("disab
54 matches
Mail list logo
