Package: mailcap
Version: 3.68
Tags: security

Dear Maintainer,

run-mailcap fails if run as "open" on file names containing special characters. It also allows shell command injection from file names (again: https://www.debian.org/security/2014/dsa-3114).

Example:

$ echo 'text/plain; ls -l %s' >~/.mailcap

$ file='foo bar.txt'
$ touch "$file"
$ run-mailcap "$file" # ok
lrwxrwxrwx 1 mnz mnz 21 Feb 5 04:40 /tmp/tmp.34oUM9lQ1a -> '/home/mnz/foo bar.txt'
$ open "$file" # broken
ls: cannot access '/home/mnz/foo': No such file or directory
ls: cannot access 'bar.txt': No such file or directory
Warning: program returned non-zero exit code #512

$ file='$(rm -fr *).txt'
$ touch "$file"
$ run-mailcap "$file" # ok (the 'rm' is not executed)
lrwxrwxrwx 1 mnz mnz 25 Feb 5 04:43 /tmp/tmp.LkHbZAUlGQ -> '/home/mnz/$(rm -fr *).txt'
$ open "$file" # successful injection (the 'rm' is executed)
ls: cannot access '/home/mnz/.txt': No such file or directory
Warning: program returned non-zero exit code #512

--

The problem originates from this commit:
https://salsa.debian.org/debian/mailcap/-/commit/66f82f13d86d565ebe249a8b56da8dd0cb63e2ef

> Prevent run-mailcap from creating a temporary copy when run as "open".

It's not a temporary copy but a temporary symlink. The TempFile function is only used to generate a name for the link. Currently run-mailcap makes temporary copies only when decompressing or reading from standard input.

The man page is giving false information, please fix this too:

    SECURITY
        A temporary copy of the file is opened if the file name matches the
        Perl regular expression "[^[:alnum:],.:/@%^+=_-]", in order to protect
        from the injection of shell commands, and to make sure that the name
        can always be displayed in the current locale.

An alternative to making a temporary symlink would be to properly quote special characters in the file name (as described here: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=980345).

Thanks,
MNZ
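The quoting alternative mentioned at the end of the report, as an added example (not part of the original report and not run-mailcap's own code): it expands the report's `ls -l %s` entry with and without shell quoting and checks whether a command substitution in the file name runs. The helper names, the `INJECTED` marker, the harmless `touch` stand-in and the ASCII-only character class are assumptions made for this sketch.

```python
import os
import re
import shlex
import subprocess
import tempfile

# ASCII approximation of the man page's class "[^[:alnum:],.:/@%^+=_-]"
# (Python's re has no POSIX [:alnum:]; Perl may also accept locale letters).
UNSAFE = re.compile(r"[^A-Za-z0-9,.:/@%^+=_-]")


def needs_protection(name: str) -> bool:
    """True if the name contains a character outside the safe class."""
    return UNSAFE.search(name) is not None


def expand(template: str, path: str, quote: bool) -> str:
    """Substitute a bare %s in a mailcap command (assumed not already quoted)."""
    return template.replace("%s", shlex.quote(path) if quote else path)


def marker_created(template: str, name: str, quote: bool) -> bool:
    """Run the expanded command in a scratch directory and report whether
    the command substitution embedded in the file name was executed."""
    with tempfile.TemporaryDirectory() as tmp:
        open(os.path.join(tmp, name), "w").close()
        subprocess.run(["sh", "-c", expand(template, name, quote)], cwd=tmp,
                       stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
        return os.path.exists(os.path.join(tmp, "INJECTED"))


TEMPLATE = "ls -l %s"               # mailcap entry from the report
SPACED = "foo bar.txt"              # file name from the report
HOSTILE = "$(touch INJECTED).txt"   # constructed, harmless stand-in for the report's name

if __name__ == "__main__":
    for name in (SPACED, HOSTILE):
        print(repr(name), "needs protection:", needs_protection(name))
        print("  quoted expansion:", expand(TEMPLATE, name, True))
    print("substitution ran, unquoted:", marker_created(TEMPLATE, HOSTILE, False))
    print("substitution ran, quoted:  ", marker_created(TEMPLATE, HOSTILE, True))
```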