Package: tar
Version: 1.32+dfsg-1
Tags: patch, security

Dear Maintainer,

the tar package has mailcap entries with quoted %-escapes. That is considered unsafe. Proper escaping should be left to the programs using the entry.
The discussion dates back to 1999: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=33486

resulting in this Lintian tag (triggered by tar): https://lintian.debian.org/tags/quoted-placeholder-in-mailcap-entry.html

See also grave bug #930908, which was recently closed because "a Lintian test already exists": https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=930908

Mutt and s-nail also agree:
http://www.mutt.org/doc/manual/#secure-mailcap
https://www.sdaoden.eu/code-nail.html#37

If you think this is not important because mailcap is old and in the process of being replaced with something better, believe me, I wish for it to be gone as soon as possible. The problem is that we are still stuck with it:

1) the mime-support package has an install base of 99.36% (popcon), and there's no way to disable auto-generation of /etc/mailcap, so everyone has the rules;
2) some popular and useful mailcap-aware programs still exist, but even if you wanted to avoid them there's no easy way for the user to be sure of doing so;
3) if a certain combination of mail user agent (or document opener) and mailcap rule is used, you can own a machine just by making the user open a malicious email, or a file with a malicious name.

RFC-1524 actually leaves quoting policy unspecified, which led to nearly 30 years of bad security around mailcap, but you can see it from the examples: https://tools.ietf.org/html/rfc1524#page-11

If you need more information let me know.

Thanks,
MNZ
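The following is an added example, not part of the bug report or of the tar or mime-support packages. It shows the two halves of the point above: a check that flags mailcap view commands whose `%s` is wrapped in quotes (the same condition the Lintian tag describes), and the consumer-side substitution that RFC 1524's examples and mutt's secure-mailcap guidance assume, where the program using the entry shell-quotes the filename itself. The sample mailcap text, the function names (`parse_entry`, `find_quoted_placeholders`, `build_command`, `substituted_argv`) and the filenames are constructed for illustration.

```python
"""Flag quoted %s placeholders in mailcap entries and substitute
filenames the way a mailcap consumer should (quote, then substitute).
Added example; not code from the tar package or from Lintian."""
import re
import shlex

# Constructed sample mailcap text for this example; not a real system file.
SAMPLE_MAILCAP = (
    "application/x-tar; /bin/tar tvf '%s'; print=/bin/tar tvf - | print text/plain:-; copiousoutput ; priority=1\n"
    "application/x-gtar; /bin/tar tvf %s; print=/bin/tar tvf - | print text/plain:-; copiousoutput ; priority=1\n"
    "text/html; lynx -dump \"%s\"; copiousoutput\n"
)

# A %s that the entry author wrapped in matching single or double quotes.
QUOTED_PLACEHOLDER = re.compile(r"""(['"])%s\1""")


def parse_entry(line):
    """Split one mailcap line into (mime_type, view_command, extra_fields).
    Fields are ';'-separated; an escaped '\\;' inside a field is not a separator."""
    fields = [f.strip() for f in re.split(r"(?<!\\);", line)]
    return fields[0], fields[1], fields[2:]


def find_quoted_placeholders(mailcap_text):
    """Return the MIME types whose view command contains a quoted %s,
    i.e. entries that do their own quoting instead of leaving it to the consumer."""
    hits = []
    for line in mailcap_text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # blank lines and comments carry no entry
        mime_type, view_cmd, _extra = parse_entry(line)
        if QUOTED_PLACEHOLDER.search(view_cmd):
            hits.append(mime_type)
    return hits


def build_command(view_cmd, filename):
    """Consumer-side substitution: shell-quote the filename first, then put it
    in place of %s. Only a bare %s in the entry yields one correctly quoted word."""
    return view_cmd.replace("%s", shlex.quote(filename))


def substituted_argv(view_cmd, filename):
    """Tokenise the built command with POSIX shell rules so it is visible
    which argv element(s) the filename turned into."""
    return shlex.split(build_command(view_cmd, filename))


if __name__ == "__main__":
    print("entries with quoted %s:", find_quoted_placeholders(SAMPLE_MAILCAP))
    # With a bare %s the consumer's quoting keeps a name with a space as one argument;
    # with '%s' in the entry the two layers of quotes cancel and the name is split.
    print(substituted_argv("/bin/tar tvf %s", "my archive.tar"))
    print(substituted_argv("/bin/tar tvf '%s'", "my archive.tar"))
```

Running the module prints the two flagged MIME types from the sample and then the two argv lists: with the bare `%s` the filename stays a single argument, while with the entry-quoted `'%s'` the consumer's own quotes collide with the entry's and the name is broken into separate words, which is the concrete reason the quoting has to live in exactly one place, the consumer.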
diff --git a/debian/tar.mime b/debian/tar.mime index 41929b4..485c173 100644 --- a/debian/tar.mime +++ b/debian/tar.mime @@ -1,3 +1,3 @@ -application/x-tar; /bin/tar tvf '%s'; print=/bin/tar tvf - | print text/plain:-; copiousoutput ; priority=1 -application/x-gtar; /bin/tar tvf '%s'; print=/bin/tar tvf - | print text/plain:-; copiousoutput ; priority=1 -application/x-ustar; /bin/tar tvf '%s'; print=/bin/tar tvf - | print text/plain:-; copiousoutput ; priority=1 +application/x-tar; /bin/tar tvf %s; print=/bin/tar tvf - | print text/plain:-; copiousoutput ; priority=1 +application/x-gtar; /bin/tar tvf %s; print=/bin/tar tvf - | print text/plain:-; copiousoutput ; priority=1 +application/x-ustar; /bin/tar tvf %s; print=/bin/tar tvf - | print text/plain:-; copiousoutput ; priority=1
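Review bot: the three replaced lines drop the single quotes around `%s` only in the view command, which is the right scope: the `print=` halves of each entry pipe the file through `/bin/tar tvf -` on stdin and contain no `%s`, so they are unaffected and correctly left alone. A bare `%s` is what RFC 1524's examples and the Lintian tag cited above expect, because the mailcap consumer (mutt and s-nail both document this) quotes the filename before substitution; an entry that adds its own quotes around `%s` layers a second set of quotes on top of the consumer's, and that double quoting is exactly what a hostile filename can exploit. Since the hunk touches only debian/tar.mime, the patch carries no debian/changelog entry; adding one that closes this bug would help the maintainer track the fix.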