Package: general
Severity: grave
Tags: security
Justification: user security hole
Affects: mutt
The /etc/mailcap file contains many rules with '%s' instead of %s,
for instance:
text/*; less '%s'; needsterminal
audio/ogg; ogginfo '%s'; copiousoutput
This is incorrect. For instance, Mutt quotes the filename, so that
it generates command lines like
less ''filename''
as seen in strace output:
execve("/home/vinc17/bin/sh.screen", ["sh", "-c", "less ''/var/tmp/_.txt''"],
0x564ffe666f40 /* 132 vars */) = 0
i.e. the filename is eventually not quoted!
Here the filename is sanitized, but I'm not sure that this is always
the case (there's a mailcap_sanitize option that can be set to "no",
even though this is strongly discouraged). And Mutt wouldn't need to
quote the filename if this were ensured; anyway, one of its security
features (quoting the filename, just in case) is broken by these
incorrect mailcap rules. Other programs might also strongly rely on
correct rules.
-- System Information:
Debian Release: 10.0
APT prefers unstable-debug
APT policy: (500, 'unstable-debug'), (500, 'stable-updates'), (500,
'unstable'), (500, 'testing'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 4.19.0-5-amd64 (SMP w/8 CPU cores)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE,
TAINT_UNSIGNED_MODULE
Locale: LANG=POSIX, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=POSIX
(charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
