Package: general
Severity: grave
Tags: security
Justification: user security hole
Affects: mutt

The /etc/mailcap file contains many rules with '%s' instead of %s, for instance:

text/*; less '%s'; needsterminal
audio/ogg; ogginfo '%s'; copiousoutput

This is incorrect. For instance, Mutt quotes the filename, so that it generates command lines like

less ''filename''

as seen in strace output:

execve("/home/vinc17/bin/sh.screen", ["sh", "-c", "less ''/var/tmp/_.txt''"], 0x564ffe666f40 /* 132 vars */) = 0

i.e. the filename is eventually not quoted! Here the filename is sanitized, but I'm not sure that this is always the case (there's a mailcap_sanitize option that can be set to "no", even though this is strongly discouraged). And Mutt wouldn't need to quote the filename if this were ensured; anyway, one of its security features (quoting the filename, just in case) is broken by these incorrect mailcap rules. Other programs might also strongly rely on correct rules.

-- System Information:
Debian Release: 10.0
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'stable-updates'), (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-5-amd64 (SMP w/8 CPU cores)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=POSIX, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=POSIX (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
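The following script is an added illustration, not part of the bug report or of Mutt or Debian's mailcap tooling. It does two things: it scans mailcap text for rules that quote %s themselves, and it reproduces the quoting collision described above by substituting a single-quoted filename into such a rule and splitting the result the way sh would. The mailcap entries and filenames are constructed samples; the expansion step assumes, as the strace line above shows, that the viewer always wraps the filename in single quotes.

```python
import re
import shlex

# Constructed sample of mailcap entries (not the real /etc/mailcap):
# lines 2, 3 and 5 quote %s themselves, line 4 is the correct form.
SAMPLE_MAILCAP = """\
# comment line
text/*; less '%s'; needsterminal
audio/ogg; ogginfo '%s'; copiousoutput
image/png; display %s
application/pdf; xpdf '%s'; test=test -n "$DISPLAY"
"""

# Matches %s wrapped in matching single or double quotes.
QUOTED_PLACEHOLDER = re.compile(r"(['\"])%s\1")


def find_quoted_placeholders(mailcap_text):
    """Return (line_no, rule) for every rule that quotes %s itself.

    Such rules defeat a viewer that already quotes the filename, because
    the two layers of single quotes cancel each other out in sh.
    """
    hits = []
    for line_no, line in enumerate(mailcap_text.splitlines(), 1):
        rule = line.strip()
        if not rule or rule.startswith("#"):
            continue
        if QUOTED_PLACEHOLDER.search(rule):
            hits.append((line_no, rule))
    return hits


def single_quote(filename):
    """Always wrap in single quotes, escaping embedded single quotes.

    Assumption: this mirrors the quoting visible in the strace output
    (Mutt produced ''/var/tmp/_.txt'' from a '%s' rule).
    """
    return "'" + filename.replace("'", "'\\''") + "'"


def expand_rule(command_template, filename):
    """Substitute the quoted filename for %s, as a viewer would."""
    return command_template.replace("%s", single_quote(filename))


def shell_argv(command_line):
    """Split the command the way sh -c would, giving the argv the viewer sees."""
    return shlex.split(command_line)


if __name__ == "__main__":
    for line_no, rule in find_quoted_placeholders(SAMPLE_MAILCAP):
        print(f"line {line_no}: quoted %s in rule: {rule}")

    # A filename with a space shows whether quoting survived.
    name = "/tmp/my file.txt"
    for template in ("less '%s'", "less %s"):
        cmd = expand_rule(template, name)
        print(f"{template!r:12} -> {cmd!r:30} -> argv {shell_argv(cmd)}")
```

With the `'%s'` rule the expanded command is `less ''/tmp/my file.txt''`, which sh splits into three words, so the filename is no longer one argument; with the plain `%s` rule the same filename reaches `less` intact. The checker can be pointed at the real /etc/mailcap by reading the file into `find_quoted_placeholders`.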