Your message dated Sat, 18 Feb 2023 19:32:08 +0000
with message-id <e1ptswk-009m9v...@fasolo.debian.org>
and subject line Bug#972146: fixed in mono 6.8.0.105+dfsg-3.3~deb11u1
has caused the Debian Bug report #972146,
regarding /usr/share/applications/mono-runtime-common.desktop: should not
handle MIME type by executing arbitrary code
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
972146: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=972146
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: mono-runtime-common
Version: 6.8.0.105+dfsg-3
Severity: important
File: /usr/share/applications/mono-runtime-common.desktop
Tags: security
X-Debbugs-Cc: Debian Security Team <t...@security.debian.org>
/usr/share/applications/mono-runtime-common.desktop and
/usr/share/applications/mono-runtime-terminal.desktop are registered
as freedesktop.org MIME handlers for the application/x-ms-dos-executable
MIME type. They run the executable under mono(1) without any further
prompting. This means that doing normal "open a document" actions
will result in arbitrary code execution with normal user privileges:
- follow a web link to a downloadable file and accept the browser's
offer to open it (mitigation: the user is prompted, and major
browsers might special-case application/x-ms-dos-executable as
particularly dangerous)
- follow a file:/// link in a non-web format that allows links, such
as PDF
- open an email attachment
- xdg-desktop-portal forwarding an "open file" action from a Flatpak
app (mitigation: this one involves user action to confirm which
app should be used to open the file)
I don't think this is *necessarily* a security vulnerability, as such
(everything is doing what it is designed to do), but in 2020 it seems
deeply inadvisable. In particular, web browsers, email clients, and
sandboxed app frameworks like Flatpak and Snap, which are not generally
aware of the specifics of particular MIME types, have little choice but
to assume that opening a file is not normally arbitrary code execution.
The analogous MIME handling in Wine was removed in 2013
(<https://bugs.debian.org/327262>).
I would expect that Mono would either not handle
application/x-ms-dos-executable, or handle it with an application
that shows a "this is probably dangerous, are you sure?" prompt
first (like Wine used to do). I would personally prefer it
to not handle application/x-ms-dos-executable at all, due to
<https://en.wikipedia.org/wiki/Dancing_pigs>.
This was brought to my attention by a commit in GNOME's evince PDF
viewer which removes its "launch action" feature (part of the PDF spec,
but in practice mostly used by Windows malware) as a form of security
hardening. See <https://gitlab.gnome.org/GNOME/evince/-/issues/1333>
(I'm preparing an upload with the change referenced there), which uses
mono in its proof-of-concept.
Mitigation: GNOME users will find that org.gnome.FileRoller.desktop is a
preferred handler for application/x-ms-dos-executable. It isn't clear to
me how useful this really is (opening an executable as a zip-like archive
with "filenames" like .text and .bss seems more like a proof-of-concept
than something people would genuinely use) but at least it's harmless.
MATE's equivalent (fork?) of file-roller, engrampa, does the same.
Another mitigation: I was surprised to find that gnome-games-app also
associates itself with application/x-ms-dos-executable, alongside lots
of ROM formats (presumably so it can offer to run them in a sandbox
environment with Dosbox). This is hopefully OK, because gnome-games-app
hopefully has a lot more prompting and sandboxing than a general-purpose
program interpreter.
smcv
--- End Message ---
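The report above describes the mechanism at the freedesktop.org level: a .desktop file lists a MIME type in its MimeType= key, and whatever its Exec= line names receives the file when the user "opens" it. The following is an added example, not code from the bug report or from the mono package: it audits a directory of .desktop files for handlers claiming application/x-ms-dos-executable, flags the ones whose Exec= program is a general-purpose interpreter, and emits the [Removed Associations] stanza from the mime-apps specification that un-registers them. The .desktop contents are constructed to resemble the handlers the report names; the real files' Exec= lines and the interpreter list are assumptions.

```python
"""Audit which freedesktop.org .desktop handlers claim a MIME type and build
the ~/.config/mimeapps.list stanza that un-registers the dangerous ones.
Added example for this bug report; the .desktop contents are constructed
(the Exec lines of the real mono-runtime-*.desktop files are an assumption).
"""
import configparser
import os
import tempfile

MIME = "application/x-ms-dos-executable"
# Programs that execute the "document" they are handed (heuristic; assumption).
INTERPRETERS = {"mono", "wine"}

# Constructed sample handlers, not the real files shipped by Debian.
SAMPLE_DESKTOP_FILES = {
    "mono-runtime-common.desktop":
        "[Desktop Entry]\nType=Application\nName=Mono Runtime\n"
        "Exec=mono %f\nMimeType=application/x-ms-dos-executable;\n",
    "org.gnome.FileRoller.desktop":
        "[Desktop Entry]\nType=Application\nName=Archive Manager\n"
        "Exec=file-roller %U\n"
        "MimeType=application/zip;application/x-ms-dos-executable;\n",
    "org.gnome.Evince.desktop":
        "[Desktop Entry]\nType=Application\nName=Document Viewer\n"
        "Exec=evince %U\nMimeType=application/pdf;\n",
}


def _ini(text):
    """Parse .desktop / mimeapps.list syntax; keys are case-sensitive."""
    cp = configparser.RawConfigParser(strict=False)
    cp.optionxform = str
    cp.read_string(text)
    return cp


def parse_desktop_entry(text):
    """Return the [Desktop Entry] group of a .desktop file as a dict."""
    cp = _ini(text)
    return dict(cp.items("Desktop Entry")) if cp.has_section("Desktop Entry") else {}


def mime_types(entry):
    return [m for m in entry.get("MimeType", "").split(";") if m]


def exec_program(entry):
    """First word of Exec=, i.e. the program that receives the opened file."""
    words = entry.get("Exec", "").split()
    return words[0] if words else ""


def handlers_for(mime, desktop_dir):
    """Map desktop-file ID -> Exec program for every handler claiming `mime`."""
    found = {}
    for name in sorted(os.listdir(desktop_dir)):
        if not name.endswith(".desktop"):
            continue
        with open(os.path.join(desktop_dir, name), encoding="utf-8") as fh:
            entry = parse_desktop_entry(fh.read())
        if mime in mime_types(entry):
            found[name] = exec_program(entry)
    return found


def removed_associations(mime, desktop_ids):
    """mimeapps.list stanza that un-registers desktop_ids for `mime`."""
    return "[Removed Associations]\n%s=%s\n" % (mime, "".join(i + ";" for i in desktop_ids))


def effective_handlers(mime, desktop_dir, mimeapps_text):
    """Handlers that survive a mimeapps.list's [Removed Associations]."""
    cp = _ini(mimeapps_text)
    removed = set()
    if cp.has_option("Removed Associations", mime):
        removed = {d for d in cp.get("Removed Associations", mime).split(";") if d}
    return [d for d in handlers_for(mime, desktop_dir) if d not in removed]


def demo():
    """Write the constructed samples to a temp dir and audit them."""
    with tempfile.TemporaryDirectory() as d:
        for name, text in SAMPLE_DESKTOP_FILES.items():
            with open(os.path.join(d, name), "w", encoding="utf-8") as fh:
                fh.write(text)
        claimants = handlers_for(MIME, d)
        risky = [i for i, prog in claimants.items() if prog in INTERPRETERS]
        stanza = removed_associations(MIME, risky)
        remaining = effective_handlers(MIME, d, stanza)
    return {"claimants": claimants, "risky": risky,
            "stanza": stanza, "remaining": remaining}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

On a real system, point handlers_for at /usr/share/applications and ~/.local/share/applications, append the generated stanza to ~/.config/mimeapps.list, and confirm with `xdg-mime query default application/x-ms-dos-executable` that no interpreter is the default. The sample scans a single directory; a full audit has to walk every directory in XDG_DATA_DIRS and honour the precedence rules for the several mimeapps.list files the spec allows.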
--- Begin Message ---
Source: mono
Source-Version: 6.8.0.105+dfsg-3.3~deb11u1
Done: Salvatore Bonaccorso <car...@debian.org>
We believe that the bug you reported is fixed in the latest version of
mono, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 972...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Salvatore Bonaccorso <car...@debian.org> (supplier of updated mono package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Fri, 17 Feb 2023 06:30:39 +0100
Source: mono
Architecture: source
Version: 6.8.0.105+dfsg-3.3~deb11u1
Distribution: bullseye
Urgency: medium
Maintainer: Debian Mono Group <pkg-mono-gr...@lists.alioth.debian.org>
Changed-By: Salvatore Bonaccorso <car...@debian.org>
Closes: 972146
Changes:
mono (6.8.0.105+dfsg-3.3~deb11u1) bullseye; urgency=medium
.
* Rebuild for bullseye
.
mono (6.8.0.105+dfsg-3.3) unstable; urgency=medium
.
* Non-maintainer upload.
* Revert "Added desktop file for mono with and without a terminal window"
(Closes: #972146)
Checksums-Sha1:
 d299482a99e07ddf029a7af708349fbe7ce2c298 19828 mono_6.8.0.105+dfsg-3.3~deb11u1.dsc
 a1384f42844a91fe0694a53294b7ad80602b5a98 136612 mono_6.8.0.105+dfsg-3.3~deb11u1.debian.tar.xz
 391ef1d5d5fed5e5d8eaf70723ea44ef2f3fc19a 8639 mono_6.8.0.105+dfsg-3.3~deb11u1_source.buildinfo
Checksums-Sha256:
 c80858ad5831da11c1d2f41d737d98ad1799837a03c736b02b2ff971e908a853 19828 mono_6.8.0.105+dfsg-3.3~deb11u1.dsc
 ead2d8f25eee6a9583e2d721cf5f1798ef8620b1f7c5d335ee825669a63e74b8 136612 mono_6.8.0.105+dfsg-3.3~deb11u1.debian.tar.xz
 ad5250a2be26d40c9673a449ba04c016716de0eee8bd0e2db9aa2ffcfa38114e 8639 mono_6.8.0.105+dfsg-3.3~deb11u1_source.buildinfo
Files:
 59881fe1fbb0d47eee63b9cad4bb49a3 19828 cli-mono optional mono_6.8.0.105+dfsg-3.3~deb11u1.dsc
 07164271ff2a0471649877da2eea4801 136612 cli-mono optional mono_6.8.0.105+dfsg-3.3~deb11u1.debian.tar.xz
 97a141996471fbd9db3d6716550928ae 8639 cli-mono optional mono_6.8.0.105+dfsg-3.3~deb11u1_source.buildinfo
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---