Your message dated Sat, 13 May 2023 02:33:57 +0000
with message-id <e1pxf53-001aa5...@fasolo.debian.org>
and subject line Bug#1034875: fixed in kitty 0.26.5-5
has caused the Debian Bug report #1034875,
regarding kitty: Should not handle application/x-sh mime type by executing the script
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1034875: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1034875
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: kitty
Version: 0.26.5-4
Severity: serious
Tags: security
X-Debbugs-Cc: Debian Security Team <t...@security.debian.org>

Hello,

I was reading https://lists.debian.org/20230425190728.ga1471...@subdivi.de
in mutt and that mail contains 3 shell scripts as attachments
(application/x-sh). I wanted to have a look at the scripts and thus I
"opened" those attachments... that open operation has been handled by
Kitty due to its MimeType declaration in
/usr/share/applications/kitty-open.desktop [1] and the shell script has
thus been fed to "kitty +open <script>", which actually executed the
script.

Executing the script as the default open action is IMO a very bad idea
because what you get by email is largely not to be trusted, so I would
suggest that kitty be modified to not execute scripts in its URL
launcher mode (or that it get some interactive confirmation from the
user before executing it).

In the meantime, it's probably a good idea to drop
"application/x-sh;application/x-shellscript" from the list of supported
MIME types to limit the risk. (I assume that even with "text/plain" and a
.sh file extension or a shebang, kitty might still decide to execute the
script... so the issue is not entirely fixed, but it reduces the number of
cases where "kitty +open" is invoked on shell scripts.)

Thank you for your work on kitty!

[1] Extract of /usr/share/applications/kitty-open.desktop:
Comment=Open URLs with kitty
Exec=kitty +open %U
MimeType=image/*;application/x-sh;application/x-shellscript;inode/directory;text/*;x-scheme-handler/kitty;

-- System Information:
Debian Release: 12.0
  APT prefers stable-security
  APT policy: (500, 'stable-security'), (500, 'unstable'), (500, 'testing'), (500, 'stable'), (500, 'oldstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 6.0.0-6-amd64 (SMP w/16 CPU threads; PREEMPT)
Kernel taint flags: TAINT_WARN
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages kitty depends on:
ii  kitty-shell-integration  0.26.5-4
ii  kitty-terminfo           0.26.5-4
ii  libc6                    2.36-9
ii  libdbus-1-3              1.14.6-1
ii  libharfbuzz0b            6.0.0+dfsg-3
ii  liblcms2-2               2.14-2
ii  libpng16-16              1.6.39-2
ii  libpython3.11            3.11.2-6
ii  librsync2                2.3.2-1+b1
ii  libssl3                  3.0.8-1
ii  libwayland-client0       1.21.0-1
ii  libx11-6                 2:1.8.4-2
ii  libx11-xcb1              2:1.8.4-2
ii  libxkbcommon-x11-0       1.5.0-1
ii  libxkbcommon0            1.5.0-1
ii  python3                  3.11.2-1+b1
ii  python3.11               3.11.2-6
ii  zlib1g                   1:1.2.13.dfsg-1

Versions of packages kitty recommends:
ii  kitty-doc     0.26.5-4
ii  libcanberra0  0.30-10

Versions of packages kitty suggests:
ii  imagemagick                      8:6.9.11.60+dfsg-1.6
ii  imagemagick-6.q16 [imagemagick]  8:6.9.11.60+dfsg-1.6

-- no debconf information

-- 
Raphaël Hertzog

--- End Message ---
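An added example (not Debian's or kitty's code) that audits a .desktop entry for script MIME types, including the ones it claims indirectly through wildcards such as text/*, which is the residual case the report above worries about. The SCRIPT_MIME list is an assumption about which types denote shell scripts; the sample entry is the extract quoted in the report.

```python
"""Audit a freedesktop .desktop entry for MIME types that denote scripts.

Added example, not Debian's or kitty's code. An entry whose Exec runs a
file rather than viewing it should not claim script MIME types, directly
or via wildcards.
"""
from configparser import ConfigParser
from fnmatch import fnmatch

# Assumption: MIME types that the shared-mime-info database assigns to
# shell scripts (text/x-shellscript is the canonical one; the application/*
# names are what the kitty entry registered).
SCRIPT_MIME = (
    "application/x-sh",
    "application/x-shellscript",
    "text/x-shellscript",
)

# Constructed sample: the kitty-open.desktop extract quoted in the report.
KITTY_OPEN_DESKTOP = """\
[Desktop Entry]
Comment=Open URLs with kitty
Exec=kitty +open %U
MimeType=image/*;application/x-sh;application/x-shellscript;inode/directory;text/*;x-scheme-handler/kitty;
"""


def mime_patterns(desktop_text):
    """Return the MimeType patterns declared by a .desktop entry."""
    cp = ConfigParser(interpolation=None)  # '%U' must not be interpolated
    cp.read_string(desktop_text)
    raw = cp.get("Desktop Entry", "MimeType", fallback="")
    return [p for p in raw.split(";") if p]


def script_types_claimed(desktop_text):
    """Map each script MIME type to the pattern(s) in the entry that claim it.

    Wildcards are expanded, so text/* is reported as claiming
    text/x-shellscript even though the entry never names that type.
    """
    patterns = mime_patterns(desktop_text)
    claimed = {}
    for mime in SCRIPT_MIME:
        hits = [p for p in patterns if fnmatch(mime, p)]
        if hits:
            claimed[mime] = hits
    return claimed


if __name__ == "__main__":
    for mime, via in script_types_claimed(KITTY_OPEN_DESKTOP).items():
        print(f"{mime}: handled via {', '.join(via)}")
```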
--- Begin Message ---
Source: kitty
Source-Version: 0.26.5-5
Done: James McCoy <james...@debian.org>

We believe that the bug you reported is fixed in the latest version of
kitty, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1034...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
James McCoy <james...@debian.org> (supplier of updated kitty package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 12 May 2023 21:46:07 -0400
Source: kitty
Architecture: source
Version: 0.26.5-5
Distribution: unstable
Urgency: high
Maintainer: James McCoy <james...@debian.org>
Changed-By: James McCoy <james...@debian.org>
Closes: 1034875
Changes:
 kitty (0.26.5-5) unstable; urgency=high
 .
   * Ship kitty-open.desktop as an example, instead of under
     /usr/share/applications.  This avoids registering kitty as a handler for
     various MIME types, which could cause it to execute untrusted files,
     instead of viewing them. (Closes: #1034875)


--- End Message ---
