
Bug#987422: marked as done (caca-utils has mailcap entries with quoted %-escapes)



Your message dated Sun, 05 Jun 2022 11:04:20 +0000
with message-id <E1nxo3Q-00027d-NF@fasolo.debian.org>
and subject line Bug#987422: fixed in libcaca 0.99.beta19-4
has caused the Debian Bug report #987422,
regarding caca-utils has mailcap entries with quoted %-escapes
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
987422: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=987422
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: caca-utils
Version: 0.99.beta19-2.2
Tags: patch, security

Dear Maintainer,
the caca-utils package has mailcap entries with quoted %-escapes. That is considered unsafe. Proper escaping should be left to the programs using the entry.

This Lintian tag is triggered:
https://lintian.debian.org/tags/quoted-placeholder-in-mailcap-entry.html

See also grave bug #930908, which was recently closed because "a Lintian test already exists":
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=930908

I'm using the "security" tag because the affected rules in combination with certain mail user agents (or document openers) are the cause of a shell command injection vulnerability.

If you need more information let me know.

Thanks,
MNZ
diff -ru a/debian/caca-utils.mime b/debian/caca-utils.mime
--- a/debian/caca-utils.mime	2021-03-10 14:59:27.000000000 +0100
+++ b/debian/caca-utils.mime	2021-04-23 18:46:35.794788587 +0200
@@ -1,45 +1,45 @@
-image/gif; /usr/bin/cacaview '%s'; description=GIF Image; nametemplate=%s.gif; test=test -n "$DISPLAY"; priority=1
-image/gif; unset DISPLAY\; /usr/bin/cacaview '%s'; description=GIF Image; nametemplate=%s.gif; needsterminal; priority=1
+image/gif; /usr/bin/cacaview %s; description=GIF Image; nametemplate=%s.gif; test=test -n "$DISPLAY"; priority=1
+image/gif; unset DISPLAY\; /usr/bin/cacaview %s; description=GIF Image; nametemplate=%s.gif; needsterminal; priority=1

-image/jpeg; /usr/bin/cacaview '%s'; description=JPEG Image; nametemplate=%s.jpg; test=test -n "$DISPLAY"; priority=1
-image/jpeg; unset DISPLAY\; /usr/bin/cacaview '%s'; description=JPEG Image; nametemplate=%s.jpg; needsterminal; priority=1
+image/jpeg; /usr/bin/cacaview %s; description=JPEG Image; nametemplate=%s.jpg; test=test -n "$DISPLAY"; priority=1
+image/jpeg; unset DISPLAY\; /usr/bin/cacaview %s; description=JPEG Image; nametemplate=%s.jpg; needsterminal; priority=1

-image/png; /usr/bin/cacaview '%s'; description=PNG Image; nametemplate=%s.png; test=test -n "$DISPLAY"; priority=1
-image/png; unset DISPLAY\; /usr/bin/cacaview '%s'; description=PNG Image; nametemplate=%s.png; needsterminal; priority=1
+image/png; /usr/bin/cacaview %s; description=PNG Image; nametemplate=%s.png; test=test -n "$DISPLAY"; priority=1
+image/png; unset DISPLAY\; /usr/bin/cacaview %s; description=PNG Image; nametemplate=%s.png; needsterminal; priority=1

-image/tiff; /usr/bin/cacaview '%s'; description=TIFF Image; nametemplate=%s.tiff; test=test -n "$DISPLAY"; priority=1
-image/tiff; unset DISPLAY\; /usr/bin/cacaview '%s'; description=TIFF Image; nametemplate=%s.tiff; needsterminal; priority=1
+image/tiff; /usr/bin/cacaview %s; description=TIFF Image; nametemplate=%s.tiff; test=test -n "$DISPLAY"; priority=1
+image/tiff; unset DISPLAY\; /usr/bin/cacaview %s; description=TIFF Image; nametemplate=%s.tiff; needsterminal; priority=1

-image/bmp; /usr/bin/cacaview '%s'; description=BMP Image; nametemplate=%s.bmp; test=test -n "$DISPLAY"; priority=1
-image/bmp; unset DISPLAY\; /usr/bin/cacaview '%s'; description=BMP Image; nametemplate=%s.bmp; needsterminal; priority=1
+image/bmp; /usr/bin/cacaview %s; description=BMP Image; nametemplate=%s.bmp; test=test -n "$DISPLAY"; priority=1
+image/bmp; unset DISPLAY\; /usr/bin/cacaview %s; description=BMP Image; nametemplate=%s.bmp; needsterminal; priority=1

-image/x-ms-bmp; /usr/bin/cacaview '%s'; description=BMP Image; nametemplate=%s.bmp; test=test -n "$DISPLAY"; priority=1
-image/x-ms-bmp; unset DISPLAY\; /usr/bin/cacaview '%s'; description=BMP Image; nametemplate=%s.bmp; needsterminal; priority=1
+image/x-ms-bmp; /usr/bin/cacaview %s; description=BMP Image; nametemplate=%s.bmp; test=test -n "$DISPLAY"; priority=1
+image/x-ms-bmp; unset DISPLAY\; /usr/bin/cacaview %s; description=BMP Image; nametemplate=%s.bmp; needsterminal; priority=1

-image/x-cmu-raster; /usr/bin/cacaview '%s'; description=CMU-RasterFile Image; nametemplate=%s.ras; test=test -n "$DISPLAY"; priority=1
-image/x-cmu-raster; unset DISPLAY\; /usr/bin/cacaview '%s'; description=CMU-RasterFile Image; nametemplate=%s.ras; needsterminal; priority=1
+image/x-cmu-raster; /usr/bin/cacaview %s; description=CMU-RasterFile Image; nametemplate=%s.ras; test=test -n "$DISPLAY"; priority=1
+image/x-cmu-raster; unset DISPLAY\; /usr/bin/cacaview %s; description=CMU-RasterFile Image; nametemplate=%s.ras; needsterminal; priority=1

-image/g3fax; /usr/bin/cacaview '%s'; description=G3-FAX Image; nametemplate=%s.g3; test=test -n "$DISPLAY"; priority=1
-image/g3fax; unset DISPLAY\; /usr/bin/cacaview '%s'; description=G3-FAX Image; nametemplate=%s.g3; needsterminal; priority=1
+image/g3fax; /usr/bin/cacaview %s; description=G3-FAX Image; nametemplate=%s.g3; test=test -n "$DISPLAY"; priority=1
+image/g3fax; unset DISPLAY\; /usr/bin/cacaview %s; description=G3-FAX Image; nametemplate=%s.g3; needsterminal; priority=1

-image/targa; /usr/bin/cacaview '%s'; description=TARGA Image; nametemplate=%s.tga; test=test -n "$DISPLAY"; priority=1
-image/targa; unset DISPLAY\; /usr/bin/cacaview '%s'; description=TARGA Image; nametemplate=%s.tga; needsterminal; priority=1
+image/targa; /usr/bin/cacaview %s; description=TARGA Image; nametemplate=%s.tga; test=test -n "$DISPLAY"; priority=1
+image/targa; unset DISPLAY\; /usr/bin/cacaview %s; description=TARGA Image; nametemplate=%s.tga; needsterminal; priority=1

-image/x-portable-bitmap; /usr/bin/cacaview '%s'; description=PBM Image; nametemplate=%s.pbm; test=test -n "$DISPLAY"; priority=1
-image/x-portable-bitmap; unset DISPLAY\; /usr/bin/cacaview '%s'; description=PBM Image; nametemplate=%s.pbm; needsterminal; priority=1
+image/x-portable-bitmap; /usr/bin/cacaview %s; description=PBM Image; nametemplate=%s.pbm; test=test -n "$DISPLAY"; priority=1
+image/x-portable-bitmap; unset DISPLAY\; /usr/bin/cacaview %s; description=PBM Image; nametemplate=%s.pbm; needsterminal; priority=1

-image/x-portable-graymap; /usr/bin/cacaview '%s'; description=PGM Image; nametemplate=%s.pgm; test=test -n "$DISPLAY"; priority=1
-image/x-portable-graymap; unset DISPLAY\; /usr/bin/cacaview '%s'; description=PGM Image; nametemplate=%s.pgm; needsterminal; priority=1
+image/x-portable-graymap; /usr/bin/cacaview %s; description=PGM Image; nametemplate=%s.pgm; test=test -n "$DISPLAY"; priority=1
+image/x-portable-graymap; unset DISPLAY\; /usr/bin/cacaview %s; description=PGM Image; nametemplate=%s.pgm; needsterminal; priority=1

-image/x-portable-anymap; /usr/bin/cacaview '%s'; description=PNM Image; nametemplate=%s.pnm; test=test -n "$DISPLAY"; priority=1
-image/x-portable-anymap; unset DISPLAY\; /usr/bin/cacaview '%s'; description=PNM Image; nametemplate=%s.pnm; needsterminal; priority=1
+image/x-portable-anymap; /usr/bin/cacaview %s; description=PNM Image; nametemplate=%s.pnm; test=test -n "$DISPLAY"; priority=1
+image/x-portable-anymap; unset DISPLAY\; /usr/bin/cacaview %s; description=PNM Image; nametemplate=%s.pnm; needsterminal; priority=1

-image/x-portable-pixmap; /usr/bin/cacaview '%s'; description=PPM Image; nametemplate=%s.ppm; test=test -n "$DISPLAY"; priority=1
-image/x-portable-pixmap; unset DISPLAY\; /usr/bin/cacaview '%s'; description=PPM Image; nametemplate=%s.ppm; needsterminal; priority=1
+image/x-portable-pixmap; /usr/bin/cacaview %s; description=PPM Image; nametemplate=%s.ppm; test=test -n "$DISPLAY"; priority=1
+image/x-portable-pixmap; unset DISPLAY\; /usr/bin/cacaview %s; description=PPM Image; nametemplate=%s.ppm; needsterminal; priority=1

-image/x-rgb; /usr/bin/cacaview '%s'; description=RGB Image; nametemplate=%s.rgb; test=test -n "$DISPLAY"; priority=1
-image/x-rgb; unset DISPLAY\; /usr/bin/cacaview '%s'; description=RGB Image; nametemplate=%s.rgb; needsterminal; priority=1
+image/x-rgb; /usr/bin/cacaview %s; description=RGB Image; nametemplate=%s.rgb; test=test -n "$DISPLAY"; priority=1
+image/x-rgb; unset DISPLAY\; /usr/bin/cacaview %s; description=RGB Image; nametemplate=%s.rgb; needsterminal; priority=1

-image/x-xpixmap; /usr/bin/cacaview '%s'; description=XPM Image; nametemplate=%s.xpm; test=test -n "$DISPLAY"; priority=1
-image/x-xpixmap; unset DISPLAY\; /usr/bin/cacaview '%s'; description=XPM Image; nametemplate=%s.xpm; needsterminal; priority=1
+image/x-xpixmap; /usr/bin/cacaview %s; description=XPM Image; nametemplate=%s.xpm; test=test -n "$DISPLAY"; priority=1
+image/x-xpixmap; unset DISPLAY\; /usr/bin/cacaview %s; description=XPM Image; nametemplate=%s.xpm; needsterminal; priority=1


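Review bot: every view command now passes a bare %s (`/usr/bin/cacaview %s`, and `unset DISPLAY\; /usr/bin/cacaview %s` in the needsterminal variants), which is safe only when the program reading the mailcap entry escapes the substituted filename itself, and the patch records that reasoning nowhere. It touches only debian/caca-utils.mime, so add a debian/changelog entry that closes #987422 and states that quoting is deliberately left to the consumer, so that a later edit does not put the quotes back. The 30 changed lines are otherwise consistent, and the `test=test -n "$DISPLAY"` fields rightly keep their double quotes, since `$DISPLAY` is a shell variable and not a mailcap placeholder.
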
--- End Message ---
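
An added example, not part of the bug report or of the libcaca packaging: a Python check for the pattern the Lintian tag flags, plus a demonstration that the entry's own quotes cancel the escaping a careful consumer applies. The function names, the sample filename and the use of `shlex.quote` to model an escaping consumer are assumptions; the two sample entries are copied from the patch above.

```python
import re
import shlex

# Two lines from the patch: one removed (quoted %s), one added (bare %s).
SAMPLE = (
    "image/gif; /usr/bin/cacaview '%s'; description=GIF Image; "
    'nametemplate=%s.gif; test=test -n "$DISPLAY"; priority=1\n'
    "image/gif; unset DISPLAY\\; /usr/bin/cacaview %s; description=GIF Image; "
    "nametemplate=%s.gif; needsterminal; priority=1\n"
)
SHELL_KEYS = {"test", "compose", "composetyped", "edit", "print"}  # RFC 1524 command fields

def shell_commands(line):
    """Return the view command plus any field value that is run by a shell."""
    fields = [f.strip() for f in re.split(r"(?<!\\);", line)]  # '\;' is not a separator
    cmds = fields[1:2]
    for field in fields[2:]:
        key, sep, value = field.partition("=")
        if sep and key.strip() in SHELL_KEYS:
            cmds.append(value.strip())
    return cmds

def quoted_placeholders(command):
    """Offsets of %s / %t that sit inside '...' or "..." in a command string."""
    hits, quote, i = [], None, 0
    while i < len(command):
        c = command[i]
        if c == "\\" and quote != "'":      # backslash escapes the next char
            i += 2
            continue
        if quote is None and c in "'\"":
            quote = c
        elif c == quote:
            quote = None
        elif quote and c == "%" and command[i + 1:i + 2] in ("s", "t"):
            hits.append(i)
        i += 1
    return hits

def audit(text):
    """(line number, command) for each command holding a quoted placeholder."""
    return [(n, cmd)
            for n, line in enumerate(text.splitlines(), 1)
            if line.strip() and not line.lstrip().startswith("#")
            for cmd in shell_commands(line) if quoted_placeholders(cmd)]

def argv_seen_by_program(command, filename):
    """Expand %s as an escaping consumer does, then tokenise like a POSIX shell."""
    return shlex.split(command.replace("%s", shlex.quote(filename)))
```

With the quoted entry, a filename containing a space reaches the viewer as two arguments, because the consumer's quotes and the entry's quotes pair off and leave the name unquoted; with the patched entry it stays one argument.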
--- Begin Message ---
Source: libcaca
Source-Version: 0.99.beta19-4
Done: Jelmer Vernooij <jelmer@debian.org>

We believe that the bug you reported is fixed in the latest version of
libcaca, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 987422@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jelmer Vernooij <jelmer@debian.org> (supplier of updated libcaca package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 05 Jun 2022 11:39:12 +0100
Source: libcaca
Architecture: source
Version: 0.99.beta19-4
Distribution: unstable
Urgency: medium
Maintainer: Debian QA Group <packages@qa.debian.org>
Changed-By: Jelmer Vernooij <jelmer@debian.org>
Closes: 804330 987422
Changes:
 libcaca (0.99.beta19-4) unstable; urgency=medium
 .
   * QA upload.
 .
   [ Fabio Fantoni ]
   * QA upload.
   * Switch to use dh and bump compat to 13. (Closes: #804330)
   * d/control:
     - remove very old conflicts/replaces.
     - remove autotools-dev build-dep, no longer needed.
   * d/caca-utils.mime: remove quoted from placeholder in
     mailcap entries. (Closes: #987422) Thanks to Marriott NZ.
   * Update d/copyright.

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---