
Re: It's Time to Release

Brian White <bcwhite@pobox.com> writes:

> >  >For the next 7 days, new installs will be greatly restricted.  If it
> >  >doesn't fix a critical or grave bug, it doesn't go in.  If it does
> >  >anything _but_ fix a critical or grave bug, it may be rejected anyway.
> >  >Fixes to important bugs <33000 will be considered for installation,
> >  >but not any later ones.
> >
> > What do you think about the fix to the /etc/mailcap security bug in the
> > last mutt release? The same bug has been reported on bugtraq about PINE.
> > The author asked me to package it for frozen.
> My understanding of that bug is that it involves having back-tick
> expressions within the mailcap commands.  That needs to be addressed
> by whatever packages installed those rules.
> Since only root can install into the global rule list, I don't see
> this as a real problem.  Please let me know if I don't understand
> something about this.

After much wrangling about it, I've concluded that Brian's right -
applications shouldn't install entries into /etc/mailcap that contain
% expansions inside backticks.  Why?  Because there's really no good
way to deal with how backticks get escaped:

Scenario 1) Each backtick is replaced by \`
Well, then, suppose I have a rule which says:
lessvariant --charset='%{charset}' '%s'

Then, the lessvariant (which is a hypothetical variant of less that
takes a --charset option) will not actually get the real charset, but
will get the charset with an extra \ character in it.  Also, we can't
guarantee that binary-only programs (such as netscape) will update
their mailcap handling abilities.

Scenario 2) Each backtick-containing rule does something like:
test "`echo '%{charset}' | tr "[A-Z]" "[a-z]"`" = iso-8859-1

That is, enclose the offending % substitution in single quotes.  This
won't protect against things; try it yourself and see.

Scenario 3) Rewrite the offending /etc/mailcap rules.

This is possible.  The offending mailcap rules on my machine
(note it's not backquotes by themselves that are dangerous, but
backquotes containing a percent expansion) all involve:

test=test "`echo %{charset} | tr "[A-Z]" "[a-z]"`" = iso-8859-1 -a "$DISPLAY" != ""

Now, what we need to do is rewrite this:
test=perl -e 'lc(shift) eq "iso-8859-1" && $ENV{DISPLAY} || exit 1' '%{charset}'

Bye-bye backticks, and it even got shorter.  (Being able to rely on a
minimal perl being always installed is a wonderful thing)

By the way, the package that seems to install these lines is metamail.
