Re: It's Time to Release
Brian White <bcwhite@pobox.com> writes:
> > >For the next 7 days, now installs will be greatly restricted. If it
> > >doesn't fix a critical or grave bug, it doesn't go in. If it does
> > >anything _but_ fix a critical or grave bug, it may be rejected anyway.
> > >Fixes to important bugs <33000 will be considered for installation,
> > >but not any later ones.
> >
> > What do you think about the fix to the /etc/mailcap security bug in the
> > last mutt release? The same bug has been reported on bugtraq about PINE.
> > The author asked me to package it for frozen.
>
> My understanding of that bug is that it involves having back-tick
> expressions within the mailcap commands. That needs to be addressed
> by whatever packages installed those rules.
>
> Since only root can install into the global rule list, I don't see
> this as a real problem. Please let me know if I don't understand
> something about this.

After much wrangling about it, I've concluded that Brian's right -
applications shouldn't install entries into /etc/mailcap that contain
% expansions inside backticks. Why? Because there's really no good
way to deal with how backticks get escaped:

Scenario 1) Each backtick is replaced by \`

Well, then, suppose I have a rule which says:

    lessvariant --charset='%{charset}' '%s'

Then, the lessvariant (which is a hypothetical variant of less that
takes a --charset option) will not actually get the real charset, but
will get the charset with an extra \ character in it. Also, we can't
guarantee that binary-only programs (such as netscape) will update
their mailcap handling abilities.

Scenario 2) Each backtick-containing rule does something like:

    test "`echo '%{charset}' | tr "[A-Z]" "[a-z]"`" = iso-8859-1

That is, enclose the offending % substitution in single quotes. This
won't protect against things; try it yourself and see.

Scenario 3) Rewrite the offending /etc/mailcap rules.

This is possible. The offending mailcap rules on my machine
(note it's not backquotes by themselves that are dangerous, but
backquotes containing a percent expansion) all involve:

    test=test "`echo %{charset} | tr "[A-Z]" "[a-z]"`" = iso-8859-1 -a "$DISPLAY" != ""

Now, what we need to do is rewrite this:

    test=perl -e 'lc(shift) eq "iso-8859-1" && $ENV{DISPLAY} || exit 1' '%{charset}'

Bye-bye backticks, and it even got shorter. (Being able to rely on a
minimal perl being always installed is a wonderful thing.)

By the way, the package that seems to install these lines is metamail.
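
An added example, not part of the original message and not code from mutt, metamail or Debian: a small Python audit that flags mailcap fields in which a % expansion sits inside backticks, the pattern the message singles out. The sample entries are constructed; the two `test=` rules are taken from the message, while `less '%s'`, `demo-viewer` and the `x-demo` types are assumptions made for illustration.

```python
import re

# Mailcap expansions: %s, %t, %n, %F and %{param}; a backslash-escaped % is literal.
EXPANSION = re.compile(r'(?<!\\)%(?:[stnF]|\{[^}]+\})')
FIELD_SEP = re.compile(r'(?<!\\);')  # fields are split on unescaped semicolons

# Constructed sample. Rule 1 is the metamail-style test from the message,
# rule 2 its backtick-free rewrite, rule 3 has backticks but no % expansion,
# rule 4 (hypothetical viewer) spans a continuation line.
SAMPLE = r'''
# constructed mailcap fragment
text/plain; less '%s'; test=test "`echo %{charset} | tr "[A-Z]" "[a-z]"`" = iso-8859-1 -a "$DISPLAY" != ""
text/plain; less '%s'; test=perl -e 'lc(shift) eq "iso-8859-1" && $ENV{DISPLAY} || exit 1' '%{charset}'
text/x-demo; cat '%s'; test=test "`uname`" = Linux
application/x-demo; \
  demo-viewer "`basename %s`"
'''

def logical_lines(text):
    """Yield entries with comments and blanks dropped and continuations joined."""
    buf = ""
    for raw in text.splitlines():
        if not buf and (not raw.strip() or raw.lstrip().startswith("#")):
            continue
        if raw.endswith("\\"):
            buf += raw[:-1]
            continue
        yield buf + raw
        buf = ""
    if buf:
        yield buf

def audit(text):
    """Return (mime type, field name, backtick span) for each risky span."""
    findings = []
    for line in logical_lines(text):
        fields = [f.strip() for f in FIELD_SEP.split(line)]
        for i, field in enumerate(fields[1:]):
            name = "view" if i == 0 else field.split("=", 1)[0]
            # Odd-indexed pieces lie inside backticks; an unterminated
            # backtick is treated as open to end of field (conservative).
            for span in field.split("`")[1::2]:
                if EXPANSION.search(span):
                    findings.append((fields[0], name, span))
    return findings

if __name__ == "__main__":
    for mime, name, span in audit(SAMPLE):
        print(f"{mime}: {name} field expands inside backticks: `{span}`")
```

To check a real system, pass the contents of /etc/mailcap to `audit()` instead of `SAMPLE`.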