Re: It's Time to Release

To: debian-devel@lists.debian.org
Subject: Re: It's Time to Release
From: Daniel Martin <Daniel.Martin@jhu.edu>
Date: Mon, 15 Feb 1999 18:13:41 -0500
Message-id: <[🔎] 873e47z2e2.fsf@cush.dyn.ez-ip.net>
In-reply-to: Brian White's message of "Mon, 15 Feb 1999 09:31:37 -0500"
References: <36C7380A.752E31C4@pobox.com> <[🔎] 19990214221108.A3353@wonderland.linux.it> <[🔎] 36C82FC9.3B3FF157@pobox.com>

Brian White <bcwhite@pobox.com> writes:

> >  >For the next 7 days, now installs will be greatly restricted.  If it
> >  >doesn't fix a critical or grave bug, it doesn't go in.  If it does
> >  >anything _but_ fix a critical or grave bug, it may be rejected anyway.
> >  >Fixes to important bugs <33000 will be considered for installation,
> >  >but not any later ones.
> >
> > What do you think about the fix to the /etc/mailcap security bug in the
> > last mutt release? The same bug has been reported on bugtraq about PINE.
> > The author asked me to package it for frozen.
> 
> My understanding of that bug is that it involves having back-tick
> expressions within the mailcap commands.  That needs to be addressed
> by whatever packages installed those rules.
> 
> Since only root can install into the global rule list, I don't see
> this are a real problem.  Please let me know if I don't understand
> something about this.

After much wrangling about it, I've concluded that Brian's right -
applications shouldn't install entries into /etc/mailcap that contain
% expansions inside backticks.  Why?  Becuase there's really no good
way to deal with how backticks get escaped:

Scenario 1) Each backtick is replaced by \`
Well, then, suppose I have a rule which says:
lessvariant --charset='%{charset}' '%s'

Then, the lessvariant (which is a hypothetical variant of less that
takes a --charset option) will not actually get the real charset, but
will get the charset with an extra \ character in it.  Also, we can't
guarantee that binary-only programs (such as netscape) will update
their mailcap handling abilities.

Scenario 2) Each backtick-containing rule does something like:
test "`echo '%{charset}' | tr "[A-Z]" "[a-z]"`" = iso-8859-1

That is, enclose the offending % substitution in single quotes.  This
won't protect against things; try it yourself and see.

Scenario 3) Rewrite the offending /etc/mailcap rules.

This is possible.  The offending mailcap rules on my machine
(note it's not backquotes by themselves that are dangerous, but
backquotes containing a percent expansion) all involve:

test=test "`echo %{charset} | tr "[A-Z]" "[a-z]"`" = iso-8859-1 -a "$DISPLAY" != ""

Now, what we need to do is rewrite this:
test=perl -e 'lc(shift) eq "iso-8859-1" && $ENV{DISPLAY} || exit 1' '%{charset}'

Bye-bye backticks, and it even got shorter.  (Being able to rely on a
minimal perl being always installed is a wonderful thing)

By the way, the package that seems to install these lines is metamail.

Reply to:

References:
- Re: It's Time to Release
  - From: md@linux.it (Marco d'Itri)
- Re: It's Time to Release
  - From: Brian White <bcwhite@pobox.com>

Prev by Date: Re: sudo and cracklib
Next by Date: Re: How about irc-scripts? (Re: Themes - do we package them?)
Previous by thread: Re: It's Time to Release
Next by thread: Re: It's Time to Release
Index(es):
- Date
- Thread