Bug#987406: planner has mailcap entries with quoted %-escapes

To: submit@bugs.debian.org
Subject: Bug#987406: planner has mailcap entries with quoted %-escapes
From: Marriott NZ <marriott99@gmx.com>
Date: Fri, 23 Apr 2021 12:44:05 +0200
Message-id: <[🔎] trinity-831996d0-222c-4fa3-bdc1-40e8e7a44d39-1619174645041@3c-app-mailcom-bs11>
Reply-to: Marriott NZ <marriott99@gmx.com>, 987406@bugs.debian.org

Package: planner
Version: 0.14.6-9
Tags: patch, security

Dear Maintainer,
the planner package has mailcap entries with quoted %-escapes. That is considered unsafe. Proper escaping should be left to the programs using the entry.

This Lintian tag is triggered:
https://lintian.debian.org/tags/quoted-placeholder-in-mailcap-entry.html

See also grave bug #930908, which was recently closed because "a Lintian test already exists":
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=930908

I'm using the "security" tag because the affected rules in combination with certain mail user agents (or document openers) are the cause of a shell command injection vulnerability.

If you need more information let me know.

Thanks,
MNZ

diff -ru a/debian/planner.mime b/debian/planner.mime
--- a/debian/planner.mime	2013-04-09 09:17:18.000000000 +0200
+++ b/debian/planner.mime	2021-04-23 11:10:50.218473457 +0200
@@ -1 +1 @@
-application/x-planner; planner '%s'; edit=planner '%s'; description="Planner document"; test=test "$DISPLAY" != ""; nametemplate=%s.planner
+application/x-planner; planner %s; edit=planner %s; description="Planner document"; test=test "$DISPLAY" != ""; nametemplate=%s.planner

Reply to:

Prev by Date: PROGRAMME RÉSIDENTIEL D’EXCEPTION À MARRAKECH
Next by Date: Bug#987419: schroot: Incorrect mount/unmount binfmt handler sequence for start/stop schroot stages
Previous by thread: jigl is marked for autoremoval from testing
Next by thread: Bug#987419: schroot: Incorrect mount/unmount binfmt handler sequence for start/stop schroot stages
Index(es):
- Date
- Thread