Bug#774142: marked as done (unblock: mime-support/3.58)

[owner@bugs.debian.org (Debian Bug Tracking System)]

Your message dated Mon, 29 Dec 2014 17:50:59 +0000
with message-id <20141229175059.GA15483@lupin.home.powdarrmonkey.net>
and subject line Re: Bug#774142: unblock: mime-support/3.58
has caused the Debian Bug report #774142,
regarding unblock: mime-support/3.58
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
774142: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=774142
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems

--- Begin Message ---

• To: Debian Bug Tracking System <submit@bugs.debian.org>
• Subject: unblock: mime-support/3.58
• From: Charles Plessy <plessy@debian.org>
• Date: Mon, 29 Dec 2014 20:03:12 +0900
• Message-id: <[🔎] 20141229110312.1565.5798.reportbug@aqwa.igloo>

Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package mime-support to fix CVE-2014-0666 in Jessie.

unblock mime-support/3.58

Have a nice day,

    and a BIG THANK YOU for your outstanding work.

-- 
Charles Plessy
Tsurumi, Kanagawa, Japan

diff -Nru mime-support-3.57/debian/changelog mime-support-3.58/debian/changelog
--- mime-support-3.57/debian/changelog	2014-10-04 20:29:52.000000000 +0900
+++ mime-support-3.58/debian/changelog	2014-12-28 15:06:43.000000000 +0900
@@ -1,3 +1,17 @@
+mime-support (3.58) unstable; urgency=high
+
+  * CVE-2014-7209: run-mailcap shell command injection.
+    Thanks to Timothy D. Morgan for the report.
+
+  d156797 Escape file name also when not passed through %s.  This
+          avoids command injections using for instance semicolons.
+  b585022 Resolve file name to an absolute path to avoid injection of
+          command arguments with file names starting with dashes etc.
+          Use File::Spec to avoid race conditions with temporary files.
+          Thanks, Salvatore Bonaccorso for the patch.
+
+ -- Charles Plessy <plessy@debian.org>  Sun, 28 Dec 2014 14:45:59 +0900
+
 mime-support (3.57) unstable; urgency=medium
 
   * Media types added:
diff -Nru mime-support-3.57/run-mailcap mime-support-3.58/run-mailcap
--- mime-support-3.57/run-mailcap	2014-05-25 09:49:18.000000000 +0900
+++ mime-support-3.58/run-mailcap	2014-12-28 15:06:43.000000000 +0900
@@ -11,7 +11,7 @@
 
 use Encode qw(decode);
 use I18N::Langinfo qw(langinfo CODESET);
-
+use File::Spec;
 
 $debug=($ENV{RUN_MAILCAP_DEBUG} || 0);
 $norun=0;
@@ -469,27 +469,22 @@
         }
 
         if ($file ne "-") {
-            if ($comm =~ m/[^%]%s/) {
-                if (decode(langinfo(CODESET()), $file) =~ m![^[:alnum:],.:/@%^+=_-]!i) {
-                    $match =~ m/nametemplate=(.*?)\s*($|;)/;
-                    my $prefix = $1;
-                    my $linked = 0;
-                    while (!$linked) {
-                        $tmplink = TempFile($prefix);
-                        unlink($tmplink);
-                        if ($file =~ m!^/!) {
-                            $linked = symlink($file,$tmplink);
-                        } else {
-                            my $pwd = `/bin/pwd`;
-                            chomp($pwd);
-                            $linked = symlink("$pwd/$file",$tmplink);
-                        }
-                    }
-                    print STDERR " - filename contains shell meta-characters; aliased to '$tmplink'\n" if $debug;
-                    $comm =~ s/([^%])%s/$1$tmplink/g;
-                } else {
-                    $comm =~ s/([^%])%s/$1$file/g;
+            # Resolve file name to an absolute path
+            $file = File::Spec->rel2abs($file);
+            if (decode(langinfo(CODESET()), $file) =~ m![^[:alnum:],.:/@%^+=_-]!i) {
+                $match =~ m/nametemplate=(.*?)\s*($|;)/;
+                my $prefix = $1;
+                my $linked = 0;
+                while (!$linked) {
+                    $tmplink = TempFile($prefix);
+                    unlink($tmplink);
+                    $linked = symlink($file,$tmplink);
                 }
+                $file = $tmplink;
+                print STDERR " - filename contains shell meta-characters; aliased to '$tmplink'\n" if $debug;
+            }
+            if ($comm =~ m/[^%]%s/) {
+                $comm =~ s/([^%])%s/$1$file/g;
             } else {
                 if ($comm =~ m/\|/) {
                     $comm =~ s/\|/<\Q$file\E \|/;

--- End Message ---

--- Begin Message ---

• To: Charles Plessy <plessy@debian.org>, 774142-done@bugs.debian.org
• Subject: Re: Bug#774142: unblock: mime-support/3.58
• From: Jonathan Wiltshire <jmw@debian.org>
• Date: Mon, 29 Dec 2014 17:50:59 +0000
• Message-id: <20141229175059.GA15483@lupin.home.powdarrmonkey.net>
• In-reply-to: <[🔎] 20141229110312.1565.5798.reportbug@aqwa.igloo>
• References: <[🔎] 20141229110312.1565.5798.reportbug@aqwa.igloo>

On Mon, Dec 29, 2014 at 08:03:12PM +0900, Charles Plessy wrote:
> Please unblock package mime-support to fix CVE-2014-0666 in Jessie.
> 
> unblock mime-support/3.58

Unblocked.

Thanks,

-- 
Jonathan Wiltshire                                      jmw@debian.org
Debian Developer                         http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC  74C3 5394 479D D352 4C51

Attachment: signature.asc
Description: Digital signature

--- End Message ---