
Bug#982620: marked as done (texinfo has mailcap entries with quoted %-escapes)



Your message dated Sun, 04 Jul 2021 21:48:27 +0000
with message-id <E1m09yV-000HlE-MN@fasolo.debian.org>
and subject line Bug#982620: fixed in texinfo 6.8-1
has caused the Debian Bug report #982620,
regarding texinfo has mailcap entries with quoted %-escapes
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
982620: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=982620
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: texinfo
Version: 6.7.0.dfsg.2-6
Tags: patch, security

Dear Maintainer,
the texinfo package has mailcap entries with quoted %-escapes. That is considered unsafe. Proper escaping should be left to the programs using the entry.

The discussion dates back to 1999:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=33486
resulting in this Lintian tag (triggered by texinfo):
https://lintian.debian.org/tags/quoted-placeholder-in-mailcap-entry.html

See also grave bug #930908, which was recently closed because "a Lintian test already exists":
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=930908

Mutt and s-nail also agree:
http://www.mutt.org/doc/manual/#secure-mailcap
https://www.sdaoden.eu/code-nail.html#37

If you think this is not important because mailcap is old and in the process of being replaced with something better, believe me, I wish for it to be gone as soon as possible.
The problem is that we are still stuck with it:
1) the mime-support package has an install base of 99.36% (popcon), and there's no way to disable auto generation of /etc/mailcap, so everyone has the rules;
2) some popular and useful mailcap-aware programs still exist, but even if you wanted to avoid them there's no easy way for the user to be sure of doing so;
3) if a certain combination of mail user agent (or document opener) and mailcap rule is used, you can own a machine just by making the user open a malicious email, or a file with a malicious name.

RFC-1524 actually leaves quoting policy unspecified, which led to nearly 30 years of bad security around mailcap, but you can see it from the examples:
https://tools.ietf.org/html/rfc1524#page-11

If you need more information let me know.

Thanks,
MNZ
diff --git a/debian/info.mime b/debian/info.mime
index 41f0b1c..99826b8 100644
--- a/debian/info.mime
+++ b/debian/info.mime
@@ -1,7 +1,7 @@
-application/x-info; /usr/bin/info -f '%s'; needsterminal; description=GNU Info document
+application/x-info; /usr/bin/info -f %s; needsterminal; description=GNU Info document

 # ASCII text rendition, low priority.
 # Info prints messages Messages like "info: Writing node (foo.info.gz)..." to
 # stderr.  Discard them, though alas doing so also loses any genuine error
 # messages.  Is there a "quiet" option?
-application/x-info; /usr/bin/info --subnodes -o /dev/stdout -f '%s' 2>/dev/null; copiousoutput; description=GNU Info document; priority=1
+application/x-info; /usr/bin/info --subnodes -o /dev/stdout -f %s 2>/dev/null; copiousoutput; description=GNU Info document; priority=1

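Review bot: dropping the single quotes around %s in both changed lines is the right fix, because a consumer that already shell-quotes the substituted filename would otherwise end up with doubled quoting around it, while a consumer that does not quote gains no protection from the entry's own quotes; the second entry (`... -o /dev/stdout -f %s 2>/dev/null`) still has to be run through a shell because of the redirection, which is exactly the situation where the consumer's quoting of %s matters, so after this change it is worth confirming that the Lintian tag quoted-placeholder-in-mailcap-entry cited in the report no longer fires on debian/info.mime. Nit: the unchanged comment line `Info prints messages Messages like "info: Writing node (foo.info.gz)..." to` carries a doubled word that could be fixed while this file is being edited.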
--- End Message ---
--- Begin Message ---
Source: texinfo
Source-Version: 6.8-1
Done: Norbert Preining <norbert@preining.info>

We believe that the bug you reported is fixed in the latest version of
texinfo, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 982620@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Norbert Preining <norbert@preining.info> (supplier of updated texinfo package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Mon, 05 Jul 2021 06:21:00 +0900
Source: texinfo
Architecture: source
Version: 6.8-1
Distribution: experimental
Urgency: medium
Maintainer: Debian TeX maintainers <debian-tex-maint@lists.debian.org>
Changed-By: Norbert Preining <norbert@preining.info>
Closes: 982620
Changes:
 texinfo (6.8-1) experimental; urgency=medium
 .
   [ Marriott NZ <marriott99@gmx.com> ]
   * W: quoted-placeholder-in-mailcap-entry (Closes: #982620)
 .
   [ Norbert Preining ]
   * New upstream version 6.8
   * Adjust patches for new upstream.
   * Recode transition plan to UTF-8.
   * Override incorrect lintian error detection.
   * Drop unneeded autotools-dev B-D.
   * Override lintian warning.
   * Drop outdated make-orig-tar script
   * Disable failing test due to missing locales.
Checksums-Sha1:
 ce49977d74b54ce72d1dedf187fe8a569820f228 2042 texinfo_6.8-1.dsc
 ce3776715e655400485381b8ae94e34c5632e729 4961528 texinfo_6.8.orig.tar.xz
 6a641808c7b96313817411eaeefc61e7173473b4 265 texinfo_6.8.orig.tar.xz.asc
 85769d7013c50afbad20432b3b8e056ab8e16fc9 28100 texinfo_6.8-1.debian.tar.xz
 b8a180ce510dd0868d588cd63210198dcf6374bb 6165 texinfo_6.8-1_source.buildinfo
Checksums-Sha256:
 8ae214fca5482db5e1939b3187a9ee87f12c232d9a6b9f37a9bcde628a288b9f 2042 texinfo_6.8-1.dsc
 8eb753ed28bca21f8f56c1a180362aed789229bd62fff58bf8368e9beb59fec4 4961528 texinfo_6.8.orig.tar.xz
 741558a7aa943e779c14591835ef3045679abc210f0a6bc4b509cb621b4e9e20 265 texinfo_6.8.orig.tar.xz.asc
 4000a376e9f9768be683a87055fd224a594387c3f3a5599b95d42e116d9ba4b6 28100 texinfo_6.8-1.debian.tar.xz
 b2d21bdaaaf19f73b75a88859e68d8a5f6a3eb9ce784e0a21716fc4e9aa9d478 6165 texinfo_6.8-1_source.buildinfo
Files:
 0d5f212b8f70696e1caba3da58d0b88e 2042 doc standard texinfo_6.8-1.dsc
 a91b404e30561a5df803e6eb3a53be71 4961528 doc standard texinfo_6.8.orig.tar.xz
 2a16427120dedf65b151e966f753ee06 265 doc standard texinfo_6.8.orig.tar.xz.asc
 39ae82a82cf7fc670e1fe3c950de7a8b 28100 doc standard texinfo_6.8-1.debian.tar.xz
 06cad76ac72f3513868daeb4c57cb3fb 6165 doc standard texinfo_6.8-1_source.buildinfo

-----BEGIN PGP SIGNATURE-----

iQEzBAEBCgAdFiEE68ws0vrA2voQX53I2A4JsIcUAGYFAmDiKBAACgkQ2A4JsIcU
AGadJwf+PuYIoIAY9IqEM4J/a4aq8gQ0Da6C43LkrDKqBDO0asrnGMudaKj/H1Mg
jImbBgY4FgHVA9K5gvs046i88aWzlG1zXNJTdZct94MkJyYtDCw3hSUD+TnddxzM
od3RT1T9DqZy0aOHpJnVEiF6RJVUYM/37852tLJvqhHlHoaSwGGlrnuOfv3Uy9c5
m0DkyVK7f85ogy3N54Ii3eDpYaVlFOleg3h14KAEZd7oH162iu+GN5d86mPvJD6j
hUYVssMn/P0U2CE+Q+DF6CzUGN69e66MPXRttdPKpUoo33K0ZWciDag3KOb/9yMt
9JcnL5YlZwqygin1V72Sied4KHMA/g==
=8Try
-----END PGP SIGNATURE-----

--- End Message ---
