
Bug#982620: texinfo has mailcap entries with quoted %-escapes



Package: texinfo
Version: 6.7.0.dfsg.2-6
Tags: patch, security

Dear Maintainer,
the texinfo package has mailcap entries with quoted %-escapes. That is considered unsafe. Proper escaping should be left to the programs using the entry.

The discussion dates back to 1999:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=33486
resulting in this Lintian tag (triggered by texinfo):
https://lintian.debian.org/tags/quoted-placeholder-in-mailcap-entry.html

See also grave bug #930908, which was recently closed because "a Lintian test already exists":
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=930908

Mutt and s-nail also agree:
http://www.mutt.org/doc/manual/#secure-mailcap
https://www.sdaoden.eu/code-nail.html#37

If you think this is not important because mailcap is old and in the process of being replaced with something better, believe me I wish for it to be gone as soon as possible.
The problem is that we are still stuck with it:
1) the mime-support package has an install base of 99.36% (popcon), and there's no way to disable auto generation of /etc/mailcap, so everyone has the rules;
2) some popular and useful mailcap-aware programs still exist, but even if you wanted to avoid them there's no easy way for the user to be sure of doing so;
3) if a certain combination of mail user agent (or document opener) and mailcap rule is used, you can own a machine just by making the user open a malicious email, or a file with a malicious name.

RFC-1524 actually leaves quoting policy unspecified, which led to nearly 30 years of bad security around mailcap, but you can see it from the examples:
https://tools.ietf.org/html/rfc1524#page-11

If you need more information let me know.

Thanks,
MNZ
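
An added illustration of the report's point, not part of the original message or of texinfo, Lintian, or any mail client: a simplified check for %-escapes inside quotes in a mailcap command, plus a hypothetical consumer that shell-quotes the filename before substituting `%s`. The entries and the filename are constructed samples, and the function names are assumptions.

```python
import re
import shlex

# Constructed sample entries: the quoted and the bare form of the same rule.
QUOTED = "application/x-info; /usr/bin/info -f '%s'; needsterminal"
BARE = "application/x-info; /usr/bin/info -f %s; needsterminal"


def command_field(entry):
    """Return the view command (second field) of a mailcap entry."""
    fields = re.split(r"(?<!\\);", entry)  # split on unescaped ';'
    return fields[1].strip()


def quoted_placeholders(entry):
    """List %-escapes that sit inside '...' or "..." in the command."""
    cmd, quote, hits, i = command_field(entry), None, [], 0
    while i < len(cmd):
        ch = cmd[i]
        if ch == "\\" and quote != "'":  # backslash is literal inside '...'
            i += 2
            continue
        if quote is None and ch in "'\"":
            quote = ch                   # opening quote
        elif ch == quote:
            quote = None                 # closing quote
        elif ch == "%" and quote and i + 1 < len(cmd):
            hits.append(cmd[i:i + 2])    # placeholder found inside quotes
        i += 1
    return hits


def expand(entry, filename):
    """Hypothetical consumer: shell-quote the value, then substitute %s."""
    return command_field(entry).replace("%s", shlex.quote(filename))


def argv(entry, filename):
    """Words a POSIX shell would see after the consumer's expansion."""
    return shlex.split(expand(entry, filename))


if __name__ == "__main__":
    name = "my doc.info"  # constructed filename containing a space
    for label, entry in (("quoted", QUOTED), ("bare", BARE)):
        print(label, quoted_placeholders(entry), argv(entry, name))
```

With the bare entry the filename reaches `info` as one argument; with the quoted entry the entry's quotes cancel the consumer's quoting and the name is split into two words.
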
diff --git a/debian/info.mime b/debian/info.mime
index 41f0b1c..99826b8 100644
--- a/debian/info.mime
+++ b/debian/info.mime
@@ -1,7 +1,7 @@
-application/x-info; /usr/bin/info -f '%s'; needsterminal; description=GNU Info document
+application/x-info; /usr/bin/info -f %s; needsterminal; description=GNU Info document

 # ASCII text rendition, low priority.
 # Info prints messages Messages like "info: Writing node (foo.info.gz)..." to
 # stderr.  Discard them, though alas doing so also loses any genuine error
 # messages.  Is there a "quiet" option?
-application/x-info; /usr/bin/info --subnodes -o /dev/stdout -f '%s' 2>/dev/null; copiousoutput; description=GNU Info document; priority=1
+application/x-info; /usr/bin/info --subnodes -o /dev/stdout -f %s 2>/dev/null; copiousoutput; description=GNU Info document; priority=1
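
Review bot: Both rewritten entries in this hunk leave %s bare with no comment saying that this is deliberate, and the existing comment block above the second entry only covers the stderr redirection. Add a one-line comment at the top of debian/info.mime stating that %s must stay unquoted because the program reading the entry does the escaping, so the quotes are not put back by a later cleanup. The patch also touches only debian/info.mime; a debian/changelog entry closing the bug would be expected with it. While the file is being edited, the context line "Info prints messages Messages like" has a duplicated word that could be fixed.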
