Package: mailutils
Version: 1:3.1.1-1
Severity: normal
Dear Maintainer,
My auto-generated /etc/mailcap has a rule like this:
text/html; /usr/bin/w3m -I %{charset} -dump -T text/html %s
so I sent an e-mail to myself, containing this header:
Content-Type: text/html; charset="$(rm -rf ~/*)"
then I opened the message with mailutils 'mail', using the 'dec' command to
display the html via mailcap, and the injected 'rm' was executed.
Even if the mailcap rule had quotes (-I '%{charset}'), the injection would
still be possible in other ways (e.g. charset="' & rm -rf ~/* '").
I think the only solution is to filter out *any* shell-special punctuation from
the replacement of any mailcap %-escape.
Doing this can alter some valid strings, for example %{name}, but there is no
way around it; it's just an irreparable flaw of the mailcap(5) format.
-- System Information:
Debian Release: 9.8
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 4.9.0-8-amd64 (SMP w/1 CPU core)
Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE=C.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages mailutils depends on:
ii guile-2.0-libs 2.0.13+1-4
ii libc6 2.24-11+deb9u4
ii libfribidi0 0.19.7-1+b1
ii libgc1c2 1:7.4.2-8
ii libgnutls30 3.5.8-5+deb9u4
ii libgsasl7 1.8.0-8+b2
ii libkyotocabinet16v5 1.2.76-4.2+b1
ii libldap-2.4-2 2.4.44+dfsg-5+deb9u2
ii libmailutils5 1:3.1.1-1
ii libncurses5 6.0+20161126-1+deb9u2
ii libpam0g 1.1.8-3.6
ii libpython2.7 2.7.13-2+deb9u3
ii libreadline7 7.0-3
ii libtinfo5 6.0+20161126-1+deb9u2
ii libwrap0 7.6.q-26
ii mailutils-common 1:3.1.1-1
ii postfix [mail-transport-agent] 3.1.9-0+deb9u2
mailutils recommends no packages.
Versions of packages mailutils suggests:
pn mailutils-doc <none>
pn mailutils-mh <none>
-- no debconf information
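A runnable illustration of the expansion the report describes (naive textual
substitution of %{charset} into a command line that is handed to /bin/sh -c) next
to the whitelist filter the reporter proposes. This is an added example, not code
from mailutils or from the bug report: the echo-based viewer rules, the payloads
(touch standing in for rm -rf), the temporary-directory marker and the helper
names (filter_param, expand_naive, expand_filtered, demo) are all constructed for
the demonstration.

```python
"""Mailcap %-escape injection: naive substitution vs. a whitelist filter on
parameter values. Added example; not mailutils code. Rules, payloads and
helper names are constructed for the demonstration."""
import os
import re
import shlex
import subprocess
import tempfile

# Constructed stand-ins for the reporter's w3m rule: a viewer that only echoes
# its arguments, once with the %{charset} escape bare and once single-quoted.
RULE_BARE = "echo charset=%{charset} file=%s"
RULE_QUOTED = "echo charset='%{charset}' file=%s"

# Characters a Content-Type parameter value may keep. Everything else
# (quotes, $, (, ), &, |, ;, whitespace, ...) is dropped before substitution.
SAFE_PARAM_CHARS = re.compile(r"[A-Za-z0-9._+-]")
ESCAPE = re.compile(r"%\{([^}]*)\}")


def filter_param(value):
    """Whitelist filter: keep only characters that are harmless on an sh line."""
    return "".join(ch for ch in value if SAFE_PARAM_CHARS.match(ch))


def expand_naive(rule_cmd, params, filename):
    """Textual substitution of %{name} and %s, as the report describes it."""
    cmd = ESCAPE.sub(lambda m: params.get(m.group(1), ""), rule_cmd)
    return cmd.replace("%s", filename)


def expand_filtered(rule_cmd, params, filename):
    """Same expansion, but every %{name} value goes through filter_param first.
    %s is program-controlled (a file the MUA wrote), so shell quoting suffices."""
    cmd = ESCAPE.sub(lambda m: filter_param(params.get(m.group(1), "")), rule_cmd)
    return cmd.replace("%s", shlex.quote(filename))


def demo(expand, rule_cmd, payload_template):
    """Expand the rule with an attacker-chosen charset and run it via /bin/sh -c,
    the way mailcap consumers run viewer commands. A marker file appearing means
    the injected 'touch' ran (stand-in for the report's rm -rf)."""
    with tempfile.TemporaryDirectory() as d:
        body = os.path.join(d, "msg.html")
        with open(body, "w") as fh:
            fh.write("<p>hello</p>\n")
        marker = os.path.join(d, "pwned")
        params = {"charset": payload_template.format(marker=marker)}
        cmd = expand(rule_cmd, params, body)
        proc = subprocess.run(["/bin/sh", "-c", cmd], cwd=d,
                              capture_output=True, text=True)
        return {
            "command": cmd,
            "stdout": proc.stdout.strip(),
            "injected_command_ran": os.path.exists(marker),
        }


# The two payload shapes from the report, with touch in place of rm -rf.
PAYLOAD_BARE = "$(touch {marker})"         # for the bare %{charset}
PAYLOAD_QUOTED = "' & touch {marker} '"    # breaks out of '%{charset}'

if __name__ == "__main__":
    for name, rule, payload in [("bare", RULE_BARE, PAYLOAD_BARE),
                                ("quoted", RULE_QUOTED, PAYLOAD_QUOTED)]:
        for label, expand in [("naive", expand_naive),
                              ("filtered", expand_filtered)]:
            r = demo(expand, rule, payload)
            print(f"{name:6} {label:8} ran={r['injected_command_ran']}  "
                  f"sh -c {r['command']}")
```

Running it shows the quoted rule does not help the naive expander (the payload
simply closes the quotes), while the filtered expander leaves only "touch..." in
the charset value and nothing executes. The filter is deliberately stricter than
the RFC 2045 token grammar, so a legitimate but unusual parameter value can be
altered; a value that is filtered to nothing also leaves an empty argument behind
(for example "-I" followed directly by "-dump"), which a real implementation
should substitute a placeholder for rather than pass through.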