It seems another error in claws-mail, not related to the xdg-utils vulnerability. Please file a separate bug against the claws-mail package. I ran "xdg-email --attach test.txt evil-t...@mymedia.su" via strace and had the following in the terminal.
ubuntu@ubuntu:~$ LANG=C.UTF-8 apt-cache policy xdg-utils claws-mail xdg-utils: Installed: 1.1.3-2ubuntu1.20.04.2 Candidate: 1.1.3-2ubuntu1.20.04.2 Version table: *** 1.1.3-2ubuntu1.20.04.2 500 500 http://security.ubuntu.com/ubuntu focal-security/main amd64 Packages 500 http://archive.ubuntu.com/ubuntu focal-updates/main amd64 Packages 100 /var/lib/dpkg/status 1.1.3-2ubuntu1 500 500 http://archive.ubuntu.com/ubuntu focal/main amd64 Packages claws-mail: Installed: 3.17.5-2 Candidate: 3.17.5-2 Version table: *** 3.17.5-2 500 500 http://archive.ubuntu.com/ubuntu focal/universe amd64 Packages 100 /var/lib/dpkg/status ubuntu@ubuntu:~$ echo qwerty >test.txt ubuntu@ubuntu:~$ strace -s 256 -f -qq -e 'trace=%process' -e 'signal=!all' -P `which claws-mail` env LANG=C.UTF-8 xdg-email --attach test.txt evil-t...@mymedia.su execve("/usr/bin/claws-mail", ["claws-mail", "mailto:evil-t...@mymedia.su?attach=/home/ubuntu/test.txt";], 0x555673c99df0 /* 51 vars */) = 0 Gtk-Message: 19:53:06.153: Failed to load module "canberra-gtk-module" /home/ubuntu/.claws-mail/toolbar_compose.xml: fopen: No such file or directory (claws-mail:6012): Claws-Mail-WARNING **: 19:53:06.754: can't open signature file: '/home/ubuntu/.signature' ubuntu@ubuntu:~$ I had changed default mail application to Claws Mail. It displayed a strange error message, "File Reply-To: doesn't exist or permission denied". See my attached screenshot. ** Attachment added: "VirtualBox_KRika_12_01_2021_22_53_13.png" https://bugs.launchpad.net/bugs/1909941/+attachment/5452402/+files/VirtualBox_KRika_12_01_2021_22_53_13.png -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to xdg-utils in Ubuntu. https://bugs.launchpad.net/bugs/1909941 Title: xdg-email changes break simple-scan email functionality Status in xdg-utils package in Ubuntu: Confirmed Bug description: Observed on 16.04 to 20.04 xdg-email no longer actions "-attach filename" arguments when running thunderbird following recent security fixes to protect against malicious use from browser ( https://security-tracker.debian.org/tracker/CVE-2020-27748 and https://ubuntu.com/security/CVE-2020-27748 ) This breaks simple-scan "send by email" functionality and other applications too. https://gitlab.gnome.org/GNOME/simple-scan/-/issues/216 https://forums.linuxmint.com/viewtopic.php?f=208&t=336053 https://gitlab.freedesktop.org/xdg/xdg-utils/-/merge_requests/28 (see comments) To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/xdg-utils/+bug/1909941/+subscriptions -- Mailing list: https://launchpad.net/~desktop-packages Post to : desktop-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~desktop-packages More help : https://help.launchpad.net/ListHelp