
[Security] Default /etc/mailcap in Slackware 12.2 causes possible hole in Firefox


Manuel Reimer

Jan 4, 2009, 7:29:19 AM
Hello,

Slackware 12.2 comes with a /etc/mailcap file, which forwards some
mime-types to xdg-open. By spoofing the mime-type of a "dangerous" file,
an attacker can easily get this file executed.

https://bugs.freedesktop.org/show_bug.cgi?id=19377

This bug report also contains a demonstration page, which tries to
execute some (non-dangerous) code on your machine. If you keep the
Firefox-default (Open with Default Application) and just hit "OK", then
a short demonstration application gets executed (just two linked calls
to kdialog).

Recommended workaround: Delete /etc/mailcap and make sure it stays
deleted (reinstalling or updating the xdg-utils package recreates the file!)

I already sent a short mail to security(at)slackware.com yesterday, in the
hope that this will be fixed.

CU

Manuel

Robby Workman

Feb 2, 2009, 11:54:38 PM

In case you hadn't noticed, this is now addressed in 12.2 and -current:

Mon Feb 2 17:47:30 CST 2009
patches/packages/xdg-utils-1.0.2-noarch-3_slack12.2.tgz:
This update fixes two security issues. First, use of xdg-open in
/etc/mailcap was found to be unsafe -- xdg-open passes along downloaded files
without indicating what mime type they initially presented themselves as,
leaving programs further down the processing chain to discover the file type
again. This makes it rather trivial to present a script (such as a .desktop
file) as a document type (like a PDF) so that it looks safe to click on in a
browser, but will result in the execution of an arbitrary script. It might
be safe to send files to trusted applications in /etc/mailcap, but it does
not seem to be safe to send files to xdg-open in /etc/mailcap.
This package will comment out calls to xdg-open in /etc/mailcap if they are
determined to have been added by a previous version of this package.
If you've made any local customizations to /etc/mailcap, be sure to check
that there are no uncommented calls to xdg-open after installing this update.
Thanks to Manuel Reimer for discovering this issue.
For more information, see:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0068
Another bug in xdg-open fails to sanitize input properly allowing the
execution of arbitrary commands. This was fixed in the xdg-utils repository
quite some time ago (prior to the inclusion of xdg-utils in Slackware), but
was never fixed in the official release of xdg-utils. The sources for
xdg-utils in Slackware have now been updated from the repo to fix the problem.
For more information, see:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0386
(* Security fix *)
+--------------------------+

For those following along at home, this would be a nice lesson in how
NOT to handle security bugs if you truly care about the product in which
it's present.

-RW
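The ChangeLog entry quoted above asks administrators who customized /etc/mailcap to verify that no uncommented xdg-open entries remain after the update. The script below is an added example, not code from the thread or from the xdg-utils package: it parses a mailcap file (type; command; flags), skips commented-out lines, and reports every active entry whose command field invokes xdg-open. The sample mailcap content is constructed for the demonstration; the real Slackware 12.2 entries are not on the page. Mailcap entries continued across lines with a trailing backslash are not joined by this simple parser.

```sh
#!/bin/sh
# Added example (not part of the original thread): find active mailcap
# entries that hand downloaded files to xdg-open, the pattern the
# CVE-2009-0068 fix comments out. Run it against /etc/mailcap after
# installing the xdg-utils update to confirm nothing was left uncommented.

# Constructed sample in mailcap format (assumption: the real Slackware 12.2
# file contents are not shown on the page).
SAMPLE_MAILCAP='# Sample /etc/mailcap (constructed for this example)
application/pdf; xdg-open %s; test=test -n "$DISPLAY"
# application/x-desktop; xdg-open %s
text/html; lynx %s; needsterminal
image/*; xdg-open %s
'

# Print every uncommented entry whose command field (second ;-separated
# field) calls xdg-open. Usage: unsafe_xdg_open_entries /etc/mailcap
unsafe_xdg_open_entries() {
    awk -F';' '
        /^[[:space:]]*#/ { next }   # comment line: already disabled
        NF < 2 { next }             # not a "type; command" entry
        $2 ~ /xdg-open/ { print }   # command field hands the file to xdg-open
    ' "$1"
}

# Number of active xdg-open entries; 0 means the file needs no further fixing.
count_unsafe_entries() {
    unsafe_xdg_open_entries "$1" | wc -l | tr -d ' '
}

# Write the constructed sample to a temporary file and run the check on it.
demo() {
    tmp=$(mktemp)
    printf '%s' "$SAMPLE_MAILCAP" > "$tmp"
    echo "active xdg-open entries in sample: $(count_unsafe_entries "$tmp")"
    unsafe_xdg_open_entries "$tmp"
    rm -f "$tmp"
}

demo
```

On a real system replace the sample with `count_unsafe_entries /etc/mailcap`; any entry it lists is still subject to the mime-type spoofing described in the thread and should be commented out or pointed at a specific trusted application.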
