Bug#975370: xdg-utils: CVE-2020-27748: local file inclusion vulnerability

Nicholas Guriev guriev-ns at ya.ru
Wed Dec 30 09:28:25 GMT 2020

On Вс, 2020-12-06 at 13:36 -0500, John Scott wrote:
> On Sunday, November 29, 2020 1:40:17 AM EST Nicholas Guriev wrote:
> > Proposed change offers to completely remove `attach` parameter. I don't
> > like to break existing features.
> It appears that it only removes the attach parameter for Thunderbird in that 
> commit. Perhaps that's because other mail clients handle hidden attachments 
> better. With xdg-email as packaged now KMail does in fact show an extra large 
> warning about a hidden attachment (IIRC they had a related CVE not too long 
> ago), but attachments seem to be visible in Thunderbird in any case.
> It appears upstream versions of Thunderbird don't respect the ?attach 
> parameter in mailto URIs, but xdg-email parses the URI into Thunderbird-style 
> command-line arguments. These, as given from xdg-email, are considered trusted 
> input and honored, as opposed to if mailto:foo?attach=bar were given to 
> Thunderbird directly. xdg-email's conversion thus causes a misinterpretation 
> of trust by Thunderbird.

Thank you a lot for clarifications. Things are now less vague. So the
issue takes place only with Trunderbird, does not? I requested[1]
Thunderbird developers to implement a warning that would give a hint
about forcibly attached files.

On our side, xdg-email could show a dialog box through Zenity to inform
a user before starting Thunderbird. Alas, xdg-utils have no
internationalization support yet and so the notice will be untranslated.

> Thunderbird's intent to not support the ?attach parameter for untrusted clicks 
> from browsers, but still allow non-URI command-line specified attachments seems 
> a reasonable compromise. A solution which might let xdg-email practice the 
> same is to honor the attachment, and convert it to a Thunderbird command-line 
> parameter, if invoked as
> xdg-email --attach foo mailto:bar
> but discard it if invoked as
> xdg-email mailto:bar?attach=foo
> Indeed this seems to have been the intent from the description of the merge 
> request: https://gitlab.freedesktop.org/xdg/xdg-utils/-/merge_requests/28
> It looks like Reportbug's xdg-email backend uses the latter functionality, but 
> it would probably be a trivial change to switch to the --attach form. 

>From that point, it is unclear for me what is the difference between
these two invocations. One who is able to call to xdg-email, could just
use the "--attach" argument. When I type these commands in terminal, the
difference is hardly visible.

I checked that browsers, Firfox and links, do not rely on xdg-utils, so
web-pages cannot exploit the issue. Atril uses GIO internally and does
not utilize xdg-email. However, LibreOffice Writer uses xdg-open while
clicking links. But xdg-open, for some reason, does not support
"?attach" parameter in mailto: scheme.

So I can't suggest a possible attack vector.

 [1]: https://bugzilla.mozilla.org/show_bug.cgi?id=1613425#c20

More information about the Pkg-freedesktop-maintainers mailing list