Bug#975370: xdg-utils: CVE-2020-27748: local file inclusion vulnerability

Nicholas Guriev guriev-ns at ya.ru
Wed Dec 30 09:28:25 GMT 2020


On Sun, 2020-12-06 at 13:36 -0500, John Scott wrote:
> On Sunday, November 29, 2020 1:40:17 AM EST Nicholas Guriev wrote:
> > Proposed change offers to completely remove `attach` parameter. I don't
> > like to break existing features.
> It appears that it only removes the attach parameter for Thunderbird in that 
> commit. Perhaps that's because other mail clients handle hidden attachments 
> better. With xdg-email as packaged now KMail does in fact show an extra large 
> warning about a hidden attachment (IIRC they had a related CVE not too long 
> ago), but attachments seem to be visible in Thunderbird in any case.
> 
> It appears upstream versions of Thunderbird don't respect the ?attach 
> parameter in mailto URIs, but xdg-email parses the URI into Thunderbird-style 
> command-line arguments. These, as given from xdg-email, are considered trusted 
> input and honored, as opposed to if mailto:foo?attach=bar were given to 
> Thunderbird directly. xdg-email's conversion thus causes a misinterpretation 
> of trust by Thunderbird.

Thank you a lot for the clarifications. Things are now less vague. So the
issue takes place only with Thunderbird, doesn't it? I requested[1]
Thunderbird developers to implement a warning that would give a hint
about forcibly attached files.

On our side, xdg-email could show a dialog box through Zenity to inform
a user before starting Thunderbird. Alas, xdg-utils have no
internationalization support yet and so the notice will be untranslated.

> Thunderbird's intent to not support the ?attach parameter for untrusted clicks 
> from browsers, but still allow non-URI command-line specified attachments seems 
> a reasonable compromise. A solution which might let xdg-email practice the 
> same is to honor the attachment, and convert it to a Thunderbird command-line 
> parameter, if invoked as
> xdg-email --attach foo mailto:bar
> but discard it if invoked as
> xdg-email mailto:bar?attach=foo
> 
> Indeed this seems to have been the intent from the description of the merge 
> request: https://gitlab.freedesktop.org/xdg/xdg-utils/-/merge_requests/28
> 
> It looks like Reportbug's xdg-email backend uses the latter functionality, but 
> it would probably be a trivial change to switch to the --attach form. 

From that point, it is unclear to me what the difference is between
these two invocations. One who is able to call xdg-email could just
use the "--attach" argument. When I type these commands in a terminal, the
difference is hardly visible.

I checked that browsers, Firefox and links, do not rely on xdg-utils, so
web pages cannot exploit the issue. Atril uses GIO internally and does
not utilize xdg-email. However, LibreOffice Writer uses xdg-open when
clicking links. But xdg-open, for some reason, does not support the
"?attach" parameter in the mailto: scheme.

So I can't suggest a possible attack vector.


 [1]: https://bugzilla.mozilla.org/show_bug.cgi?id=1613425#c20
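As an added example (not code from xdg-utils, nor from either correspondent), a POSIX shell sketch of the split John Scott proposes above: attachment keys arriving inside the mailto: URI are discarded as untrusted, while an explicit --attach argument from the caller is kept. The compose-string layout is an assumption, simplified from Thunderbird's -compose syntax, and percent-decoding is left out.

```shell
#!/bin/sh
# mailto_to_compose URI [--attach FILE]...
# Hypothetical helper (not xdg-email's own parser). Prints a simplified
# Thunderbird-style compose string such as "to=a@b,subject=hi".
# Rule: "attach"/"attachment" keys found in the URI are dropped, because
# the URI may come from an untrusted link; only --attach is honoured.
mailto_to_compose() {
    uri=$1; shift
    case "$uri" in
        mailto:*) ;;
        *) echo "not a mailto URI: $uri" >&2; return 1 ;;
    esac
    rest=${uri#mailto:}
    to=${rest%%\?*}
    query=""
    case "$rest" in *\?*) query=${rest#*\?} ;; esac
    out=""
    [ -n "$to" ] && out="to=$to"
    # Walk the query string pair by pair without relying on word splitting.
    while [ -n "$query" ]; do
        pair=${query%%\&*}
        if [ "$pair" = "$query" ]; then query=""; else query=${query#*\&}; fi
        key=${pair%%=*}; value=${pair#*=}
        # Normalise case so "Attach" and "ATTACH" are caught as well.
        key=$(printf '%s' "$key" | tr 'A-Z' 'a-z')
        case "$key" in
            attach|attachment)
                echo "discarding attachment requested by URI: $value" >&2 ;;
            to|cc|bcc|subject|body)
                out="${out:+$out,}$key=$value" ;;
            *)  echo "ignoring unknown header: $key" >&2 ;;
        esac
    done
    # Explicit --attach arguments were typed by the caller, not carried
    # by the link, so they are treated as trusted input.
    while [ $# -gt 0 ]; do
        if [ "$1" = "--attach" ] && [ $# -ge 2 ]; then
            out="${out:+$out,}attachment=file://$2"
            shift
        fi
        shift
    done
    printf '%s\n' "$out"
}
```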
