oss-sec mailing list archives
Command Injection in mime-support/run-mailcap (CVE-2014-7209)
From: "Timothy D. Morgan" <tim.advisories () blindspotsecurity com>
Date: Wed, 31 Dec 2014 09:38:49 -0800
Hello,

I discovered a shell injection vulnerability in the run-mailcap script of the mime-support package. This vulnerability is exploitable in a variety of very specific scenarios when an attacker can convince a victim to open a file with a malicious file name using the run-mailcap script.

Only a handful of software packages (such as email clients) are likely to call run-mailcap directly, but it can also be called by xdg-open, which is much more widely used. However, in the xdg-open case, the victim must not be using one of the popular desktop environments in order for the issue to be triggered. In the xdg-open case, it was possible to execute arbitrary code using Google Chrome/Chromium file downloads as a vector. (Yes, this is a separate issue from the xdg-open shell injection vulnerability that was reported not long ago.)

It seems that mime-support is primarily used by Debian-based Linux distributions, though FreeBSD does have a port for it. I'm not sure what other distros may make it available.

Debian has released a security update (DSA-3114-1) for the issue. I am also attaching patches which correct the flaw in the previous version. Thanks to Salvatore Bonaccorso and Charles Plessy for developing the patches.

tim
Attachment: 0001-CVE-2014-7209-Fix-shell-command-injection.patch
Attachment: 0002-Resolve-file-name-to-an-absolute-path.patch
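An added illustration of the bug class the message describes, not code from run-mailcap or from the attached patches: a mailcap-style command template whose `%s` is filled with a file name and then handed to `/bin/sh`, first unquoted and then as an absolute, shell-quoted path. The function names, the `echo viewing: %s` template and the sample file name are constructed for this example, and the template is assumed to carry `%s` outside any quotes of its own.

```python
import os
import shlex
import subprocess

# Constructed stand-in for a mailcap entry; a real entry would name a viewer program.
TEMPLATE = "echo viewing: %s"


def expand_unsafe(template: str, filename: str) -> str:
    """Vulnerable pattern: the file name is pasted into the shell command as-is."""
    return template.replace("%s", filename)


def expand_safe(template: str, filename: str) -> str:
    """Hardened pattern: make the path absolute, then quote it for the shell.

    An absolute path always starts with '/', so it cannot be mistaken for an
    option by the handler. shlex.quote() wraps it so the shell sees one word.
    Assumption: %s is not already inside quotes in the template.
    """
    absolute = os.path.abspath(filename)
    return template.replace("%s", shlex.quote(absolute))


def run(command: str) -> list[str]:
    """Run a command line through /bin/sh and return its output lines."""
    result = subprocess.run(
        ["/bin/sh", "-c", command], capture_output=True, text=True, check=True
    )
    return result.stdout.splitlines()


if __name__ == "__main__":
    # Constructed file name containing a shell metacharacter.
    name = "notes.txt; echo INJECTED"
    for expand in (expand_unsafe, expand_safe):
        command = expand(TEMPLATE, name)
        print(f"{expand.__name__}: {command!r}")
        for line in run(command):
            print("    " + line)
```

With the unquoted expansion the shell runs a second command taken from the file name; with the quoted expansion the whole name reaches the handler as a single argument.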