Command Injection in mime-support/run-mailcap (CVE-2014-7209)

["Timothy D. Morgan" <tim.advisories () blindspotsecurity com>]

Hello,

I discovered a shell injection vulnerability in the run-mailcap script of the
mime-support package.  This vulnerability is exploitable in a variety of very
specific scenarios when an attacker can convince a victim to open a file with a
malicious file name using the run-mailcap script.  Only a handful of software
packages (such as email clients) are likely to call run-mailcap directly, but it can
also be called by xdg-open, which is much more widely used.  However, in the xdg-open
case, the victim must not be using one of the popular desktop environments in order
for the issue to be triggered.  In the xdg-open case, it was possible to execute
arbitrary code using Google Chrome/Chromium file downloads as a vector.  (Yes, this
is a separate issue from the xdg-open shell injection vulnerability that was reported
not long ago.)

It seems that mime-support is primarily used by Debian-based Linux distributions,
though FreeBSD does have a port for it.  I'm not sure what other distros may make it
available.  Debian has released a security update (DSA-3114-1) for the issue.  I am
also attaching patches which correct the flaw in the previous version.

Thanks to Salvatore Bonaccorso and Charles Plessy for developing the patches.

tim

Attachment: 0001-CVE-2014-7209-Fix-shell-command-injection.patch
Description:

Attachment: 0002-Resolve-file-name-to-an-absolute-path.patch
Description: