[DRE-commits] [sup-mail] 01/01: Fix remote code injection when viewing attachments
Per Andersson
avtobiff-guest at moszumanska.debian.org
Sun Nov 24 20:23:03 UTC 2013
This is an automated email from the git hooks/post-receive script.
avtobiff-guest pushed a commit to branch wheezy-security
in repository sup-mail.
commit a4bca230fa6047b6f7ed507dc2f09803452db786
Author: Per Andersson <avtobiff at gmail.com>
Date: Sun Nov 24 09:18:30 2013 +0100
Fix remote code injection when viewing attachments
CVE-2013-4478 and CVE-2013-4479 (Closes: #728232)
Backported from 0.13.2.1.
---
debian/NEWS | 17 +++
debian/changelog | 7 +
...e-code-injection-when-viewing-attachments.patch | 164 +++++++++++++++++++++
debian/patches/series | 1 +
4 files changed, 189 insertions(+)
diff --git a/debian/NEWS b/debian/NEWS
index 0fe335b..05911b4 100644
--- a/debian/NEWS
+++ b/debian/NEWS
@@ -1,3 +1,20 @@
+sup-mail (0.12.1+git20120407.aaa852f-1+deb7u1) wheezy-security; urgency=high
+
+ It was discovered that Sup was vulnerable to a remote code injection exploit
+ triggered by specially crafted mail attachment content-type or filename. A
+ fix has been backported from 0.13.2.1 to remedy the vulnerability. Full
+ disclosure is available: CVE-2013-4478 and CVE-2013-4479.
+
+ Review any user defined mailcap entries, mime-decode and mime-view hooks
+ with respect this vulnerability.
+
+ More information is available in /usr/share/doc/sup-mail/FAQ.txt.gz and also
+ on the Sup wiki page for viewing attachments
+
+ https://github.com/sup-heliotrope/sup/wiki/Viewing-Attachments
+
+ -- Per Andersson <avtobiff at gmail.com> Sun, 24 Nov 2013 03:27:43 +0100
+
sup-mail (0.11-1) unstable; urgency=low
IMAP, IMAPS, and mbox+ssh sources have been deprecated and will be removed
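Review bot: the new NEWS paragraph has a grammar slip, "Review any user defined mailcap entries, mime-decode and mime-view hooks with respect this vulnerability" is missing "to" (and "user defined" should be "user-defined"); since this entry is what users see at upgrade time it is worth fixing before upload. The advice is also vaguer than it needs to be: the patch itself shows what to review, namely any hook that interpolates `filename` or `content_type` into a shell command must now pass them through Shellwords.escape (as the updated Hooks.txt example does), and mailcap entries must not wrap %s in quotes (as the updated FAQ does). Saying that in the NEWS entry would let users audit their hooks without reading the patch.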
diff --git a/debian/changelog b/debian/changelog
index 0441e8a..0f3ac60 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+sup-mail (0.12.1+git20120407.aaa852f-1+deb7u1) wheezy-security; urgency=high
+
+ * Fix remote code injection when viewing attachments, CVE-2013-4478 and
+ CVE-2013-4479 (Closes: #728232)
+
+ -- Per Andersson <avtobiff at gmail.com> Sat, 23 Nov 2013 15:16:09 +0100
+
sup-mail (0.12.1+git20120407.aaa852f-1) unstable; urgency=low
* New maintainer. (Closes: #660509)
diff --git a/debian/patches/0007-Fix-remote-code-injection-when-viewing-attachments.patch b/debian/patches/0007-Fix-remote-code-injection-when-viewing-attachments.patch
new file mode 100644
index 0000000..02c1c8a
--- /dev/null
+++ b/debian/patches/0007-Fix-remote-code-injection-when-viewing-attachments.patch
@@ -0,0 +1,164 @@
+From: Per Andersson <avtobiff at gmail.com>
+Date: Tue, 19 Nov 2013 19:46:17 +0100
+Subject: Fix remote code injection when viewing attachments
+
+CVE-2013-4478 and CVE-2013-4479 (Closes: #728232)
+
+Backported from 0.13.2.1.
+---
+ doc/FAQ.txt | 6 +++++-
+ doc/Hooks.txt | 7 +++++-
+ lib/sup/message-chunks.rb | 55 +++++++++++++++++++++++++++++++++++++----------
+ 3 files changed, 55 insertions(+), 13 deletions(-)
+
+diff --git a/doc/FAQ.txt b/doc/FAQ.txt
+index 9a24d7f..6600557 100644
+--- a/doc/FAQ.txt
++++ b/doc/FAQ.txt
+@@ -112,4 +112,8 @@ P: When I run Sup remotely and view an HTML attachment, an existing
+ file, which it can't find (since it's on the remote machine). How do
+ I view HTML attachments in this environment?
+ S: Put this in your ~/.mailcap on the machine you run Sup on:
+- text/html; /usr/bin/firefox -a sup '%s'; description=HTML Text; test=test -n "$DISPLAY"; nametemplate=%s.html
++ text/html; /usr/bin/firefox -a sup %s; description=HTML Text; test=test -n "$DISPLAY"; nametemplate=%s.html
++
++ Please read
++ https://github.com/sup-heliotrope/sup/wiki/Viewing-Attachments for
++ some security concerns on opening attachments.
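Review bot: the FAQ change drops the single quotes around %s without saying why, so a reader who keeps an existing quoted entry, or copies one from another FAQ, has no way to know it is now wrong. The reason is in the message-chunks.rb part of this patch: write_to_disk passes a Shellwords-escaped name to Tempfile.new and the path is then interpolated into the run-mailcap command unquoted, so quoting the path at any later stage changes what the viewer receives. Add a sentence to this FAQ answer stating the rule ("the path handed to mailcap is already shell-escaped; do not quote %s"), and consider whether the nametemplate=%s.html copy step makes the quoting irrelevant for this particular entry, in which case the text should say so rather than silently changing the example.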
+diff --git a/doc/Hooks.txt b/doc/Hooks.txt
+index 21b1e5e..6c33971 100644
+--- a/doc/Hooks.txt
++++ b/doc/Hooks.txt
+@@ -48,12 +48,17 @@ before-poll:
+
+
+ mime-decode:
++ ## Please read:
++ https://github.com/sup-heliotrope/sup/wiki/Viewing-Attachments for
++ some security concerns on opening attachments.
++
+ ## turn text/html attachments into plain text, unless they are part
+ ## of a multipart/alternative pair
++ require 'shellwords'
+ unless sibling_types.member? "text/plain"
+ case content_type
+ when "text/html"
+- `/usr/bin/w3m -dump -T #{content_type} '#(unknown)'`
++ `/usr/bin/w3m -dump -T #{content_type} #{Shellwords.escape filename}`
+ end
+ end
+
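Review bot: the two continuation lines after `## Please read:` (the bare URL line and `some security concerns on opening attachments.`) are not prefixed with `##`, so a user who pastes this example into ~/.sup/hooks/mime-decode.rb gets a syntax error; comment all three lines. Separately, the example now escapes at the point of interpolation with `#{Shellwords.escape filename}`, which is the robust pattern, but note that it re-escapes a path that write_to_disk has already escaped (the shell collapses the doubled backslashes back to the on-disk name, so it does work), while the note added to write_to_disk in this same patch tells hook authors the path must be used without quotes. Hooks.txt is where hook authors look, so state the rule once here: always wrap `filename` (and `content_type`) in Shellwords.escape when building a command, never quote it.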
+diff --git a/lib/sup/message-chunks.rb b/lib/sup/message-chunks.rb
+index 7a061d9..a8849b0 100644
+--- a/lib/sup/message-chunks.rb
++++ b/lib/sup/message-chunks.rb
+@@ -1,4 +1,5 @@
+ require 'tempfile'
++require 'shellwords'
+
+ ## Here we define all the "chunks" that a message is parsed
+ ## into. Chunks are used by ThreadViewMode to render a message. Chunks
+@@ -58,6 +59,8 @@ end
+ module Redwood
+ module Chunk
+ class Attachment
++ ## please see note in write_disk on important usage
++ ## of quotes to avoid remote command injection
+ HookManager.register "mime-decode", <<EOS
+ Decodes a MIME attachment into text form. The text will be displayed
+ directly in Sup. For attachments that you wish to use a separate program
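Review bot: the comment refers to `write_disk`, but the method is `write_to_disk`; the same wrong name is repeated before the mime-view registration, in the mime-decode hunk and in view_default!, while the view! hunk uses the right one. A security note that grep cannot find is easy to lose, so use the real method name throughout. It would also help to state the rule inline ("the path is already Shellwords-escaped; interpolate it unquoted") instead of only pointing elsewhere, since the hook docstrings below are what get shown to users.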
+@@ -74,6 +77,8 @@ Return value:
+ The decoded text of the attachment, or nil if not decoded.
+ EOS
+
++ ## please see note in write_disk on important usage
++ ## of quotes to avoid remote command injection
+ HookManager.register "mime-view", <<EOS
+ Views a non-text MIME attachment. This hook allows you to run
+ third-party programs for attachments that require such a thing (e.g.
+@@ -99,8 +104,18 @@ EOS
+ attr_reader :content_type, :filename, :lines, :raw_content
+ bool_reader :quotable
+
++ ## store tempfile objects as class variables so that they
++ ## are not removed when the viewing process returns. they
++ ## should be garbage collected when the class variable is removed.
++ @@view_tempfiles = []
++
+ def initialize content_type, filename, encoded_content, sibling_types
+ @content_type = content_type.downcase
++ if Shellwords.escape(@content_type) != @content_type
++ warn "content_type #{@content_type} is not safe, changed to application/octet-stream"
++ @content_type = 'application/octet-stream'
++ end
++
+ @filename = filename
+ @quotable = false # changed to true if we can parse it through the
+ # mime-decode hook, or if it's plain text
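Review bot: the sanity check `if Shellwords.escape(@content_type) != @content_type` rejects more than it needs to. Shellwords.escape leaves only `[A-Za-z0-9_\-.,:\/@\n]` unescaped, so any type containing `+` (image/svg+xml, application/xhtml+xml, application/atom+xml) is downgraded to application/octet-stream, which changes which mailcap entry fires for perfectly ordinary attachments. Since the goal is a shell-safe token rather than Shellwords round-tripping, an explicit MIME-token allowlist such as `%r{\A[\w.+-]+/[\w.+-]+\z}` is both tighter and more predictable; `+` is harmless to the shell when unquoted. Minor: the `@@view_tempfiles` comment says the files are collected "when the class variable is removed", but nothing ever clears it, so every view leaves a tempfile on disk until the process exits and Tempfile's finalizers run. That is acceptable for a session, but say so rather than implying collection.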
+@@ -115,7 +130,9 @@ EOS
+ when /^text\/plain\b/
+ @raw_content
+ else
+- HookManager.run "mime-decode", :content_type => content_type,
++ ## please see note in write_disk on important usage
++ ## of quotes to avoid remote command injection
++ HookManager.run "mime-decode", :content_type => @content_type,
+ :filename => lambda { write_to_disk },
+ :charset => encoded_content.charset,
+ :sibling_types => sibling_types
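Review bot: the decode path still hands the hook a bare path from `lambda { write_to_disk }`: write_to_disk returns file.path and its `ensure` closes the Tempfile, after which the Tempfile object is unreachable and its finalizer may unlink the file before the hook's w3m command runs. This race predates the patch, but the patch adds exactly the tool to fix it, the block form of write_to_disk and the @@view_tempfiles list used by view!; either push the file there as well or run the hook inside `write_to_disk { |f| ... }` so the object stays alive for the duration of the call.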
+@@ -146,11 +163,13 @@ EOS
+ def initial_state; :open end
+ def viewable?; @lines.nil? end
+ def view_default! path
++ ## please see note in write_disk on important usage
++ ## of quotes to avoid remote command injection
+ case Config::CONFIG['arch']
+ when /darwin/
+- cmd = "open '#{path}'"
++ cmd = "open #{path}"
+ else
+- cmd = "/usr/bin/run-mailcap --action=view '#{@content_type}:#{path}'"
++ cmd = "/usr/bin/run-mailcap --action=view #{@content_type}:#{path}"
+ end
+ debug "running: #{cmd.inspect}"
+ BufferManager.shell_out(cmd)
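Review bot: the unquoted interpolation in `cmd = "open #{path}"` and `cmd = "/usr/bin/run-mailcap --action=view #{@content_type}:#{path}"` does not match what is on disk. write_to_disk passes the Shellwords-escaped name to Tempfile.new, so a file for the attachment `report v2.pdf` is literally created as `...report\ v2.pdf` (backslash included); when that path goes through the shell the backslash is consumed and `open` receives `...report v2.pdf`, a path that does not exist. The injection is closed (the shell reads `\;` as a literal semicolon inside one word), but every attachment whose name contains a space, `;`, `&`, `(` or any other character outside Shellwords' safe set can no longer be viewed through this default. Escape at the point of use instead: create the tempfile from a name sanitised to a plain character set (or the raw `gsub("/", "_")` name), and write `cmd = "open #{Shellwords.escape path}"` and `cmd = "/usr/bin/run-mailcap --action=view #{Shellwords.escape "#{@content_type}:#{path}"}"`. That also removes the need for the "never quote this path" rule that hook and mailcap authors are now asked to follow.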
+@@ -158,17 +177,31 @@ EOS
+ end
+
+ def view!
+- path = write_to_disk
+- ret = HookManager.run "mime-view", :content_type => @content_type,
+- :filename => path
+- ret || view_default!(path)
++ ## please see note in write_to_disk on important usage
++ ## of quotes to avoid remote command injection.
++ write_to_disk do |file|
++
++ @@view_tempfiles.push file # make sure the tempfile is not garbage collected before sup stops
++
++ ret = HookManager.run "mime-view", :content_type => @content_type,
++ :filename => file.path
++ ret || view_default!(file.path)
++ end
+ end
+
++ ## note that the path returned from write_to_disk is
++ ## Shellwords.escaped and is intended to be used without single
++ ## or double quotes. the use of either opens sup up for remote
++ ## code injection through the file name.
+ def write_to_disk
+- file = Tempfile.new(["sup", @filename.gsub("/", "_") || "sup-attachment"])
+- file.print @raw_content
+- file.close
+- file.path
++ begin
++ file = Tempfile.new(["sup", Shellwords.escape(@filename.gsub("/", "_")) || "sup-attachment"])
++ file.print @raw_content
++ yield file if block_given?
++ return file.path
++ ensure
++ file.close
++ end
+ end
+
+ ## used when viewing the attachment as text
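Review bot: write_to_disk now yields before the Tempfile is closed or flushed. `file.print @raw_content` only fills Ruby's IO write buffer, and `yield file` then runs the mime-view hook or view_default! against a file that may still be empty or truncated on disk; the `ensure file.close` that would flush it runs only after the viewer returns. Add `file.flush` before the yield (or call `file.close` there, which does not unlink a Tempfile). Two smaller points in the same hunk: the fallback in `Tempfile.new(["sup", Shellwords.escape(@filename.gsub("/", "_")) || "sup-attachment"])` is dead, because Shellwords.escape always returns a string and a nil @filename raises NoMethodError on gsub before `||` is reached (the original line had the same precedence bug); it should read `Shellwords.escape((@filename || "sup-attachment").gsub("/", "_"))`. And if Tempfile.new itself raises, `file` is nil in the ensure clause and `file.close` raises NoMethodError, masking the original error; guard it with `file.close if file`.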
diff --git a/debian/patches/series b/debian/patches/series
index 5ca11c6..f0d869d 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -4,3 +4,4 @@
0004-Avoid-crash-when-maybe-wrapping-text.patch
0005-Require-iconv-and-locale-instead-of-gettext.patch
0006-Use-RbConfig-instead-of-deprecated-Config.patch
+0007-Fix-remote-code-injection-when-viewing-attachments.patch
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-ruby-extras/sup-mail.git