xdg-utils: fix mailto-vulnerability #95758
Conversation
pkgs/tools/X11/xdg-utils/0001-xdg-email-remove-attachment-handling-from-mailto.patch
Outdated
Show resolved
Hide resolved
|
Took the liberty to update your motivation. |
|
It would be nice if you could get upstream to make a new release out of it (last one was 2 years ago) - I'm locally using an overlay to use https://gitlab.freedesktop.org/xdg/xdg-utils/-/commit/9816ebb3e6fd9f23e993b8b7fcbd56f92d9c9197 which has been on master for a couple of months now. If a new release takes too long/doesn't happen, would it be possible to point nixpkgs at a version that is not an official release? |
The "Mailto: Me Your Secrets"[0] paper describes vulnerabilities in multiple email clients regarding the undocumented "attach" field of a mailto URI. This might allow the inclusion of sensitive data in an outgoing email. Pull request #95758 addresses this issue on a more general level. Claws Mail unfortunately also has problems with mailto URIs[1][2]. Referring to the paper, problems for "attach" and "insert" were found and fixed. These patches, which are not included in a release yet, are hereby added. [0]:https://www.nds.ruhr-uni-bochum.de/media/nds/veroeffentlichungen/2020/08/15/mailto-paper.pdf [1]:https://www.thewildbeast.co.uk/claws-mail/bugzilla/show_bug.cgi?id=4373 [2]:https://www.thewildbeast.co.uk/claws-mail/bugzilla/show_bug.cgi?id=4374
There was a problem hiding this comment.
I can reproduce the problem with chromium and the following config:
environment.etc."xdg/mimeapps.list" = {
text = ''
[Default Applications]
x-scheme-handler/mailto=thunderbird.desktop
'';
};
I didn't check applying this patch fixes the problem (that seems to require rebuilding chromium...), but it looks convincing.
It also breaks 'legitimate' use cases for adding attachments to emails, not only for filenames passed in via the mailto url, but also for those passed with '--attach' (since that just appends it to the mailto url AFAICS, https://gitlab.freedesktop.org/xdg/xdg-utils/-/blob/master/scripts/xdg-email.in#L372).
So we have to weigh breaking this feature against fixing the vulnerability (which is a bit far-fetched and requires user interaction) or doing nothing and leaving it to upstream to make the call.
I'd say it might be best to err on the safe side and apply this patch until we find a strong reason the feature is needed (or there is a decision upstream that we want to follow).
I looked around a bit and didn't find a CVE for this issue, btw.
|
I replaced it with a pull request now. |
|
CVE-2020-27748 got assigned to this and even Debian is now considering this patch and Ubuntu just sent out an Advisory with a fixed version. |
| @@ -32,6 +32,14 @@ stdenv.mkDerivation rec { | |||
| # just needed when built from git | |||
| buildInputs = [ libxslt docbook_xml_dtd_412 docbook_xsl xmlto w3m ]; | |||
|
|
|||
| patches = [ | |||
| # https://gitlab.freedesktop.org/xdg/xdg-utils/-/merge_requests/28 | |||
| (fetchpatch { | |||
There was a problem hiding this comment.
@Mic92 please remove the trailing whitespace here
|
I leave this to @mweinelt to fix this ;) |
|
Awesome, then please add a remark to the upstream merge request concerning the breakage. |
|
The problem is that it break the |
Motivation for this change
https://www.nds.ruhr-uni-bochum.de/media/nds/veroeffentlichungen/2020/08/15/mailto-paper.pdf
Things done
sandboxinnix.confon non-NixOS linux)nix-shell -p nixpkgs-review --run "nixpkgs-review wip"./result/bin/)nix path-info -Sbefore and after)