Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 534184 (CVE-2014-7209) - app-misc/run-mailcap: Command Injection
Summary: app-misc/run-mailcap: Command Injection
Alias: CVE-2014-7209
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
Whiteboard: B2 [noglsa]
Depends on:
Reported: 2015-01-01 09:42 UTC by Agostino Sarubbo
Modified: 2016-10-10 06:03 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2015-01-01 09:42:09 UTC
From ${URL} :

I discovered a shell injection vulnerability in the run-mailcap script of the
mime-support package.  This vulnerability is exploitable in a variety of very
specific scenarios when an attacker can convince a victim to open a file with a
malicious file name using the run-mailcap script.  Only a handful of software
packages (such as email clients) are likely to call run-mailcap directly, but it can
also be called by xdg-open, which is much more widely used.  However, in the xdg-open
case, the victim must not be using one of the popular desktop environments in order
for the issue to be triggered.  In the xdg-open case, it was possible to execute
arbitrary code using Google Chrome/Chromium file downloads as a vector.  (Yes, this
is a separate issue from the xdg-open shell injection vulnerability that was reported
not long ago.)

It seems that mime-support is primarily used by Debian-based Linux distributions,
though FreeBSD does have a port for it.  I'm not sure what other distros may make it
available.  Debian has released a security update (DSA-3114-1) for the issue.  I am
also attaching patches which correct the flaw in the previous version.

@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Pacho Ramos gentoo-dev 2015-11-04 15:23:24 UTC
is 3.52_p1 version from testing also affected by this?
Comment 2 Kevin Bryan 2016-06-13 20:25:26 UTC
(In reply to Pacho Ramos from comment #1)
> is 3.52_p1 version from testing also affected by this?

3.52_p1 seems to still have the issue (visual inspection shows patches not applied).  Version 3.60 does seem to contain (a better version) of the patches. No visible regressions.
Comment 3 Pacho Ramos gentoo-dev 2016-07-31 12:00:21 UTC
If no one is willing to proxy maintain this, I guess we should treeclean this
Comment 4 Pacho Ramos gentoo-dev 2016-10-01 07:30:16 UTC
Comment 5 Aaron Bauman (RETIRED) gentoo-dev 2016-10-10 06:03:44 UTC
Package removed from tree.