Bug 479010 (CVE-2009-0068)

Summary:	CVE-2009-0068 Using xdg-open in mailcap causes hole in Firefox
Product:	[Fedora] Fedora	Reporter:	David Nalley <david>
Component:	xdg-utils	Assignee:	Rex Dieter <rdieter>
Status:	CLOSED ERRATA	QA Contact:	Fedora Extras Quality Assurance <extras-qa>
Severity:	medium	Docs Contact:
Priority:	low
Version:	10	CC:	bressers, greenrd, pertusus, rdieter, rworkman, security-response-team, ville.skytta
Target Milestone:	---	Keywords:	Security
Target Release:	---
Hardware:	All
OS:	Linux
Whiteboard:
Fixed In Version:		Doc Type:	Bug Fix
Doc Text:		Story Points:	---
Clone Of:		Environment:
Last Closed:	2009-09-13 19:35:00 UTC	Type:	---
Regression:	---	Mount Type:	---
Documentation:	---	CRM:
Verified Versions:		Category:	---
oVirt Team:	---	RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---	Target Upstream Version:
Embargoed:

Description David Nalley 2009-01-06 14:17:41 UTC

One of the slackware developers approached me about a security issue that was reported in their mailcap. They did so because they copied our mailcap. 

Here is the original ticket they received:
https://bugs.freedesktop.org/show_bug.cgi?id=19377

I have not personally explored this bug - just acting as a relay - the slackware contact is Robbie Workman - I have cced him on this ticket, but for the record his email address is: rworkman 

I am adding some additional discussion from within the slackware community:
14:19 <rworkman> Hey :)
14:20 <ke4qqq> what can I do for you?
14:20 <rworkman> What do you make of this: https://bugs.freedesktop.org/show_bug.cgi?id=19377
14:20 <rworkman> You guys have the exact same /etc/mailcap -- we "borrowed" it from you :)
14:21 <ke4qqq> that is supposed to be the idea. 
14:21 <rworkman> Unofficially, we think it's a load of crap.  There's no way to prevent users from doing somethign stupid.
14:23 <ke4qqq> interesting - so you want me to report this upstream to Fedora?
14:23 <rworkman> Well, I guess so.  I'd like to see what the relevant maintainer's take on this is before we do anything.  
14:24 <rworkman> If you don't mind, please CC me <rworkman> on it if you mail it 
14:24 <ke4qqq> ok, I'll do so shortly
14:24 <rworkman> Thanks
14:28 <rworkman> Just some discussion we're having:
14:28 <rworkman> 19:27 < volkerdi> rworkman: Possibly someone else maintains the Fedora mailcap package (yes, they have a whole RPM for just  the 
                 mailcap).  Maybe they ought to be in the loop, too.
14:28 <rworkman> 19:28 < amrit> so basically if the server specifies, say, a jpg mime type for a .sh, xdg-open will execute it anyway?
14:28 <rworkman> 19:28 < alienBOB> The problem with xdg-open is in fact not xdg-open itself. It passes the URL to a DE-specific tool, for KDE  that 
                 is kfmclient. IMO kfmclient should not accept .desktop files if they are not located on the local fs
14:33 <ke4qqq> sorry - /me is a bit distracted - in two meetings at once....I'll be back to this shortly. 
14:33 <rworkman> No problem - it's not urgent IMO :)

Comment 1 Josh Bressers 2009-01-06 20:27:52 UTC

*** Bug 479057 has been marked as a duplicate of this bug. ***

Comment 2 Patrice Dumas 2009-04-08 14:20:03 UTC

I am not sure about this, but it could be seen in 2 different ways

1 the server said a mime type, the browser should open it as this mimetype
2 the real document is a given mime type the application opening it should be the application corresponding with that mimetype.

Both have different security implications. 1 means that if failed the browser may fail to stop the content from being executed. 2 means that the content will be feed to the wrong application.

Maybe the right solution would be to have the brower detect the file type (for example using 
xdg-mime query filetype $file
and aborts if it is not the same than what the site said.

Something along 

image/*; /usr/bin/verify-and-open %F %s

and verify-and-open would first call  xdg-mime query filetype and verify that it matches what %F said.

Comment 3 Ville Skyttä 2009-04-08 17:18:20 UTC

My apologies for suggesting this change to Fedora's mailcap without realizing
this issue, and too bad others didn't catch it either.  See my comments in the
upstream bug; I think there are other issues besides mailcap and firefox in
xdg-open use at least in KDE setups.

Comment 4 Patrice Dumas 2009-04-08 17:54:20 UTC

Also this issue may be more widespread than in firefox, since xdg-open is used as a viewer for some types of documents. The xdg-open option you propose should be right, though.

Comment 5 Miroslav Lichvar 2009-04-08 18:37:51 UTC

It looks like only the kde method in xdg-open is actually executing the file, the gnome, xfce and generic methods open it in an editor, but I'm not sure if this is always the case. I'd prefer to keep xdg-open in mailcap if possible and fix it in xdg-open and/or kfmclient.

Changing the "kfmclient exec" call in xdg-open to "kfmclient openURL" seems to help, a dialog asking before execution pops up. Is that good enough?

Comment 6 Rex Dieter 2009-04-08 18:50:28 UTC

kfmclient exec is bogus for kde4 anyway (doesn't work).

kfmclient openURL 'url' ['mimetype'] is the way to go (esp if able to provide the optional mimetype arg).

I can work to fix that part in xdg-open asap.

Comment 7 Rex Dieter 2009-04-08 19:35:31 UTC

xdg-utils:
%changelog
* Wed Apr 08 2009 Rex Dieter <rdieter> - 1.0.2-7.20081121cvs
- xdg-open: s/kfmclient exec/kfmclient openURL/ (CVE-2009-0068, rh#472010, fdo#19377)

There are more in-depth measures to take, but this is a good first try anyway.

Comment 8 Ville Skyttä 2009-04-09 18:02:27 UTC

I suppose that's better yes, but I don't know what you meant by kfmclient exec not working in kde4 - it does work for the use cases I've tried.

kfmclient openURL is probably an improvement, but it has (non-security) issues as well, but then again these are pretty much off topic for this bug:

- running it on a *non*-executable shell script prompts a "do you really want to execute [...]" dialog, and when I click yes, it doesn't actually execute the script but opens up an empty konqueror window _and_ XEmacs containing the script for me.

- It doesn't in most cases appear to honor my file associations or embedded/separate viewer settings but tries to open everything in konqueror using an embedded editor/viewer and only sometimes opens a separate program (in addition to konqueror)

Comment 9 Rex Dieter 2009-04-09 18:13:51 UTC

ok, not sure what I was smokin yesterday, but openURL certainly isn't an improvement, agreed.  ugh.

Comment 10 Miroslav Lichvar 2009-07-24 10:19:21 UTC

Assuming we want to keep xdg-open in mailcap, reassigning to xdg-utils.

Comment 11 Rex Dieter 2009-09-09 16:33:23 UTC

As I mentioned upstream,

With kde-4.3 landing, it includes additional restrictions on .desktop file handlind too, which (I believe) covers the original (upstream) report case.

For comment #2 , take away the chmod +x, and it opens using a text editor (the same behavior as if one clicked it in kde filebrowser).

Are there other cases not yet considered?

Comment 12 Rex Dieter 2009-09-13 19:35:00 UTC

closing->errata (as in fixed in kde-4.3).  
feel free to re-open if other unresolved cases can be found.