- Package: src:xdg-utils
- Source: xdg-utils
- Submitter: Salvatore Bonaccorso
- Date: 2025-05-12 17:33:06 UTC
- Severity: important
- Tags:
Hi,

The following vulnerability was published for xdg-utils. The issue is there source-wise but is maybe less effective if #855859 is still a problem and does not actually work well with Thunderbird.

CVE-2020-27748[0]:
| local file inclusion vulnerability

It is not yet fixed upstream, see [1].

If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2020-27748
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-27748
[1] https://gitlab.freedesktop.org/xdg/xdg-utils/-/issues/177

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
Hi!

The proposed change offers to completely remove the `attach` parameter. I don't like to break existing features. We should elaborate a more convenient solution. For example, Evolution in the same case shows a warning about an attached hidden file. More generally, is it an issue if I can choose a secret file from the attachment dialog?
It appears that it only removes the attach parameter for Thunderbird in that commit. Perhaps that's because other mail clients handle hidden attachments better. With xdg-email as packaged now KMail does in fact show an extra large warning about a hidden attachment (IIRC they had a related CVE not too long ago), but attachments seem to be visible in Thunderbird in any case.

It appears upstream versions of Thunderbird don't respect the ?attach parameter in mailto URIs, but xdg-email parses the URI into Thunderbird-style command-line arguments. These, as given from xdg-email, are considered trusted input and honored, as opposed to if mailto:foo?attach=bar were given to Thunderbird directly. xdg-email's conversion thus causes a misinterpretation of trust by Thunderbird.

Thunderbird's intent to not support the ?attach parameter for untrusted clicks from browsers, but still allow non-URI command-line specified attachments seems a reasonable compromise. A solution which might let xdg-email practice the same is to honor the attachment, and convert it to a Thunderbird command-line parameter, if invoked as

    xdg-email --attach foo mailto:bar

but discard it if invoked as

    xdg-email mailto:bar?attach=foo

Indeed this seems to have been the intent from the description of the merge request: https://gitlab.freedesktop.org/xdg/xdg-utils/-/merge_requests/28

It looks like Reportbug's xdg-email backend uses the latter functionality, but it would probably be a trivial change to switch to the --attach form.
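A sketch of the split proposed above, added here as an example and not code from xdg-utils or the merge request: attachments are honoured only when given through an explicit --attach option, while any attach= key embedded in the mailto: URI is counted and discarded. The function names, the to='..',attachment='..' compose-string format and the sample paths in the comments are assumptions.

```sh
#!/bin/sh
# Added example, not xdg-utils code: turn a mailto: URI into a Thunderbird-style
# compose string, honouring attachments only from an explicit --attach option and
# discarding any attach= query parameter inside the URI (it may come from a page).
# Function names and the to='..',attachment='..' format are assumptions; no escaping.

# Parse "mailto:ADDR?k=v&k=v" and print the compose string; attach keys are dropped.
mailto_to_compose() {
    case $1 in mailto:*) ;; *) return 1 ;; esac
    rest=${1#mailto:}
    to=${rest%%\?*}
    query=
    case $rest in *\?*) query=${rest#*\?} ;; esac
    compose="to='$to'"
    dropped=0
    old_ifs=$IFS; IFS='&'; set -f           # split on '&' without globbing
    for kv in $query; do
        case $kv in *=*) key=${kv%%=*}; val=${kv#*=} ;; *) key=$kv; val= ;; esac
        case $key in
            subject|body|cc|bcc) compose="$compose,$key='$val'" ;;
            attach|attachment)   dropped=$((dropped + 1)) ;;   # untrusted: never forwarded
            *) ;;                                              # unknown keys are ignored
        esac
    done
    IFS=$old_ifs; set +f
    if [ "$dropped" -gt 0 ]; then
        printf 'ignored %d attach parameter(s) in URI\n' "$dropped" >&2
    fi
    printf '%s\n' "$compose"
}

# Command line: [--attach FILE]... mailto:URI
# --attach is trusted (the caller typed it); attach= inside the URI is not.
xdg_email_args() {
    target=; extra=
    while [ $# -gt 0 ]; do
        case $1 in
            --attach) [ $# -ge 2 ] || return 2
                      extra="$extra,attachment='$2'"; shift 2 ;;
            mailto:*) target=$1; shift ;;
            *)        return 2 ;;
        esac
    done
    [ -n "$target" ] || return 2
    compose=$(mailto_to_compose "$target") || return 1
    printf '%s\n' "$compose$extra"
}

if [ $# -gt 0 ]; then xdg_email_args "$@"; fi
```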
Thank you a lot for the clarifications. Things are now less vague. So the issue takes place only with Thunderbird, does it not?

I requested[1] Thunderbird developers to implement a warning that would give a hint about forcibly attached files. On our side, xdg-email could show a dialog box through Zenity to inform a user before starting Thunderbird. Alas, xdg-utils has no internationalization support yet and so the notice will be untranslated.

From that point, it is unclear to me what the difference is between these two invocations. One who is able to call xdg-email could just use the "--attach" argument. When I type these commands in a terminal, the difference is hardly visible.

I checked that browsers, Firefox and links, do not rely on xdg-utils, so web pages cannot exploit the issue. Atril uses GIO internally and does not utilize xdg-email. However, LibreOffice Writer uses xdg-open when clicking links. But xdg-open, for some reason, does not support the "?attach" parameter in the mailto: scheme. So I can't suggest a possible attack vector.

[1]: https://bugzilla.mozilla.org/show_bug.cgi?id=1613425#c20
Hi,

Upstream has merged fixes for this issue: https://gitlab.freedesktop.org/xdg/xdg-utils/-/merge_requests/89

Regards,
Salvatore