xdg-email changes break simple-scan email functionality

Bug #1909941 reported by Andy Juniper on 2021-01-03
This bug affects 3 people
Affects: xdg-utils (Ubuntu)
Importance: Undecided
Assigned to: Unassigned

Bug Description

Observed on 16.04 to 20.04
xdg-email no longer actions "-attach filename" arguments when running thunderbird following recent security fixes to protect against malicious use from browser ( https://security-tracker.debian.org/tracker/CVE-2020-27748 and https://ubuntu.com/security/CVE-2020-27748 )

This breaks simple-scan "send by email" functionality and other applications too.

https://gitlab.gnome.org/GNOME/simple-scan/-/issues/216
https://forums.linuxmint.com/viewtopic.php?f=208&t=336053
https://gitlab.freedesktop.org/xdg/xdg-utils/-/merge_requests/28 (see comments)

Nicholas Guriev (mymedia) wrote :

There is an old similar bug, #1540399, yet it is unclear how it relates to the current one.

Andy Juniper (q-linux) wrote :

This is different to the old bug. Prior to the recent change to xdg-email, simple scan "send by email" was working fine.

I think that the problem is because xdg-email assembles command line arguments such as -attach to form a mailto: URL and passes that to run_thunderbird, which recently got changed to drop the attachment field from the mailto: url (I think on the assumption that the mailto: url could only come from a browser click).

The proper fix would probably be to break any command line mailto: URL down into component parts and drop any "attach" argument before reassembling as today, and reinstate the code removed in the recent change.

In the above simple-scan bug report I added a patch which just reinstated the original code but only if the caller is not Chrome/Chromium as those are the only browsers in question in my environment (Firefox appears to call Thunderbird directly).
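The fix described above (break a caller-supplied mailto: URL into its parts, drop any attach field, then append only the attachments given as explicit arguments) can be sketched in POSIX sh, which is what xdg-email is written in. This is an added illustration, not xdg-utils code: the function names strip_mailto_attach and mailto_from_args are invented, the sample addresses and file paths are constructed, and it does not percent-encode paths the way the real script does.

```shell
#!/bin/sh
# Added example, not part of xdg-utils. Attachments may only originate from
# explicit --attach arguments (as simple-scan passes them); an attach= field
# inside a mailto: URL received from elsewhere (e.g. a clicked link) is dropped.

# strip_mailto_attach URL
# Prints URL with every attach=/attachment= query field removed.
# Non-mailto input is printed unchanged.
strip_mailto_attach() {
    url=$1
    case $url in
        mailto:*) ;;
        *) printf '%s\n' "$url"; return 0 ;;
    esac
    body=${url#mailto:}
    case $body in
        *\?*) addr=${body%%\?*}; rest=${body#*\?} ;;
        *)    addr=$body; rest= ;;
    esac
    kept=
    while [ -n "$rest" ]; do
        case $rest in
            *\&*) field=${rest%%\&*}; rest=${rest#*\&} ;;
            *)    field=$rest; rest= ;;
        esac
        [ -n "$field" ] || continue
        key=${field%%=*}
        # RFC 6068 header names are case-insensitive, so compare lower-cased
        lkey=$(printf '%s' "$key" | tr 'A-Z' 'a-z')
        case $lkey in
            attach|attachment) continue ;;
        esac
        if [ -n "$kept" ]; then kept="$kept&$field"; else kept=$field; fi
    done
    if [ -n "$kept" ]; then
        printf 'mailto:%s?%s\n' "$addr" "$kept"
    else
        printf 'mailto:%s\n' "$addr"
    fi
}

# mailto_from_args ADDRESS_OR_MAILTO [FILE ...]
# Builds the URL handed to the mailer: the recipient part is sanitised first,
# then each explicitly requested file is appended as its own attach= field.
mailto_from_args() {
    case $1 in
        mailto:*) url=$(strip_mailto_attach "$1") ;;
        *)        url="mailto:$1" ;;
    esac
    shift
    for f in "$@"; do
        # use an absolute path so the mailer does not resolve it against its own cwd
        case $f in /*) ;; *) f=$PWD/$f ;; esac
        case $url in *\?*) sep='&' ;; *) sep='?' ;; esac
        url="$url${sep}attach=$f"
    done
    printf '%s\n' "$url"
}

# Demo on constructed input: the link-supplied attachment is dropped, the
# explicit one survives.
mailto_from_args 'mailto:bob@example.com?subject=scan&attach=/home/user/secret.txt' /tmp/scan.pdf
```

Run it with sh; the demo prints mailto:bob@example.com?subject=scan&attach=/tmp/scan.pdf. The split into two functions is the point: the sanitiser is applied exactly once, to the untrusted URL, and never to the attachments the caller asked for by name, which is what the reverted change got wrong by stripping the field after xdg-email had itself built it.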

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in xdg-utils (Ubuntu):
status: New → Confirmed

Leonidas S. Barbosa (leosilvab) wrote :

I'll revert that patch/update and issue a new one asap.
Thanks

Leonidas S. Barbosa (leosilvab) wrote :

Hi,
There is a new version of this package in security-proposed [1] with the patch/update reverted; feel free to test it and check if the functionality is back. Thanks

[1] https://launchpad.net/~ubuntu-security-proposed/+archive/ubuntu/ppa/+packages?field.name_filter=xdg-utils&field.status_filter=published&field.series_filter=

Dik (dikiy-evrej) wrote :

I'm using claws-mail, and it is broken too.

Dik (dikiy-evrej) wrote :

I tried the updated version of a package. It is still broken.

Hi @Dik, could you please provide the package, the release and the version, and any steps to reproduce.

Regarding xdg-utils, the whole patch was reverted/deleted, so I don't see how it can be related.

Dik (dikiy-evrej) wrote :

$ dpkg-query -s xdg-utils
Package: xdg-utils
Status: install ok installed
Priority: optional
Section: utils
Installed-Size: 320
Maintainer: Ubuntu Developers <email address hidden>
Architecture: all
Multi-Arch: foreign
Version: 1.1.3-2ubuntu1.20.04.2

$ dpkg-query -s claws-mail
Package: claws-mail
Status: install ok installed
Priority: optional
Section: mail
Installed-Size: 4280
Maintainer: Ubuntu Developers <email address hidden>
Architecture: amd64
Multi-Arch: foreign
Version: 3.17.5-2

$ xdg-email --attach Documents/file.jpg

Dik (dikiy-evrej) wrote :

claws-mail reports "File P\ doesn't exist or permission denied". Moreover, when I try to send from simple-scan, the same error occurs and the browser dillo opens with the URL "mailto:?filename=xxxxxx.pdf"

Dik (dikiy-evrej) wrote :

I mean the URL of dillo is: mailto:?attach=/tmp/simple-scan-IMU3W0/scan.pdf

I did try in my focal VM with both xdg-utils and claws-mail and it worked here (see attached image). In claws it opened some gtk stuff, with settings steps and a window with the message to be composed and the attached file.

Maybe someone else in this bug/thread has any idea what is happening.
As the security update was already reverted, I don't see any way it can be related to the security update.

It seems to be another error in claws-mail, not related to the xdg-utils
vulnerability. Please file a separate bug against the claws-mail
package. I ran "xdg-email --attach test.txt <email address hidden>" via
strace and had the following in the terminal.

ubuntu@ubuntu:~$ LANG=C.UTF-8 apt-cache policy xdg-utils claws-mail
xdg-utils:
  Installed: 1.1.3-2ubuntu1.20.04.2
  Candidate: 1.1.3-2ubuntu1.20.04.2
  Version table:
 *** 1.1.3-2ubuntu1.20.04.2 500
        500 http://security.ubuntu.com/ubuntu focal-security/main amd64 Packages
        500 http://archive.ubuntu.com/ubuntu focal-updates/main amd64 Packages
        100 /var/lib/dpkg/status
     1.1.3-2ubuntu1 500
        500 http://archive.ubuntu.com/ubuntu focal/main amd64 Packages
claws-mail:
  Installed: 3.17.5-2
  Candidate: 3.17.5-2
  Version table:
 *** 3.17.5-2 500
        500 http://archive.ubuntu.com/ubuntu focal/universe amd64 Packages
        100 /var/lib/dpkg/status

ubuntu@ubuntu:~$ echo qwerty >test.txt
ubuntu@ubuntu:~$ strace -s 256 -f -qq -e 'trace=%process' -e 'signal=!all' -P `which claws-mail` env LANG=C.UTF-8 xdg-email --attach test.txt <email address hidden>
execve("/usr/bin/claws-mail", ["claws-mail", "mailto:<email address hidden>?attach=/home/ubuntu/test.txt"], 0x555673c99df0 /* 51 vars */) = 0
Gtk-Message: 19:53:06.153: Failed to load module "canberra-gtk-module"
/home/ubuntu/.claws-mail/toolbar_compose.xml: fopen: No such file or directory

(claws-mail:6012): Claws-Mail-WARNING **: 19:53:06.754: can't open signature file: '/home/ubuntu/.signature'
ubuntu@ubuntu:~$

I had changed default mail application to Claws Mail. It displayed a
strange error message, "File Reply-To: doesn't exist or permission
denied". See my attached screenshot.

Nicholas Guriev (mymedia) wrote :

On Tue, 2021-01-12 at 17:30 +0000, Dik wrote:
> claws-mail reports "File P\ doesn't exist or permission denied".
> Moreover, when I try to send from simple-scan, the same error occurs +
> opens browser dillo with a URL "mailto:?filename=xxxxxx.pdf"

Please also keep in mind that xdg-email behaves differently depending on
the XDG_CURRENT_DESKTOP environment variable. Which DE do you use? You
can find out what command is actually executed using "bash -x" or even
strace. And note, with running browser, there is another upstream issue.

  https://gitlab.freedesktop.org/xdg/xdg-utils/-/merge_requests/13

Or more precisely, it is a merge request.

Dik (dikiy-evrej) wrote :

XDG_CURRENT_DESKTOP is set to i3, but under MATE I have this problem too.

Dik (dikiy-evrej) wrote :

I figured out that claws-mail can't handle the command

claws-mail --compose "mailto:?attach=/home/dik/tmp/file.key"

Dik (dikiy-evrej) wrote :

It seems that support for attach was removed from Thunderbird and claws-mail for security reasons. So xdg-email needs to change the command line it uses to invoke an e-mail program.

Andy Juniper (q-linux) wrote :

@dikiy-evrej I don't think that the recent change was in Thunderbird. The recent change here was to drop the attach= parameter from the mailto URL passed to Thunderbird, so that if you click a malicious mailto link in e.g. Chrome, it can't trick you into sending arbitrary files.

Problem was that xdg-email parses its command line arguments - supplied by e.g. simple-scan - and converts them to a mailto URL with attach= parameter - which it then drops before calling TB.

My hack in the simple-scan bug above is to only drop the attach parameter if the caller is Chrome or Chromium as those are the browsers used in my environment, but a better fix is required...

Andy Juniper (q-linux) wrote :

Have verified that on 16.04, simple-scan to email now works again following the reversion of the original fix.

Dik (dikiy-evrej) wrote :

And 18.04? (focal)

Dik (dikiy-evrej) wrote :

Just tested claws-mail 3.17.8 -- it works. But 3.17.5 -- doesn't. So, seems to be a problem in claws-mail

Andy Juniper (q-linux) wrote :

I don't have an 18.04 to test but 20.04 is OK with Thunderbird again.
