
Debian Bug report logs - #972146
/usr/share/applications/mono-runtime-common.desktop: should not handle MIME type by executing arbitrary code (CVE-2023-26314)


Reported by: Simon McVittie <smcv@debian.org>

Date: Tue, 13 Oct 2020 10:33:01 UTC

Severity: grave

Tags: patch, security

Found in versions mono/5.18.0.240+dfsg-3, mono/6.8.0.105+dfsg-3

Fixed in versions mono/6.8.0.105+dfsg-3.3, mono/6.8.0.105+dfsg-3.3~deb11u1

Done: Salvatore Bonaccorso <carnil@debian.org>



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, Debian Mono Group <pkg-mono-group@lists.alioth.debian.org>:
Bug#972146; Package mono-runtime-common. (Tue, 13 Oct 2020 10:33:03 GMT) (full text, mbox, link).


Acknowledgement sent to Simon McVittie <smcv@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, Debian Mono Group <pkg-mono-group@lists.alioth.debian.org>. (Tue, 13 Oct 2020 10:33:03 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Simon McVittie <smcv@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: /usr/share/applications/mono-runtime-common.desktop: should not handle MIME type by executing arbitrary code
Date: Tue, 13 Oct 2020 11:27:47 +0100
Package: mono-runtime-common
Version: 6.8.0.105+dfsg-3
Severity: important
File: /usr/share/applications/mono-runtime-common.desktop
Tags: security
X-Debbugs-Cc: Debian Security Team <team@security.debian.org>

/usr/share/applications/mono-runtime-common.desktop and
/usr/share/applications/mono-runtime-terminal.desktop are registered
as freedesktop.org MIME handlers for the application/x-ms-dos-executable
MIME type. They run the executable under mono(1) without any further
prompting. This means that doing normal "open a document" actions
will result in arbitrary code execution with normal user privileges:

- follow a web link to a downloadable file and accept the browser's
  offer to open it (mitigation: the user is prompted, and major
  browsers might special-case application/x-ms-dos-executable as
  particularly dangerous)
- follow a file:/// link in a non-web format that allows links, such
  as PDF
- open an email attachment
- xdg-desktop-portal forwarding an "open file" action from a Flatpak
  app (mitigation: this one involves user action to confirm which
  app should be used to open the file)

I don't think this is *necessarily* a security vulnerability, as such
(everything is doing what it is designed to do), but in 2020 it seems
deeply inadvisable. In particular, web browsers, email clients, and
sandboxed app frameworks like Flatpak and Snap, which are not generally
aware of the specifics of particular MIME types, have little choice but
to assume that opening a file is not normally arbitrary code execution.

The analogous MIME handling in Wine was removed in 2013
(<https://bugs.debian.org/327262>).

I would expect that Mono would either not handle
application/x-ms-dos-executable, or handle it with an application
that shows a "this is probably dangerous, are you sure?" prompt
first (like Wine used to do). I would personally prefer it
to not handle application/x-ms-dos-executable at all, due to
<https://en.wikipedia.org/wiki/Dancing_pigs>.

This was brought to my attention by a commit in GNOME's evince PDF
viewer which removes its "launch action" feature (part of the PDF spec,
but in practice mostly used by Windows malware) as a form of security
hardening. See <https://gitlab.gnome.org/GNOME/evince/-/issues/1333>
(I'm preparing an upload with the change referenced there), which uses
mono in its proof-of-concept.

Mitigation: GNOME users will find that org.gnome.FileRoller.desktop is a
preferred handler for application/x-ms-dos-executable. It isn't clear to
me how useful this really is (opening an executable as a zip-like archive
with "filenames" like .text and .bss seems more like a proof-of-concept
than something people would genuinely use) but at least it's harmless.
MATE's equivalent (fork?) of file-roller, engrampa, does the same.

Another mitigation: I was surprised to find that gnome-games-app also
associates itself with application/x-ms-dos-executable, alongside lots
of ROM formats (presumably so it can offer to run them in a sandbox
environment with Dosbox). This is hopefully OK, because gnome-games-app
hopefully has a lot more prompting and sandboxing than a general-purpose
program interpreter.

    smcv



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Mono Group <pkg-mono-group@lists.alioth.debian.org>:
Bug#972146; Package mono-runtime-common. (Tue, 04 May 2021 20:33:02 GMT) (full text, mbox, link).


Acknowledgement sent to Gabriel Corona <gabriel.corona@enst-bretagne.fr>:
Extra info received and forwarded to list. Copy sent to Debian Mono Group <pkg-mono-group@lists.alioth.debian.org>. (Tue, 04 May 2021 20:33:02 GMT) (full text, mbox, link).


Message #10 received at 972146@bugs.debian.org (full text, mbox, reply):

From: Gabriel Corona <gabriel.corona@enst-bretagne.fr>
To: 972146@bugs.debian.org
Subject: Re: /usr/share/applications/mono-runtime-common.desktop: should not handle MIME type by executing arbitrary code
Date: Tue, 4 May 2021 22:30:57 +0200
Hi,

Any update on this? This is actually very dangerous.

$ xdg-open hello.exe
Hello World!
$ cp hello.exe hello.ΡDF # <- actually not a P but a uppercase rho
$ xdg-open hello.PDF
Hello World!

Gabriel



Severity set to 'grave' from 'important' Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Tue, 18 May 2021 20:06:02 GMT) (full text, mbox, link).


Marked as found in versions mono/5.18.0.240+dfsg-3. Request was from Adrian Bunk <bunk@debian.org> to control@bugs.debian.org. (Sun, 23 May 2021 15:39:02 GMT) (full text, mbox, link).


Added tag(s) bullseye-ignore. Request was from Paul Gevers <elbrus@debian.org> to control@bugs.debian.org. (Fri, 30 Jul 2021 13:24:07 GMT) (full text, mbox, link).


Removed tag(s) bullseye-ignore. Request was from Paul Gevers <elbrus@debian.org> to control@bugs.debian.org. (Sat, 14 Aug 2021 17:57:22 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Mono Group <pkg-mono-group@lists.alioth.debian.org>:
Bug#972146; Package mono-runtime-common. (Tue, 17 Aug 2021 07:42:02 GMT) (full text, mbox, link).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Mono Group <pkg-mono-group@lists.alioth.debian.org>. (Tue, 17 Aug 2021 07:42:02 GMT) (full text, mbox, link).


Message #23 received at 972146@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: Gabriel Corona <gabriel.corona@enst-bretagne.fr>, 972146@bugs.debian.org
Subject: Re: Bug#972146: /usr/share/applications/mono-runtime-common.desktop: should not handle MIME type by executing arbitrary code
Date: Tue, 17 Aug 2021 09:39:29 +0200
Hi Mono Maintainers,

On Tue, May 04, 2021 at 10:30:57PM +0200, Gabriel Corona wrote:
> Hi,
> 
> Any update on this? This is actually very dangerous.
> 
> $ xdg-open hello.exe
> Hello World!
> $ cp hello.exe hello.ΡDF # <- actually not a P but a uppercase rho
> $ xdg-open hello.PDF
> Hello World!

Friendly ping on this issue. This issue was ignored for the bullseye
release, at least during the freeze. Any suggestion for its further
handling?

Regards,
Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Mono Group <pkg-mono-group@lists.alioth.debian.org>:
Bug#972146; Package mono-runtime-common. (Wed, 10 Nov 2021 21:21:05 GMT) (full text, mbox, link).


Acknowledgement sent to Gabriel Corona <gabriel.corona@enst-bretagne.fr>:
Extra info received and forwarded to list. Copy sent to Debian Mono Group <pkg-mono-group@lists.alioth.debian.org>. (Wed, 10 Nov 2021 21:21:05 GMT) (full text, mbox, link).


Message #28 received at 972146@bugs.debian.org (full text, mbox, reply):

From: Gabriel Corona <gabriel.corona@enst-bretagne.fr>
To: 972146@bugs.debian.org
Subject: Re: /usr/share/applications/mono-runtime-common.desktop: should not handle MIME type by executing arbitrary code
Date: Wed, 10 Nov 2021 22:17:55 +0100
Hi,

Any help needed for this?

Regards,

Gabriel



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Mono Group <pkg-mono-group@lists.alioth.debian.org>:
Bug#972146; Package mono-runtime-common. (Mon, 05 Dec 2022 21:00:02 GMT) (full text, mbox, link).


Acknowledgement sent to Gabriel Corona <gabriel.corona@enst-bretagne.fr>:
Extra info received and forwarded to list. Copy sent to Debian Mono Group <pkg-mono-group@lists.alioth.debian.org>. (Mon, 05 Dec 2022 21:00:02 GMT) (full text, mbox, link).


Message #33 received at 972146@bugs.debian.org (full text, mbox, reply):

From: Gabriel Corona <gabriel.corona@enst-bretagne.fr>
To: 972146@bugs.debian.org
Subject: Re: Bug#972146: /usr/share/applications/mono-runtime-common.desktop: should not handle MIME type by executing arbitrary code
Date: Mon, 5 Dec 2022 21:57:29 +0100
As a workaround, you should be able to disable this feature (and have 
the fix persist after a package update) with something like:

mkdir -p /usr/local/share/applications
cp /usr/share/applications/mono-runtime-*.desktop /usr/local/share/applications
sed -i 's/^Exec=.*/Exec=false/' /usr/local/share/applications/mono-runtime-*.desktop

Regards,

Gabriel
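The two mechanisms discussed in this thread are the MIME association in the `.desktop` file (Simon's report) and the override trick above (copying the file into a higher-priority `XDG_DATA_DIRS` entry with `Exec=false`). The following script is an added example written for this page, not code from the bug report or from the mono package: it audits a set of application directories for any `.desktop` file whose `MimeType=` list claims `application/x-ms-dos-executable`, and writes a no-op override for a given file into a directory of your choice. The function names and the use of `/usr/local/share/applications` as the default override directory are the example's own assumptions.

```bash
#!/bin/bash
# Added example (not from the bug report): audit freedesktop .desktop files
# for handlers of a MIME type that implies code execution, then neutralise a
# handler the way the workaround in the thread does (override copy with
# Exec=false in a data dir that precedes /usr/share in XDG_DATA_DIRS).
set -u

DANGEROUS_MIME="application/x-ms-dos-executable"

# Print "path<TAB>Exec value" for every .desktop file in the given directories
# whose MimeType= list contains $DANGEROUS_MIME. Returns 0 if at least one
# handler was found, 1 otherwise (so it can be used as a check in scripts).
find_dangerous_handlers() {
  local found=1 dir f mime exec_line
  for dir in "$@"; do
    [ -d "$dir" ] || continue
    for f in "$dir"/*.desktop; do
      [ -f "$f" ] || continue
      # MimeType is a semicolon-separated list; wrap it in ';' so that only a
      # whole entry matches, never a prefix such as x-ms-dos-executable-foo.
      mime=$(sed -n 's/^MimeType=//p' "$f" | head -n1)
      case ";${mime};" in
        *";${DANGEROUS_MIME};"*) ;;
        *) continue ;;
      esac
      exec_line=$(sed -n 's/^Exec=//p' "$f" | head -n1)
      printf '%s\t%s\n' "$f" "$exec_line"
      found=0
    done
  done
  return "$found"
}

# Write an override copy of .desktop file $1 into directory $2 (default
# /usr/local/share/applications, an assumption of this example) with the Exec
# line replaced by "false". Because both copies share the same desktop-file
# id, the launcher resolves the id to the first match in XDG_DATA_DIRS order,
# which is the harmless override rather than the original handler.
neutralise_handler() {
  local src="$1" dest_dir="${2:-/usr/local/share/applications}"
  mkdir -p "$dest_dir"
  sed 's/^Exec=.*/Exec=false/' "$src" > "$dest_dir/$(basename "$src")"
}

# Stand-alone usage: report handlers found in the usual system directories.
# (Run neutralise_handler as root on each reported path to apply the override.)
if [ "${BASH_SOURCE[0]}" = "$0" ]; then
  find_dangerous_handlers /usr/share/applications /usr/local/share/applications \
    || echo "no handler for $DANGEROUS_MIME found"
fi
```

The audit reports the `Exec=` value alongside each file so a reviewer can tell a harmless archive viewer (the file-roller case from the original report) from an interpreter that runs the file. If the desktop environment caches associations in `mimeinfo.cache`, running `update-desktop-database` afterwards keeps the cache consistent with the override.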




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Mono Group <pkg-mono-group@lists.alioth.debian.org>:
Bug#972146; Package mono-runtime-common. (Wed, 14 Dec 2022 09:42:02 GMT) (full text, mbox, link).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Mono Group <pkg-mono-group@lists.alioth.debian.org>. (Wed, 14 Dec 2022 09:42:03 GMT) (full text, mbox, link).


Message #38 received at 972146@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: 972146@bugs.debian.org
Subject: mono: diff for NMU version 6.8.0.105+dfsg-3.3
Date: Wed, 14 Dec 2022 10:39:14 +0100
[Message part 1 (text/plain, inline)]
Control: tags 972146 + patch


Dear maintainer,

I've prepared an NMU for mono (versioned as 6.8.0.105+dfsg-3.3). The diff
is attached to this message.

Regards,
Salvatore
[mono-6.8.0.105+dfsg-3.3-nmu.diff (text/x-diff, attachment)]

Added tag(s) patch. Request was from Salvatore Bonaccorso <carnil@debian.org> to 972146-submit@bugs.debian.org. (Wed, 14 Dec 2022 09:42:03 GMT) (full text, mbox, link).


Reply sent to Salvatore Bonaccorso <carnil@debian.org>:
You have taken responsibility. (Wed, 14 Dec 2022 10:57:03 GMT) (full text, mbox, link).


Notification sent to Simon McVittie <smcv@debian.org>:
Bug acknowledged by developer. (Wed, 14 Dec 2022 10:57:03 GMT) (full text, mbox, link).


Message #45 received at 972146-close@bugs.debian.org (full text, mbox, reply):

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: 972146-close@bugs.debian.org
Subject: Bug#972146: fixed in mono 6.8.0.105+dfsg-3.3
Date: Wed, 14 Dec 2022 10:54:34 +0000
Source: mono
Source-Version: 6.8.0.105+dfsg-3.3
Done: Salvatore Bonaccorso <carnil@debian.org>

We believe that the bug you reported is fixed in the latest version of
mono, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 972146@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated mono package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 09 Dec 2022 14:33:03 +0100
Source: mono
Architecture: source
Version: 6.8.0.105+dfsg-3.3
Distribution: unstable
Urgency: medium
Maintainer: Debian Mono Group <pkg-mono-group@lists.alioth.debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Closes: 972146
Changes:
 mono (6.8.0.105+dfsg-3.3) unstable; urgency=medium
 .
   * Non-maintainer upload.
   * Revert "Added desktop file for mono with and without a terminal window"
     (Closes: #972146)
Checksums-Sha1:
 a6328f64e65334e8efe493449680434b23e9d8dc 19796 mono_6.8.0.105+dfsg-3.3.dsc
 c8cf23f89c835a3defa9fd1652bc733eae9efe79 136532 mono_6.8.0.105+dfsg-3.3.debian.tar.xz
 1faf68312140181825c77a857369e2c884dd7678 4830 mono_6.8.0.105+dfsg-3.3_source.buildinfo
Checksums-Sha256:
 691db0a4657222707277448467e33f05f19fa8eb80bb91113828187cc6e2d544 19796 mono_6.8.0.105+dfsg-3.3.dsc
 0d62c1d1ef2f0b00420d41b0a30db6dd172f3f6bdd6cfc8a8abe8bff6a5d5fc8 136532 mono_6.8.0.105+dfsg-3.3.debian.tar.xz
 a244550c997733965abe6499a3f0bce52926e134ca0b60b12340e052b3f72248 4830 mono_6.8.0.105+dfsg-3.3_source.buildinfo
Files:
 300c8a5c48320caa038d5ef742f6a8e5 19796 cli-mono optional mono_6.8.0.105+dfsg-3.3.dsc
 154fbda976a4c7a362336030aed8ba4e 136532 cli-mono optional mono_6.8.0.105+dfsg-3.3.debian.tar.xz
 8c31bf51e44371e238f854abc5b4c97c 4830 cli-mono optional mono_6.8.0.105+dfsg-3.3_source.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Mono Group <pkg-mono-group@lists.alioth.debian.org>:
Bug#972146; Package mono-runtime-common. (Thu, 16 Feb 2023 22:45:02 GMT) (full text, mbox, link).


Acknowledgement sent to Gabriel Corona <gabriel.corona@enst-bretagne.fr>:
Extra info received and forwarded to list. Copy sent to Debian Mono Group <pkg-mono-group@lists.alioth.debian.org>. (Thu, 16 Feb 2023 22:45:02 GMT) (full text, mbox, link).


Message #50 received at 972146@bugs.debian.org (full text, mbox, reply):

From: Gabriel Corona <gabriel.corona@enst-bretagne.fr>
To: 972146@bugs.debian.org
Cc: security@debian.org
Subject: Re: /usr/share/applications/mono-runtime-common.desktop: should not handle MIME type by executing arbitrary code
Date: Thu, 16 Feb 2023 23:37:57 +0100
Hi,

Thanks for the patch!

This has been fixed in Debian testing and sid. However, stable is still 
affected. I believe it would make sense to port the patch to stable and 
allocate a CVE for this.

Regards,

Gabriel




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Mono Group <pkg-mono-group@lists.alioth.debian.org>:
Bug#972146; Package mono-runtime-common. (Fri, 17 Feb 2023 21:39:02 GMT) (full text, mbox, link).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Mono Group <pkg-mono-group@lists.alioth.debian.org>. (Fri, 17 Feb 2023 21:39:02 GMT) (full text, mbox, link).


Message #55 received at 972146@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: Gabriel Corona <gabriel.corona@enst-bretagne.fr>, 972146@bugs.debian.org
Cc: security@debian.org
Subject: Re: Bug#972146: /usr/share/applications/mono-runtime-common.desktop: should not handle MIME type by executing arbitrary code
Date: Fri, 17 Feb 2023 22:34:18 +0100
Hi Gabriel,

On Thu, Feb 16, 2023 at 11:37:57PM +0100, Gabriel Corona wrote:
> Hi,
> 
> Thanks for the patch!

Thanks for staying on top of the issue!
> 
> This has been fixed in Debian testing and sid. However, stable is still
> affected. I believe it would make sense to port the patch to stable and
> allocate a CVE for this.

The last upload to unstable as NMU was, for me personally, too near to
the point release before Christmas. A while has passed, and I have now
proposed the same change for bullseye as well, cf. #1031527. Thanks
for pinging again on it, much appreciated! So the issue will/should be
fixed as well with the upcoming point release.

There is no CVE assigned; if you feel strongly about it, can you try to
get one allocated by MITRE via the cveform? I think we won't go through
the needed workflow to assign a Debian specific CVE id for it. But we
will see what MITRE will respond on the request.

Regards,
Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Mono Group <pkg-mono-group@lists.alioth.debian.org>:
Bug#972146; Package mono-runtime-common. (Sat, 18 Feb 2023 11:09:03 GMT) (full text, mbox, link).


Acknowledgement sent to Gabriel Corona <gabriel.corona@enst-bretagne.fr>:
Extra info received and forwarded to list. Copy sent to Debian Mono Group <pkg-mono-group@lists.alioth.debian.org>. (Sat, 18 Feb 2023 11:09:03 GMT) (full text, mbox, link).


Message #60 received at 972146@bugs.debian.org (full text, mbox, reply):

From: Gabriel Corona <gabriel.corona@enst-bretagne.fr>
To: Salvatore Bonaccorso <carnil@debian.org>
Cc: 972146@bugs.debian.org, security@debian.org
Subject: Re: Bug#972146: /usr/share/applications/mono-runtime-common.desktop: should not handle MIME type by executing arbitrary code
Date: Sat, 18 Feb 2023 12:04:27 +0100
Hi!

> A while has passed, and have now proposed the same change for bullseye
> as well, cf. #1031527.

Great!

> There is no CVE assigned; if you feel strongly about it, can you try to
> get one allocated by MITRE via the cveform? I think we won't go through
> the needed workflow to assign a Debian specific CVE id for it. But we
> will see what MITRE will respond on the request.

I don't believe MITRE will accept such a request and redirect me to 
Debian [1].

I believe obtaining a CVE ID would be beneficial so that this issue may 
be tracked by downstream projects/distributions.

[1] https://www.cve.org/PartnerInformation/ListofPartners/partner/debian

Regards,

Gabriel




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Mono Group <pkg-mono-group@lists.alioth.debian.org>:
Bug#972146; Package mono-runtime-common. (Sat, 18 Feb 2023 18:33:06 GMT) (full text, mbox, link).


Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Debian Mono Group <pkg-mono-group@lists.alioth.debian.org>. (Sat, 18 Feb 2023 18:33:06 GMT) (full text, mbox, link).


Message #65 received at 972146@bugs.debian.org (full text, mbox, reply):

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Gabriel Corona <gabriel.corona@enst-bretagne.fr>
Cc: 972146@bugs.debian.org, security@debian.org
Subject: Re: Bug#972146: /usr/share/applications/mono-runtime-common.desktop: should not handle MIME type by executing arbitrary code
Date: Sat, 18 Feb 2023 19:31:40 +0100
On Sat, Feb 18, 2023 at 12:04:27PM +0100, Gabriel Corona wrote:
> I believe obtaining a CVE ID would be beneficial so that this issue may be
> tracked by downstream projects/distributions.

All those distros were notified via your post to oss-security. You can
try cveform, if there's no assignment via that channel, that's about it.

In the past assigning CVEs for Debian was simple, but with some recent changes
it has become a complicated, time-consuming process and now we only do it
in select cases.

Cheers,
        Moritz



Reply sent to Salvatore Bonaccorso <carnil@debian.org>:
You have taken responsibility. (Sat, 18 Feb 2023 19:33:05 GMT) (full text, mbox, link).


Notification sent to Simon McVittie <smcv@debian.org>:
Bug acknowledged by developer. (Sat, 18 Feb 2023 19:33:05 GMT) (full text, mbox, link).


Message #70 received at 972146-close@bugs.debian.org (full text, mbox, reply):

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: 972146-close@bugs.debian.org
Subject: Bug#972146: fixed in mono 6.8.0.105+dfsg-3.3~deb11u1
Date: Sat, 18 Feb 2023 19:32:08 +0000
Source: mono
Source-Version: 6.8.0.105+dfsg-3.3~deb11u1
Done: Salvatore Bonaccorso <carnil@debian.org>

We believe that the bug you reported is fixed in the latest version of
mono, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 972146@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated mono package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 17 Feb 2023 06:30:39 +0100
Source: mono
Architecture: source
Version: 6.8.0.105+dfsg-3.3~deb11u1
Distribution: bullseye
Urgency: medium
Maintainer: Debian Mono Group <pkg-mono-group@lists.alioth.debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Closes: 972146
Changes:
 mono (6.8.0.105+dfsg-3.3~deb11u1) bullseye; urgency=medium
 .
   * Rebuild for bullseye
 .
 mono (6.8.0.105+dfsg-3.3) unstable; urgency=medium
 .
   * Non-maintainer upload.
   * Revert "Added desktop file for mono with and without a terminal window"
     (Closes: #972146)
Checksums-Sha1:
 d299482a99e07ddf029a7af708349fbe7ce2c298 19828 mono_6.8.0.105+dfsg-3.3~deb11u1.dsc
 a1384f42844a91fe0694a53294b7ad80602b5a98 136612 mono_6.8.0.105+dfsg-3.3~deb11u1.debian.tar.xz
 391ef1d5d5fed5e5d8eaf70723ea44ef2f3fc19a 8639 mono_6.8.0.105+dfsg-3.3~deb11u1_source.buildinfo
Checksums-Sha256:
 c80858ad5831da11c1d2f41d737d98ad1799837a03c736b02b2ff971e908a853 19828 mono_6.8.0.105+dfsg-3.3~deb11u1.dsc
 ead2d8f25eee6a9583e2d721cf5f1798ef8620b1f7c5d335ee825669a63e74b8 136612 mono_6.8.0.105+dfsg-3.3~deb11u1.debian.tar.xz
 ad5250a2be26d40c9673a449ba04c016716de0eee8bd0e2db9aa2ffcfa38114e 8639 mono_6.8.0.105+dfsg-3.3~deb11u1_source.buildinfo
Files:
 59881fe1fbb0d47eee63b9cad4bb49a3 19828 cli-mono optional mono_6.8.0.105+dfsg-3.3~deb11u1.dsc
 07164271ff2a0471649877da2eea4801 136612 cli-mono optional mono_6.8.0.105+dfsg-3.3~deb11u1.debian.tar.xz
 97a141996471fbd9db3d6716550928ae 8639 cli-mono optional mono_6.8.0.105+dfsg-3.3~deb11u1_source.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----




Changed Bug title to '/usr/share/applications/mono-runtime-common.desktop: should not handle MIME type by executing arbitrary code (CVE-2023-26314)' from '/usr/share/applications/mono-runtime-common.desktop: should not handle MIME type by executing arbitrary code'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Wed, 22 Feb 2023 06:54:02 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Mono Group <pkg-mono-group@lists.alioth.debian.org>:
Bug#972146; Package mono-runtime-common. (Wed, 22 Feb 2023 06:57:03 GMT) (full text, mbox, link).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Mono Group <pkg-mono-group@lists.alioth.debian.org>. (Wed, 22 Feb 2023 06:57:03 GMT) (full text, mbox, link).


Message #77 received at 972146@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: Gabriel Corona <gabriel.corona@enst-bretagne.fr>, 972146@bugs.debian.org
Cc: security@debian.org
Subject: Re: Bug#972146: /usr/share/applications/mono-runtime-common.desktop: should not handle MIME type by executing arbitrary code
Date: Wed, 22 Feb 2023 07:53:23 +0100
Hi Gabriel,

On Sat, Feb 18, 2023 at 12:04:27PM +0100, Gabriel Corona wrote:
> Hi!
> 
> > A while has passed, and have now proposed the same change for bullseye
> > as well, cf. #1031527.
> 
> Great!
> 
> > There is no CVE assigned; if you feel strongly about it, can you try to
> > get one allocated by MITRE via the cveform? I think we won't go through
> > the needed workflow to assign a Debian specific CVE id for it. But we
> > will see what MITRE will respond on the request.
> 
> I don't believe MITRE will accept such a request and redirect me to Debian
> [1].

I requested one directly from MITRE, it is now
https://www.cve.org/CVERecord?id=CVE-2023-26314 .

Regards,
Salvatore





Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Feb 22 13:07:27 2023; Machine Name: buxtehude

Debian Bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.