[Secure-testing-team] Bug#674089: mime-support: removed application/x-httpd-* can lead to immense security problems

Christoph Anton Mitterer calestyo at scientia.net
Wed May 23 00:59:59 UTC 2012


Package: mime-support
Version: 3.52-1
Severity: critical
Tags: security
Justification: breaks unrelated software


Hi.

In 3.52-1 you removed application/x-httpd-* to close #589384.

This happened without any notice in the NEWS files and I really
wonder whether any thought has been spent on what tremendous
security effects this can have.

Given that most people (reasonably) rely on /etc/mime.types
to determine the MIME type for files, e.g. with Apache, removal
of the above means e.g. that PHP scripts are no longer determined
as such, but now directly shown as text files.

With all security effects you can think of and all you even can't
think of.
And of course it breaks countless working installations
using e.g. PHP.


a) If you make such a tremendous change you have to announce it
in the release file.


b) Removing the type is definitely the wrong decision.
Apache provides many means to change the handlers and if all that
shouldn't work (which I doubt) one can simply disable the use of
/etc/mime.types.
It's not the business of mime.types to please any specific user, ...
like it seems to me with the aforementioned bug.
Nor should it be mime.types' business to please any software if that
was broken (but as said, Apache is not).



Obviously application/x-* are not official types, but if that was
the reason we'd have to remove much more than just the PHP ones.



Cheers,
Chris.


-- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.17-heisenberg (SMP w/2 CPU cores; PREEMPT)
Locale: LANG=en_DE.UTF-8, LC_CTYPE=en_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

mime-support depends on no packages.

Versions of packages mime-support recommends:
ii  file  5.11-1

mime-support suggests no packages.

-- no debconf information
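The following is an added example, not part of the bug report or of the mime-support package: it parses the /etc/mime.types table format (one type per line followed by its extensions, with `#` comments) and resolves a filename's extension against it, so an administrator can see which PHP extensions a given table still maps. The two tables are constructed excerpts mirroring the before/after state the report describes; the `load_mime_types` path default and the extension list in `php_unmapped` are assumptions.

```python
"""Resolve filenames against a mime.types-style table (the format Apache's
TypesConfig reads) and report PHP extensions the table no longer covers."""
import os
from typing import Dict, List, Optional

# Constructed excerpt in the style of mime-support before the x-httpd-* removal.
MIME_TYPES_BEFORE = """\
# MIME type (lowercased)        Extensions
application/x-httpd-php         phtml pht php
application/x-httpd-php-source  phps
text/html                       html htm
"""

# Constructed excerpt after the x-httpd-* lines were dropped.
MIME_TYPES_AFTER = """\
text/html                       html htm
"""


def parse_mime_types(text: str) -> Dict[str, str]:
    """Map each extension (lowercased) to its MIME type.

    Blank lines and '#' comments are skipped; a type with no extensions
    contributes nothing. If an extension appears twice, the later line
    wins in this simplified parser (an assumption, not Apache's rule)."""
    table: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        mime, *exts = line.split()
        for ext in exts:
            table[ext.lower()] = mime
    return table


def load_mime_types(path: str = "/etc/mime.types") -> Dict[str, str]:
    """Parse a real table from disk (path is an assumed default)."""
    with open(path, encoding="utf-8") as fh:
        return parse_mime_types(fh.read())


def lookup(filename: str, table: Dict[str, str]) -> Optional[str]:
    """Return the type for filename's extension, or None if the table has no
    entry (the file would then fall back to the server's default handling)."""
    ext = os.path.splitext(filename)[1].lstrip(".").lower()
    return table.get(ext) if ext else None


def php_unmapped(table: Dict[str, str]) -> List[str]:
    """PHP-related extensions (assumed list) that the table does not map."""
    return [e for e in ("php", "phtml", "pht", "phps") if e not in table]
```

If `php_unmapped` returns a non-empty list for the table your server reads, serving those extensions correctly depends entirely on the web server's own handler directives rather than on mime.types.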