Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian....@packages.debian.org
Usertags: pu
There was a recent non-critical CVE issued for most:

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=848132
https://security-tracker.debian.org/tracker/CVE-2016-1253

The fix (a debdiff is attached) is this one-liner that changes single quotes to double quotes.

Regards,
Mako

-- System Information:
Debian Release: stretch/sid
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.8.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
diff -u most-5.0.0a/debian/changelog most-5.0.0a/debian/changelog --- most-5.0.0a/debian/changelog +++ most-5.0.0a/debian/changelog @@ -1,3 +1,11 @@ +most (5.0.0a-2.3+deb8u1) stable-proposed-updates; urgency=high + + * lzma-support.patch: + - Fix CVE-2016-1253: shell injection attack when opening + lzma-compressed files (Closes: #848132) + + -- Benjamin Mako Hill <m...@debian.org> Tue, 20 Dec 2016 16:52:16 -0800 + most (5.0.0a-2.3) unstable; urgency=low * Non-maintainer upload. diff -u most-5.0.0a/src/file.h most-5.0.0a/src/file.h --- most-5.0.0a/src/file.h +++ most-5.0.0a/src/file.h @@ -22,7 +22,7 @@ #define MOST_MAX_FILES 4096 #define MOST_GUNZIP_POPEN_FORMAT "gzip -dc \"%s\"" #define MOST_BZIP2_POPEN_FORMAT "bzip2 -dc \"%s\"" -#define MOST_LZMA_POPEN_FORMAT "lzma -dc '%s'" +#define MOST_LZMA_POPEN_FORMAT "lzma -dc \"%s\"" extern void most_reread_file (void); extern void most_read_to_line (int);
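Review bot: the changelog entry attributes the fix to lzma-support.patch, but the debdiff changes most-5.0.0a/src/file.h directly and shows nothing under debian/patches/, so the entry and the diff do not describe the same place; either carry the change in the patch file the entry names, or word the entry as "src/file.h: fix CVE-2016-1253 ..." so the next uploader can locate it. The version (5.0.0a-2.3+deb8u1), target suite (stable-proposed-updates) and Closes: #848132 all match the bug linked in the report.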
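Review bot: changing MOST_LZMA_POPEN_FORMAT to double quotes makes it consistent with the gzip and bzip2 formats on the two lines above it, but the result is still a command line handed to /bin/sh by popen(), and inside double quotes the shell still interprets `"`, `$`, backtick and backslash, so a filename containing any of those is still parsed by the shell rather than passed literally. This closes the single-quote case reported in #848132 but not the underlying pattern; a more robust fix is to stop building a command string and fork/exec the decompressor with the filename as its own argv element (or, at minimum, escape those four characters before formatting), and to apply the same treatment to all three POPEN_FORMAT macros rather than only the lzma one.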
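As an added example that is not part of this report or of most's own code, this is the no-shell alternative to a popen() format string: the decompressor is fork/exec'd with the filename as a separate argv element, so the filename needs no quoting at all and shell metacharacters in it are never interpreted. The helper names (popen_argv, read_first_line) are assumptions, and echo stands in for lzma so the code runs without an .lzma file.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* popen()-style helper that never invokes /bin/sh: the child execs argv[]
 * directly, so the filename is a single argv element, not shell input. */
static FILE *popen_argv(char *const argv[], pid_t *pid_out)
{
    int fds[2];
    if (pipe(fds) < 0)
        return NULL;
    pid_t pid = fork();
    if (pid < 0) {
        close(fds[0]); close(fds[1]);
        return NULL;
    }
    if (pid == 0) {                 /* child: stdout -> pipe, then exec */
        dup2(fds[1], STDOUT_FILENO);
        close(fds[0]); close(fds[1]);
        execvp(argv[0], argv);
        _exit(127);                 /* exec failed */
    }
    close(fds[1]);                  /* parent keeps the read end */
    *pid_out = pid;
    return fdopen(fds[0], "r");
}

/* Run `prog -dc filename` (what MOST_LZMA_POPEN_FORMAT does through the
 * shell) and copy its first output line into buf. Returns the child's exit
 * status, or -1 on failure. prog is "lzma" in most; any program works here. */
static int read_first_line(const char *prog, const char *filename,
                           char *buf, size_t len)
{
    char *argv[] = { (char *)prog, "-dc", (char *)filename, NULL };
    pid_t pid;
    int status;
    FILE *fp = popen_argv(argv, &pid);
    if (fp == NULL)
        return -1;
    if (fgets(buf, (int)len, fp) == NULL)
        buf[0] = '\0';
    fclose(fp);
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    buf[strcspn(buf, "\n")] = '\0';
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```

With echo as the program, a constructed filename containing a double quote, `$HOME` and backticks comes back byte-for-byte unchanged, which is the check to run against any replacement for the popen() call.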