Package: smpeg-plaympeg Version: 0.4.5+cvs20030824-9 Tags: patch, security Dear Maintainer, the smpeg-plaympeg package has mailcap entries with quoted %-escapes. That is considered unsafe. Proper escaping should be left to the programs using the entry.
This Lintian tag is triggered: https://lintian.debian.org/tags/quoted-placeholder-in-mailcap-entry.html See also grave bug #930908, which was recently closed because "a Lintian test already exists": https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=930908 I'm using the "security" tag because the affected rules in combination with certain mail user agents (or document openers) are the cause of a shell command injection vulnerability. If you need more information let me know. Thanks, MNZ
diff --git a/debian/smpeg-gtv.mime b/debian/smpeg-gtv.mime index 36d543c..3833e00 100644 --- a/debian/smpeg-gtv.mime +++ b/debian/smpeg-gtv.mime @@ -1,2 +1,2 @@ -audio/mpeg; /usr/bin/gtv '%s'; description="MPEG audio files"; test=test -n "$DISPLAY"; priority=2 -video/mpeg; /usr/bin/gtv '%s'; description="MPEG video files"; test=test -n "$DISPLAY"; priority=7 +audio/mpeg; /usr/bin/gtv %s; description="MPEG audio files"; test=test -n "$DISPLAY"; priority=2 +video/mpeg; /usr/bin/gtv %s; description="MPEG video files"; test=test -n "$DISPLAY"; priority=7 diff --git a/debian/smpeg-plaympeg.mime b/debian/smpeg-plaympeg.mime index 4d97bac..7bdc0f5 100644 --- a/debian/smpeg-plaympeg.mime +++ b/debian/smpeg-plaympeg.mime @@ -1,2 +1,2 @@ -audio/mpeg; /usr/bin/plaympeg '%s'; description="MPEG audio files"; priority=2 -video/mpeg; /usr/bin/plaympeg '%s'; description="MPEG video files"; test=test -n "$DISPLAY"; priority=7 +audio/mpeg; /usr/bin/plaympeg %s; description="MPEG audio files"; priority=2 +video/mpeg; /usr/bin/plaympeg %s; description="MPEG video files"; test=test -n "$DISPLAY"; priority=7