Package: urlview
Version: 0.9-23.1
Severity: important
Tags: security upstream
X-Debbugs-Cc: Debian Security Team <t...@security.debian.org>

Because urlview passes the URL as an argument, the URL can be visible to everyone with commands like ps, while the URL may contain private information, e.g. used for authentication. Thus its use is insecure on machines with several users.

So it should provide a way to pass the URL via a pipe. For instance, this can be useful with xclip (the user can then paste the URL to the web browser).

Moreover, when the URL is to be passed as an argument, a warning should be displayed by default about this issue.

-- System Information:
Debian Release: trixie/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'stable-updates'), (500, 'stable-security'), (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 'experimental')
merged-usr: no
Architecture: amd64 (x86_64)

Kernel: Linux 6.3.0-1-amd64 (SMP w/8 CPU threads; PREEMPT)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=POSIX, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages urlview depends on:
ii  libc6           2.37-7
ii  libncursesw6    6.4+20230625-2
ii  libtinfo6       6.4+20230625-2
ii  sensible-utils  0.0.20

Versions of packages urlview recommends:
ii  elinks [www-browser]        0.16.1.1-4
ii  firefox [www-browser]       116.0-2
hi  firefox-esr [www-browser]   92.0-local
ii  lynx [www-browser]          2.9.0dev.12-1
ii  opera-stable [www-browser]  101.0.4843.33
ii  w3m [www-browser]           0.5.3+git20230121-2

Versions of packages urlview suggests:
ii  lftp  4.9.2-2+b1
ii  mutt  2.2.9-1+b1
ii  wget  1.21.3-1+b2

-- no debconf information

-- 
Vincent Lefèvre <vinc...@vinc17.net> - Web: <https://www.vinc17.net/>
100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/>
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)
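
Added example, not part of the bug report and not urlview code: a Linux-only check that hands the same URL to a child process once as an argument and once over a pipe, then reads /proc/<pid>/cmdline (the data ps displays) to see whether the URL is exposed. The URL, the child stand-in and the function names are constructed for illustration.

```python
import subprocess
import sys

# Constructed sample URL carrying a secret; not taken from the bug report.
URL = "https://example.invalid/login?token=constructed-secret-123"

# Hypothetical stand-in for a URL handler: takes the URL from argv[1] if
# present, otherwise from the first line of stdin, reports the length it got,
# then blocks until the parent closes stdin.
CHILD = (
    "import sys\n"
    "u = sys.argv[1] if len(sys.argv) > 1 else sys.stdin.readline().strip()\n"
    "print(len(u), flush=True)\n"
    "sys.stdin.read()\n"
)

def visible_argv(pid):
    """Argument vector of a process as ps reads it on Linux."""
    with open(f"/proc/{pid}/cmdline", "rb") as f:
        return [a.decode(errors="replace") for a in f.read().split(b"\0") if a]

def hand_over(url, via_argv):
    """Start the handler, pass it the URL, and return
    (length the child received, whether the URL shows in its argv)."""
    cmd = [sys.executable, "-c", CHILD] + ([url] if via_argv else [])
    p = subprocess.Popen(cmd, stdin=subprocess.PIPE, stdout=subprocess.PIPE, text=True)
    try:
        if not via_argv:
            p.stdin.write(url + "\n")  # pipe contents never enter argv
            p.stdin.flush()
        received = int(p.stdout.readline())  # child now holds the URL
        exposed = any(url in arg for arg in visible_argv(p.pid))
    finally:
        p.stdin.close()
        p.wait()
        p.stdout.close()
    return received, exposed

if __name__ == "__main__":
    for mode in (True, False):
        got, exposed = hand_over(URL, via_argv=mode)
        print("argv " if mode else "stdin", "received:", got, "visible in ps:", exposed)
```

In both modes the child receives the full URL; only the argument mode leaves it readable in the process listing.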