Bug#982951: vorbis-tools has mailcap entries with quoted %-escapes
Package: vorbis-tools
Version: 1.4.0-11
Tags: patch, security
Dear Maintainer,
the vorbis-tools package has mailcap entries with quoted %-escapes. That is considered unsafe. Proper escaping should be left to the programs using the entry.
This Lintian tag is triggered:
https://lintian.debian.org/tags/quoted-placeholder-in-mailcap-entry.html
See also grave bug #930908, which was recently closed because "a Lintian test already exists":
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=930908
I'm using the "security" tag because the affected rules in combination with certain mail user agents (or document openers) are the cause of a shell command injection vulnerability.
If you need more information let me know.
Thanks,
MNZ
diff --git a/debian/vorbis-tools.mime b/debian/vorbis-tools.mime
index 7f9bca8..1398ae9 100644
--- a/debian/vorbis-tools.mime
+++ b/debian/vorbis-tools.mime
@@ -1,5 +1,5 @@
application/ogg; ogg123 %s; description="Ogg Vorbis multimedia format"; priority=5
audio/ogg; ogg123 %s; description="Ogg Vorbis multimedia format"; priority=5
-application/ogg; ogginfo '%s'; copiousoutput; description="Ogg Vorbis multimedia format"; priority=1
-audio/ogg; ogginfo '%s'; copiousoutput; priority=1
-video/ogg; ogginfo '%s'; copiousoutput; priority=1
+application/ogg; ogginfo %s; copiousoutput; description="Ogg Vorbis multimedia format"; priority=1
+audio/ogg; ogginfo %s; copiousoutput; priority=1
+video/ogg; ogginfo %s; copiousoutput; priority=1
Reply to: