Bug#982952: flowblade has mailcap entries with quoted %-escapes
Package: flowblade
Version: 2.8-1
Tags: security
Dear Maintainer,
the flowblade package has mailcap entries with quoted %-escapes. That is considered unsafe. Proper escaping should be left to the programs using the entry.
This Lintian tag is triggered:
https://lintian.debian.org/tags/quoted-placeholder-in-mailcap-entry.html
See also grave bug #930908, which was recently closed because "a Lintian test already exists":
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=930908
I'm using the "security" tag because the affected rules in combination with certain mail user agents (or document openers) are the cause of a shell command injection vulnerability.
/usr/lib/mime/packages/flowblade should be changed from:
application/vnd.flowblade-project; /usr/bin/flowblade '%s'; test=test -n "$DISPLAY"; priority=5
to:
application/vnd.flowblade-project; /usr/bin/flowblade %s; test=test -n "$DISPLAY"; priority=5
If you need more information let me know.
Thanks,
MNZ
Reply to: