Package: vlc
Version: 0.8.1.svn20050314-1

During installation, a couple of dangerously broken
mailcap-entries are installed to /etc/mailcap.

e.g.:  (there are more than just this one)
  audio/mpeg; nametemplate=%s.mpg; vlc '%s'; description="MPEG Audio"; test=test -n "$DISPLAY"

The broken thing common with all these lines is that "nametemplate=%s.ext"
is the first token after the mime-type and the %s is not quoted.
This results in the following behaviour:

$ touch "xxx echo foo.mp3"
$ run-mailcap --debug=1 "xxx echo foo.mp3"
...
 - executing: nametemplate=xxx echo foo.mp3.mpg
foo.mp3.mpg      (the echo got executed!)

With vlc installed, any command can be hidden in a filename,
provided it ends with an extension for which one of vlc's
mailcap-entries applies!
  "Hello.jpg   (hundreds of blanks)    rm -rf Mail .mp3"

Whether such a hostile name is immediately
visible to the user depends on the user's
file manager and also on the creativity of
the attacker choosing the name.
 
PS: It is remotely possible that this bug is also co-caused
  by "run-mailcap" from package "mime-support", which perhaps
  might/should detect the "nametemplate=" even at that position.
  However, vlc is the only program that has the
  nametemplate-thing before the actual command.
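
Added example (not part of the original report, and not code from vlc or mime-support): a small audit script that flags mailcap entries whose second field, the slot run-mailcap executes as the view command, holds an RFC 1524 named field or flag such as "nametemplate=" instead of a command. The function names are hypothetical, and the second sample entry is a constructed, reordered copy of the one quoted above.

```python
import re

# Field names and flags defined by RFC 1524; none is valid in the command slot.
NAMED_FIELDS = {"compose", "composetyped", "edit", "print", "test",
                "description", "nametemplate", "x11-bitmap", "textualnewlines"}
FLAGS = {"needsterminal", "copiousoutput"}

# Constructed sample: the entry quoted in the report, then a reordered copy.
SAMPLE = """\
audio/mpeg; nametemplate=%s.mpg; vlc '%s'; description="MPEG Audio"; test=test -n "$DISPLAY"
audio/mpeg; vlc '%s'; nametemplate=%s.mpg; description="MPEG Audio"; test=test -n "$DISPLAY"
"""

def logical_lines(text):
    """Yield entries with backslash continuations joined and comments dropped."""
    buf = ""
    for raw in text.splitlines():
        if not buf and raw.lstrip().startswith("#"):
            continue
        buf += raw
        if buf.endswith("\\"):
            buf = buf[:-1]
            continue
        if buf.strip():
            yield buf.strip()
        buf = ""

def split_fields(entry):
    """Split an entry on ';' characters that are not backslash-escaped."""
    return [f.strip() for f in re.split(r"(?<!\\);", entry)]

def misplaced_command(entry):
    """Return the named field or flag found in the command slot, else None."""
    fields = split_fields(entry)
    if len(fields) < 2:
        return None
    slot = fields[1]
    m = re.match(r"([A-Za-z0-9-]+)\s*=", slot)
    if m and m.group(1).lower() in NAMED_FIELDS:
        return m.group(1).lower()
    return slot.lower() if slot.lower() in FLAGS else None

def lint(text):
    """Return (field_name, entry) for every entry with a misplaced command."""
    return [(n, e) for e in logical_lines(text) if (n := misplaced_command(e))]

if __name__ == "__main__":
    for name, entry in lint(SAMPLE):
        print(f"'{name}' in command position: {entry}")
```

To audit a system, pass the contents of /etc/mailcap (or a package's mailcap snippet) to lint() instead of SAMPLE.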


