* Eduard Bloch:
> Security team: please consider using the attached patch. It is a quick
> fix which uses libstring-shellquote-perl on @ARGV instead of the stupid
> doublequote protection before.

I'd rather like to avoid introducing a new dependency in a security update, but it's probably a bit difficult to properly implement the command pipes (not just a couple of one-liners). uudecode support also introduces a directory traversal vulnerability, but this could be considered a bug in uudecode, too. unshar support leads to direct code execution. I haven't checked the other unpackers.
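
Added example, not part of the thread or of the attached patch: a shell sketch of why wrapping an argument in double quotes does not protect it, next to single-quote escaping of the kind a shell-quoting library performs. The function names (`dq_wrap`, `sq_quote`, `reparse`, `survives`) and the sample arguments are constructed for illustration.

```shell
#!/bin/sh
# Naive protection: wrap the argument in double quotes.
# The shell still expands $(...), `...`, $VAR and honours embedded " inside it.
dq_wrap() {
    printf '"%s"' "$1"
}

# Single-quote escaping: wrap in '...' and rewrite each embedded ' as '\''.
# Nothing is interpreted inside single quotes, so any string passes through intact.
sq_quote() {
    rest=$1
    out=
    while :; do
        case $rest in
            *\'*)
                head=${rest%%\'*}      # text before the first single quote
                rest=${rest#*\'}       # text after it
                out="$out$head'\\''"   # close quote, escaped quote, reopen quote
                ;;
            *)
                out="$out$rest"
                break
                ;;
        esac
    done
    printf "'%s'" "$out"
}

# Feed a quoted word back through the shell parser, as a command pipe built
# from a string would, and print what the command receives as its argument.
reparse() {
    eval "printf '%s' $1"
}

# survives QUOTER ARG: true if ARG comes back byte-for-byte after quoting.
survives() {
    [ "$(reparse "$("$1" "$2")")" = "$2" ]
}

# Constructed sample arguments (harmless; the substitution only echoes a word).
for arg in 'archive $(echo EXPANDED).tar' "it's \"here\""; do
    for quoter in dq_wrap sq_quote; do
        if survives "$quoter" "$arg"; then verdict=intact; else verdict=ALTERED; fi
        printf '%-9s %-30s -> %s\n' "$quoter" "$arg" "$verdict"
    done
done
```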

