Hi Daniel,

On sneon 26 Juny 2010, Daniel Friesel wrote:
> there exists an (IMHO rather unlikely, but still possible) arbitrary code
> execution hole in feh. All versions <= 1.7 down to at least the 1.3.4 in
> stable (I didn't check earlier ones) are affected.
> 
> See <http://seclists.org/oss-sec/2010/q2/332>.
> 
> In case the security team wants to patch the stable feh package, the
> following diff resolves the issue by removing the --wget-timestamp option,
> which is probably broken anyway:
> <https://derf.homelinux.org/git/feh/patch/?id=ae56ce24b10767800b1715e7e68b4
> 1c7d3571b4c>.

Thanks for reporting the issue to us. Especially the following convinces me 
that the issue is not likely enough to be fixed in a DSA:

| So if an attacker can trick the user into opening an image URL containing
| shell metacharacters with feh --wget-timestamp, he is able to execute
| arbitrary shell code with the rights of the user executing feh. This 
requires
| the URL to resolve to an existing file, however. Obfuscating the shell code
| with HTTP escapes (like %20) does not seem to work, and a redirect (via
| tinyurl or similar) to a malicious URL will also have no effect.

I propose the maintainer fixes it in unstable/testing and optionally releases 
a fix via stable-proposed-updates.


Cheers,
Thijs

Attachment: signature.asc
Description: This is a digitally signed message part.

Reply via email to