Hi Daniel, On sneon 26 Juny 2010, Daniel Friesel wrote: > there exists an (IMHO rather unlikely, but still possible) arbitrary code > execution hole in feh. All versions <= 1.7 down to at least the 1.3.4 in > stable (I didn't check earlier ones) are affected. > > See <http://seclists.org/oss-sec/2010/q2/332>. > > In case the security team wants to patch the stable feh package, the > following diff resolves the issue by removing the --wget-timestamp option, > which is probably broken anyway: > <https://derf.homelinux.org/git/feh/patch/?id=ae56ce24b10767800b1715e7e68b4 > 1c7d3571b4c>.
Thanks for reporting the issue to us. Especially the following convinces me that the issue is not likely enough to be fixed in a DSA: | So if an attacker can trick the user into opening an image URL containing | shell metacharacters with feh --wget-timestamp, he is able to execute | arbitrary shell code with the rights of the user executing feh. This requires | the URL to resolve to an existing file, however. Obfuscating the shell code | with HTTP escapes (like %20) does not seem to work, and a redirect (via | tinyurl or similar) to a malicious URL will also have no effect. I propose the maintainer fixes it in unstable/testing and optionally releases a fix via stable-proposed-updates. Cheers, Thijs
signature.asc
Description: This is a digitally signed message part.

