Hi security, there is a problem with the picocom terminal emulator:
picocom before 2.0 has a command injection vulnerability in the 'send and receive file' command because the command line is executed by /bin/sh unsafely.
(https://security-tracker.debian.org/tracker/CVE-2015-9059)

The bug report https://bugs.debian.org/863671 contains a patch, but I'm not sure whether it does what it should. A test case would be wonderful!

If nobody can review or test the patch, there are other options:

- remove picocom 1.7 from stretch (2.2 is in experimental and does not have the vulnerability, it will be in unstable ASAP and will be backported to both Stretch and Jessie)
- just disable 'send and receive file', which nowadays is not very important anymore, I need to check how easy this is, but I'm optimistic
- document the problem, but ignore it otherwise, because not many people will use file transfer anyway - this is neither heartbleed nor shellshock; no fancy name, no logo

TIA & Cheers
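
Added example, not part of the original message and not picocom's code or the patch from the bug report: one way a file-transfer command line can be run without /bin/sh, so that the filename always stays a single argument. The function names, the sample command and the sample filename are assumptions constructed for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

#define MAX_ARGS 16

/* Split the configured transfer command on blanks only. No quoting,
   globbing or substitution: nothing here is interpreted by a shell. */
static int split_words(char *s, char **argv, int max)
{
    int n = 0;
    for (char *tok = strtok(s, " \t"); tok; tok = strtok(NULL, " \t")) {
        if (n >= max) return -1;          /* too many words: refuse */
        argv[n++] = tok;
    }
    return n;
}

/* Build argv as "<command words...> <filename>". The filename is appended
   as exactly one argument whatever characters it contains.
   Returns argc, or -1 if the command is empty or too long. */
int build_xfer_argv(char *cmd, char *filename, char **argv)
{
    int n = split_words(cmd, argv, MAX_ARGS - 2);
    if (n <= 0) return -1;
    argv[n++] = filename;
    argv[n] = NULL;
    return n;
}

/* Run the transfer program directly with execvp() instead of "sh -c".
   Returns the child's exit status, or -1 on error. */
int run_xfer(char *cmd, char *filename)
{
    char *argv[MAX_ARGS];
    int st;
    if (build_xfer_argv(cmd, filename, argv) < 0) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) { execvp(argv[0], argv); _exit(127); }
    if (waitpid(pid, &st, 0) < 0) return -1;
    return WIFEXITED(st) ? WEXITSTATUS(st) : -1;
}

int main(void)
{
    char cmd[] = "test -n";        /* constructed stand-in for the transfer command */
    char name[] = "x; false";      /* constructed filename with a shell metacharacter */
    printf("exit status: %d\n", run_xfer(cmd, name));
    return 0;
}
```

With the filename kept as one argument, `test -n` sees a non-empty string and exits 0; a shell given the same text would have run `false` as a second command.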