Package: docx2txt Version: 1.4-4 Tags: patch, security Dear Maintainer, the docx2txt package has mailcap entries with quoted %-escapes. That is considered unsafe. Proper escaping should be left to the programs using the entry.
This Lintian tag is triggered: https://lintian.debian.org/tags/quoted-placeholder-in-mailcap-entry.html See also grave bug #930908, which was recently closed because "a Lintian test already exists": https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=930908 I'm using the "security" tag because the affected rules in combination with certain mail user agents (or document openers) are the cause of a shell command injection vulnerability. If you need more information let me know. Thanks, MNZ
diff --git a/debian/docx2txt.mime b/debian/docx2txt.mime index 1a486de..47a9ea2 100644 --- a/debian/docx2txt.mime +++ b/debian/docx2txt.mime @@ -1 +1 @@ -application/vnd.openxmlformats-officedocument.wordprocessingml.document; docx2txt '%s' - ; copiousoutput; description=Office Open XML Document +application/vnd.openxmlformats-officedocument.wordprocessingml.document; docx2txt %s - ; copiousoutput; description=Office Open XML Document
