Package: latexdraw Version: 3.3.8+ds1-1 Tags: patch, security Dear Maintainer, the latexdraw package has mailcap entries with quoted %-escapes. That is considered unsafe. Proper escaping should be left to the programs using the entry.
This Lintian tag is triggered: https://lintian.debian.org/tags/quoted-placeholder-in-mailcap-entry.html See also grave bug #930908, which was recently closed because "a Lintian test already exists": https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=930908 I'm using the "security" tag because the affected rules in combination with certain mail user agents (or document openers) are the cause of a shell command injection vulnerability. If you need more information let me know. Thanks, MNZ
diff --git a/debian/latexdraw.mime b/debian/latexdraw.mime index 9671e6f..bbd25c0 100644 --- a/debian/latexdraw.mime +++ b/debian/latexdraw.mime @@ -1,2 +1,2 @@ -application/x-latexdraw-project; latexdraw %s; description="LaTeXDraw project"; nametemplate=%s.ldp; test=test -n "$DISPLAY" ; edit=latexdraw %s; compose=latexdraw '%s' -image/svg+xml; latexdraw '%s'; description="Scalable Vector Graphics"; nametemplate=%s.svg; test=test -n "$DISPLAY"; edit=latexdraw '%s'; compose=latexdraw '%s' +application/x-latexdraw-project; latexdraw %s; description="LaTeXDraw project"; nametemplate=%s.ldp; test=test -n "$DISPLAY" ; edit=latexdraw %s; compose=latexdraw %s +image/svg+xml; latexdraw %s; description="Scalable Vector Graphics"; nametemplate=%s.svg; test=test -n "$DISPLAY"; edit=latexdraw %s; compose=latexdraw %s
