Package: stopmotion Version: 0.8.5-2 Tags: patch, security Dear Maintainer, the stopmotion package has mailcap entries with quoted %-escapes. That is considered unsafe. Proper escaping should be left to the programs using the entry.
This Lintian tag is triggered: https://lintian.debian.org/tags/quoted-placeholder-in-mailcap-entry.html See also grave bug #930908, which was recently closed because "a Lintian test already exists": https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=930908 I'm using the "security" tag because the affected rules in combination with certain mail user agents (or document openers) are the cause of a shell command injection vulnerability. If you need more information let me know. Thanks, MNZ
diff -ru a/debian/stopmotion.mime b/debian/stopmotion.mime --- a/debian/stopmotion.mime 2019-11-19 16:43:10.000000000 +0100 +++ b/debian/stopmotion.mime 2021-04-23 15:54:02.397650992 +0200 @@ -1 +1 @@ -application/x-stopmotion; /usr/bin/stopmotion -caption "Animation Creator" '%s'; nametemplate='%s.sto'; test=test "$DISPLAY" != ""; priority=9 +application/x-stopmotion; /usr/bin/stopmotion -caption "Animation Creator" %s; nametemplate=%s.sto; test=test "$DISPLAY" != ""; priority=9
