Jakub Wilk wrote:
> Package: fbi
> Version: 2.05-2
> Severity: normal
>
> $ F='"; echo buggy > buggy.log; : "'
> $ touch "$F"
> $ fbi "$F" 2>/dev/null
> $ cat buggy.log
> buggy

Confirmed. The problem is the use of popen() if an image is displayed which needs to be converted by imagemagick:

    if (NULL == loader) {
        /* no loader found, try to use ImageMagick's convert */
        snprintf(command,sizeof(command),
                 "convert -depth 8 \"%s\" ppm:-",filename);
        if (NULL == (fp = popen(command,"r")))
            return NULL;
        loader = &ppm_loader;
    }

Since fbi is not suitable for non-interactive use and the filename would need to contain the commands to be executed I don't consider this a security problem. Still, it should be fixed.

CCing upstream. Gerd, the popen() call needs to be sanitised or replaced.

Cheers,
Moritz