Package: yarssr Version: 0.2.2-3 Severity: important
The fix for CVE-2007-5837 (bug #448721) splits the arguments up, but keeps them quoted. Thus, the browser sees a URL in double quotes, and gets thoroughly confused, erroring out. Here's a patch which seems to cover all cases I can think of, though my Perl isn't too sharp. -- System Information: Debian Release: lenny/sid APT prefers unstable APT policy: (500, 'unstable') Architecture: i386 (i686) Kernel: Linux 2.6.22-14-generic (SMP w/2 CPU cores) Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968) Shell: /bin/sh linked to /bin/bash Versions of packages yarssr depends on: ii libgnome2-perl 1.040-1 Perl interface to the GNOME librar ii libgnome2-vfs-perl 1.080-1 Perl interface to the 2.x series o ii libgtk2-gladexml-perl 1.006-1 Perl interface to use user interfa ii libgtk2-perl 1:1.161-1 Perl interface to the 2.x series o ii libgtk2-trayicon-perl 0.04-1 Perl interface to fill the system ii libxml-rss-perl 1.31-2 Perl module for managing RSS (RDF ii perl 5.8.8-12 Larry Wall's Practical Extraction yarssr recommends no packages. -- no debconf information
--- yarssr-0.2.2/lib/Yarssr/GUI.pm 2005-03-19 13:52:35.000000000 +1100 +++ GUI.pm 2007-12-04 09:59:06.000000000 +1100 @@ -162,9 +162,15 @@ ); } else { - my $b = Yarssr::Config->get_browser; - $b .= " \"$url\"" unless $b =~ s/\%s/"$url"/; - exec($b) or warn "unable to launch browser\n"; + my @b = split(' ', Yarssr::Config->get_browser); + if (grep(/\%s/, @b)) + { + map {grep(s/\%s/$url/, $_) => $_} @b; + } + else { + push(@b, $url); + } + exec(@b) or warn "unable to launch browser\n"; exit; } }