Package: yarssr
Version: 0.2.2-3
Severity: important
The fix for CVE-2007-5837 (bug #448721) splits the arguments up, but
keeps them quoted. Thus, the browser sees a URL in double quotes, and
gets thoroughly confused, erroring out.
Here's a patch which seems to cover all cases I can think of, though my
Perl isn't too sharp.
-- System Information:
Debian Release: lenny/sid
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.6.22-14-generic (SMP w/2 CPU cores)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/bash
Versions of packages yarssr depends on:
ii libgnome2-perl 1.040-1 Perl interface to the GNOME librar
ii libgnome2-vfs-perl 1.080-1 Perl interface to the 2.x series o
ii libgtk2-gladexml-perl 1.006-1 Perl interface to use user interfa
ii libgtk2-perl 1:1.161-1 Perl interface to the 2.x series o
ii libgtk2-trayicon-perl 0.04-1 Perl interface to fill the system
ii libxml-rss-perl 1.31-2 Perl module for managing RSS (RDF
ii perl 5.8.8-12 Larry Wall's Practical Extraction
yarssr recommends no packages.
-- no debconf information
--- yarssr-0.2.2/lib/Yarssr/GUI.pm 2005-03-19 13:52:35.000000000 +1100
+++ GUI.pm 2007-12-04 09:59:06.000000000 +1100
@@ -162,9 +162,15 @@
);
}
else {
- my $b = Yarssr::Config->get_browser;
- $b .= " \"$url\"" unless $b =~ s/\%s/"$url"/;
- exec($b) or warn "unable to launch browser\n";
+ my @b = split(' ', Yarssr::Config->get_browser);
+ if (grep(/\%s/, @b))
+ {
+ map {grep(s/\%s/$url/, $_) => $_} @b;
+ }
+ else {
+ push(@b, $url);
+ }
+ exec(@b) or warn "unable to launch browser\n";
exit;
}
}
