On Mon, Dec 03, 2007 at 11:31:27AM +0100, Gerd Hoffmann wrote:
> Moritz Muehlenhoff wrote:
> > Since fbi is not suitable for non-interactive use and the filename would
> > need to contain the commands to be executed I don't consider this a
> > security problem. Still, it should be fixed.
>
> It is at least quite hard to exploit remotely. Even when configuring
> fbi as image viewer in your text mode browser you'll usually end up with
> an mkstemp()-generated, /tmp/foo-xrks73w style filename being passed to
> fbi ...
>
> > CCing upstream. Gerd, the popen() call needs to be sanitised or replaced
>
> Fixed in cvs, patch attached for reference.
Thanks Gerd. Do you have fbi release plans within the next months?
Otherwise I'll apply the patch to the Debian package.

Cheers,
Moritz
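The popen() issue discussed in this thread, as an added example that is not fbi's code and not the attached patch: a hypothetical popen() call that interpolates the filename into a shell command line, beside a fork/exec pipe that passes the filename as a single argv element so no shell ever parses it. The function names, the use of `cat` as a stand-in for the external command, and SAMPLE_NAME are assumptions made for the example.

```c
#define _POSIX_C_SOURCE 200809L
/* Added example, not fbi's code: popen() with an interpolated filename vs a
 * shell-free fork/exec pipe. SAMPLE_NAME is a constructed test value. */
#include <stdio.h>
#include <unistd.h>
#include <sys/wait.h>
#define SAMPLE_NAME "/tmp/fbi demo;test.jpg"  /* contains shell metacharacters */
/* Vulnerable (hypothetical): /bin/sh parses the string, so ';' or '$(' in the name alters the command. */
FILE *open_vulnerable(const char *filename) {
    char cmd[4096];
    snprintf(cmd, sizeof cmd, "cat %s", filename);
    return popen(cmd, "r");
}
/* Replacement: pipe + fork + execlp. The filename is a single argv element,
 * "--" ends option parsing, and no shell ever sees the name. */
FILE *open_safe(const char *filename, pid_t *child) {
    int fds[2];
    if (pipe(fds) < 0) return NULL;
    pid_t pid = fork();
    if (pid < 0) { close(fds[0]); close(fds[1]); return NULL; }
    if (pid == 0) {                              /* child */
        dup2(fds[1], STDOUT_FILENO);
        close(fds[0]); close(fds[1]);
        execlp("cat", "cat", "--", filename, (char *)NULL);
        _exit(127);
    }
    close(fds[1]);                               /* parent */
    *child = pid;
    return fdopen(fds[0], "r");
}
/* Write a 5-byte sample file under the metacharacter-laden name. */
int create_sample_file(void) {
    FILE *f = fopen(SAMPLE_NAME, "wb");
    if (!f) return -1;
    fputs("hello", f);
    return fclose(f);
}
/* Read the sample back through the shell-free pipe: returns bytes read,
 * or -1 if the pipe could not be set up or the child failed. */
long read_via_safe_pipe(const char *filename) {
    pid_t child; int status;
    FILE *fp = open_safe(filename, &child);
    if (!fp) return -1;
    long n = 0;
    while (fgetc(fp) != EOF) n++;
    fclose(fp);
    waitpid(child, &status, 0);
    return (WIFEXITED(status) && WEXITSTATUS(status) == 0) ? n : -1;
}
```

Only open_safe is exercised; open_vulnerable is shown for contrast and should not be called with untrusted names.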