Package: chm2pdf
Version: 0.9.1-1.1
Followup-For: Bug #488033
This is a security problem. Below are a couple reasons I think this.
Reason #1: As I feared, chm2pdf passes most of the filename to a
shell without escaping it:
/usr/bin/chm2pdf:115: os.system('enum_chmLib '+filename+' >
'+CHM2PDF_WORK_DIR+'/urlslist.txt')
CHM2PDF_WORK_DIR has the basename of the input file in it.
Reason #2: The patch on the ubuntu bug is not to fix this, but to
escape paths found within the document. I haven't confirmed that
these bugs are a security issue, but it makes me worry.
This seems not to have been fixed in the 4 years since being
reported. Upstream was notified years ago, and someone suggested
that that they don't care... but I think that upstream doesn't
exist. Their last commit is from almost 4 years ago. I just skimmed
the last year of archives on their mailing list, and nothing seems
to be from a project member (it's almost all bug reports.)
So, while I'm happy to have a pdf (it did work on this file once I
renamed it) I think this program should be removed from debian.
Unless of course somebody wants to jump up and fix the security
issues and become the new upstream.
Thank you for considering.
- Jason
-- System Information:
Debian Release: wheezy/sid
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 3.2.0-1-686-pae (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages chm2pdf depends on:
ii htmldoc 1.8.27-7
ii libchm-bin 2:0.40a-2
ii python 2.7.2-10
ii python-chm 0.8.4-1+b2
ii python-support 1.0.14
chm2pdf recommends no packages.
Versions of packages chm2pdf suggests:
pn python-beautifulsoup <none>
-- no debconf information
--
To UNSUBSCRIBE, email to [email protected]
with a subject of "unsubscribe". Trouble? Contact [email protected]
