Package: findimagedupes
Version: 0.1.3-7
Severity: grave
findimagedupes will execute code stored in the names of the files it is run on: a file name is handed to a shell, so backquotes in the name are command-substituted. This allows arbitrary code to be executed as the invoking user by anyone who can add files to a directory findimagedupes is run on; hence this is a security hole and is grave.

An example: create a file named `touch a` (the backquotes are part of the name) and run findimagedupes on that directory. After findimagedupes is done, there will be a file named a in the working directory.

For a root exploit, when findimagedupes is being run as root, change the name of that file to `mv /home/evil/file /etc/passwd`.