[Pkg-ayatana-devel] Bug#895479: ayatana-indicator-power: runs gnome-power-statistics but does not depend on it
Simon McVittie
smcv at debian.org
Wed Apr 11 23:41:28 BST 2018

Package: ayatana-indicator-power
Version: 2.0.93-2
Severity: normal

While checking what gnome-power-manager does and whether it's still a
desirable package to have, I tried asking codesearch.debian.net
what runs its one remaining binary (gnome-power-statistics). It appears
that ayatana-indicator-power tries to run gnome-power-statistics in
GNOME and Unity sessions. However, it does not have a (strong or weak)
dependency on the gnome-power-manager package, and neither do GNOME
metapackages other than gnome-session-flashback.

(I'm also a little concerned that this

    char *cmd = g_strconcat ("gnome-power-statistics", " --device ",
                             g_variant_get_string (param, NULL), NULL);
    execute_command (cmd);

might be susceptible to unintended shell injection. Please consider
using an argv-based API like GSubprocess, or at least quote arguments
that are interpolated into a /bin/sh command with g_shell_quote().)

smcv
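
Added example, not part of the original message and not code from ayatana-indicator-power: the same "--device <param>" launch done once through a /bin/sh command string and once with an argument vector, so the difference the report points at is visible in the child's output. It uses plain POSIX fork/execvp as a stand-in for the GSubprocess API the report suggests; "echo" stands in for gnome-power-statistics, and the function names and device string are constructed for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Pattern from the report: parameter pasted into a /bin/sh command line. */
static int run_via_shell(const char *prog, const char *device, char *out, size_t n)
{
    char cmd[512];
    if (snprintf(cmd, sizeof cmd, "%s --device %s", prog, device) >= (int)sizeof cmd)
        return -1;
    FILE *f = popen(cmd, "r");
    if (!f) return -1;
    out[fread(out, 1, n - 1, f)] = '\0';
    return pclose(f);
}

/* argv-based launch: no shell, so device arrives as exactly one argument. */
static int run_via_argv(const char *prog, const char *device, char *out, size_t n)
{
    int fds[2], status;
    if (pipe(fds) != 0) return -1;
    pid_t pid = fork();
    if (pid < 0) { close(fds[0]); close(fds[1]); return -1; }
    if (pid == 0) {                      /* child: stdout -> pipe, then exec */
        char *const argv[] = { (char *)prog, "--device", (char *)device, NULL };
        dup2(fds[1], STDOUT_FILENO); close(fds[0]); close(fds[1]);
        execvp(prog, argv);
        _exit(127);                      /* exec failed */
    }
    close(fds[1]);
    size_t used = 0; ssize_t r;
    while (used + 1 < n && (r = read(fds[0], out + used, n - 1 - used)) > 0)
        used += (size_t)r;
    out[used] = '\0';
    close(fds[0]);
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    const char *device = "battery_BAT0; echo SECOND-COMMAND"; /* constructed */
    char a[256], b[256];
    run_via_shell("echo", device, a, sizeof a); /* "echo": stand-in binary */
    run_via_argv("echo", device, b, sizeof b);
    printf("via shell:\n%svia argv:\n%s", a, b);
    return 0;
}
```

In GLib code the argv-based form corresponds to g_subprocess_new() with each argument passed as a separate string, which is the API family the report recommends.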