[Pkg-gmagick-im-team] Bug#987691: imagemagick has mailcap entries with quoted %-escapes
Marriott NZ
marriott99 at gmx.com
Tue Apr 27 22:30:48 BST 2021
Package: imagemagick
Version: 8:6.9.11.60+dfsg-1.3
Tags: patch, security
Dear Maintainer,
the imagemagick package has mailcap entries with quoted %-escapes. That is considered unsafe. Proper escaping should be left to the programs using the entry.
This Lintian tag is triggered:
https://lintian.debian.org/tags/quoted-placeholder-in-mailcap-entry.html
See also grave bug #930908, which was recently closed because "a Lintian test already exists":
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=930908
I'm using the "security" tag because the affected rules in combination with certain mail user agents (or document openers) are the cause of a shell command injection vulnerability.
If you need more information let me know.
Thanks,
MNZ
-------------- next part --------------
A non-text attachment was scrubbed...
Name: imagemagick.diff
Type: text/x-patch
Size: 8586 bytes
Desc: not available
URL: <http://alioth-lists.debian.net/pipermail/pkg-gmagick-im-team/attachments/20210427/0e788e5d/attachment.bin>
More information about the Pkg-gmagick-im-team
mailing list