[Pkg-pascal-devel] Bug#1068471: winff: shell injection
Jakub Wilk
jwilk at jwilk.net
Fri Apr 5 19:39:29 BST 2024
Package: winff
Version: 1.6.3+dfsg-2
Tags: security
As a follow-up to #1053373, WinFF still doesn't correctly escape
filenames it passes to shell.
To reproduce, try converting the file created by this command:
touch '\"; cowsay pwned >&2 #.mp3'
-- System Information:
Architecture: i386
Versions of packages winff depends on:
ii winff-qt 1.6.3+dfsg-2
--
Jakub Wilk
More information about the Pkg-pascal-devel
mailing list