More info: this is not an upstream issue, it's caused by the handle-removed-working-dir.patch which is an attempt to fix #667038. Besides chopping off the last path component of any cd ../name command, it also does sfprintf(shp->strbuf,oldpwd) which is a problem if oldpwd contains printf formatting escapes, which probably could be exploited. Workaround is to remove handle-removed-working-dir.patch which would then reopen #667038.
-Zoltan
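Added example, not part of the original message or of the Debian patch: the sfprintf(shp->strbuf,oldpwd) pattern next to the constant-format form, showing that a directory name used as the format string does not survive the copy. Assumptions: snprintf stands in for ksh's sfprintf, and the function names and directory names are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Assumption: snprintf stands in for ksh's sfprintf, and dst for shp->strbuf. */

#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wformat-security"
#pragma GCC diagnostic ignored "-Wformat-nonliteral"
/* Flawed shape from the report: the directory name is the format string. */
int copy_pwd_as_format(char *dst, size_t n, const char *oldpwd)
{
    return snprintf(dst, n, oldpwd);
}
#pragma GCC diagnostic pop

/* Corrected shape: constant format, the directory name is only data. */
int copy_pwd_as_data(char *dst, size_t n, const char *oldpwd)
{
    return snprintf(dst, n, "%s", oldpwd);
}

/* 1 if the copy reproduced the path byte for byte, 0 otherwise. */
int roundtrip_ok(int (*copy)(char *, size_t, const char *), const char *path)
{
    char buf[256];
    int r = copy(buf, sizeof buf, path);
    return r >= 0 && (size_t)r < sizeof buf && strcmp(buf, path) == 0;
}

int main(void)
{
    /* Constructed directory names. "%%" is the only conversion used because
       it consumes no argument; any other would read arguments never passed. */
    const char *paths[] = { "/tmp/plain/src", "/tmp/100%%/src" };
    for (size_t i = 0; i < sizeof paths / sizeof paths[0]; i++)
        printf("%-16s as format: %s  as data: %s\n", paths[i],
               roundtrip_ok(copy_pwd_as_format, paths[i]) ? "intact" : "ALTERED",
               roundtrip_ok(copy_pwd_as_data, paths[i]) ? "intact" : "ALTERED");
    return 0;
}
```

Building the flawed form without the pragmas and with -Wformat -Wformat-security makes the compiler flag the non-literal format, which is a cheap check to run over a patch like this one.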