Your message dated Sat, 11 Sep 2021 23:18:37 +0000
with message-id <[email protected]>
and subject line Bug#987694: fixed in k4dirstat 3.3.0-1
has caused the Debian Bug report #987694,
regarding desktop entry Exec key has quoted %-escapes
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
987694: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=987694
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: k4dirstat
Version: 3.2.2-1
Tags: security

Dear Maintainer,
the k4dirstat package desktop entry (/usr/share/applications/k4dirstat.desktop) 
has quoted %-escapes in the Exec key, which is not standard compliant:
https://specifications.freedesktop.org/desktop-entry-spec/latest/ar01s07.html
"Field codes must not be used inside a quoted argument, the result of field 
code expansion inside a quoted argument is undefined."

The Exec line should be changed from:

 Exec=k4dirstat %i -qwindowtitle "%c" "%u"

to:

 Exec=k4dirstat %i -qwindowtitle %c %u

I'm using the "security" tag because such a line is used by update-mime(8) to 
generate a mailcap entry in /etc/mailcap. The quotes are preserved in the 
conversion, resulting in a mailcap rule with quoted %-escapes which is 
vulnerable to shell command injection:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=930908
https://lintian.debian.org/tags/quoted-placeholder-in-mailcap-entry.html
(The lintian tag is not triggered by k4dirstat because the rule is generated.)

If you need more information let me know.

Thanks,
MNZ

--- End Message ---
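A checker for the quoting defect the report describes, added here as an example that is not part of the bug thread or of k4dirstat: it tokenizes an Exec value with the desktop-entry spec's quoting rules and reports field codes (%c, %u, ...) that sit inside a double-quoted argument, which is what update-mime would carry over into /etc/mailcap. The sample .desktop text and all function names are constructed for the example.

```python
import re

# Field codes defined by the desktop-entry spec; "%%" is a literal percent.
FIELD_CODE_RE = re.compile(r"%[fFuUdDnNickvm]")

# Constructed samples: the Exec line from the report and the corrected one.
BROKEN_EXEC = 'k4dirstat %i -qwindowtitle "%c" "%u"'
FIXED_EXEC = 'k4dirstat %i -qwindowtitle %c %u'
SAMPLE_DESKTOP = "[Desktop Entry]\nName=k4dirstat\nExec=" + BROKEN_EXEC + "\n"


def tokenize_exec(value):
    """Split an Exec value into (text, quoted) arguments.

    Arguments are separated by spaces. A double-quoted argument may contain
    spaces; inside it a backslash escapes the next character (the spec allows
    this for a quote, a backslash, a backtick and a dollar sign)."""
    args, i, n = [], 0, len(value)
    while i < n:
        if value[i] == " ":
            i += 1
        elif value[i] == '"':
            i, buf = i + 1, []
            while i < n and value[i] != '"':
                if value[i] == "\\" and i + 1 < n:
                    buf.append(value[i + 1])
                    i += 2
                else:
                    buf.append(value[i])
                    i += 1
            if i >= n:
                raise ValueError("unterminated quoted argument in Exec")
            args.append(("".join(buf), True))
            i += 1  # skip the closing quote
        else:
            j = value.find(" ", i)
            j = n if j < 0 else j
            args.append((value[i:j], False))
            i = j
    return args


def quoted_field_codes(exec_value):
    """Return the field codes that appear inside quoted arguments (a defect)."""
    found = []
    for text, quoted in tokenize_exec(exec_value):
        if quoted:
            found += FIELD_CODE_RE.findall(text.replace("%%", ""))
    return found


def check_desktop_entry(contents):
    """Scan .desktop file text; return (Exec line, offending codes) findings."""
    return [(line, quoted_field_codes(line[len("Exec="):]))
            for line in contents.splitlines()
            if line.startswith("Exec=") and quoted_field_codes(line[len("Exec="):])]
```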
--- Begin Message ---
Source: k4dirstat
Source-Version: 3.3.0-1
Done: Jerome Robert <[email protected]>

We believe that the bug you reported is fixed in the latest version of
k4dirstat, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jerome Robert <[email protected]> (supplier of updated k4dirstat package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


Format: 1.8
Date: Fri, 10 Sep 2021 09:53:24 +0200
Source: k4dirstat
Architecture: source
Version: 3.3.0-1
Distribution: unstable
Urgency: medium
Maintainer: Jerome Robert <[email protected]>
Changed-By: Jerome Robert <[email protected]>
Closes: 987694
Changes:
 k4dirstat (3.3.0-1) unstable; urgency=medium
 .
   * New upstream version 3.3.0
     - Show free space in the status bar
     - Refresh tree after deleting a file
     - Fix a crash when clicking on the name column
     - Quote %-escapes strings in the .desktop Exec key (closes: #987694)
   * Bump Standards-Version


--- End Message ---