Package: gocr
Version: 0.41-1
Severity: minor
Tags: security
--- Please enter the report below this line. ---
Hi, gocr is calling a child process with sh -c and expands the argument
needlessly.
[10:33] ~ => strace -ff -e fork,execve gocr big-in-japan-\(alphaville-cover\).png
execve("/usr/bin/gocr", ["gocr", "big-in-japan-(alphaville-cover)."...], [/* 31 vars */]) = 0
Process 14364 attached
[pid 14364] execve("/bin/sh", ["sh", "-c", "pngtopnm big-in-japan-(alphavill"...], [/* 31 vars */]) = 0
sh: -c: line 0: syntax error near unexpected token `('
sh: -c: line 0: `pngtopnm big-in-japan-(alphaville-cover).png'
Process 14364 detached
--- SIGCHLD (Child exited) @ 0 (0) ---
(null): EOF / read error reading magic number
Process 14363 detached
I can work around this easily by renaming the file ;-), but it could be a
security issue in other cases so I'm tagging it as such.
Regards,
Zoran
--- System information. ---
Architecture: i386
Kernel: Linux 2.6.22-rc3-ck1-suspend2
Debian Release: lenny/sid
700 testing debian.iskon.hr
500 lenny zap.tartarus.org
500 feisty wine.budgetdedicated.com
500 experimental nekkar.carnet.hr
500 experimental jurina.srce.hr
500 debian-unstable download.tuxfamily.org
400 stable www.debian-multimedia.org
400 stable debian.iskon.hr
100 unstable www.debian-multimedia.org
100 unstable debian.iskon.hr
1 experimental debian.iskon.hr
--- Package information. ---
Depends (Version) | Installed
============================-+-=============
libc6 (>= 2.3.6-6) | 2.5-9+b1
libnetpbm10 | 2:10.0-11
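
Added example, not part of the original report and not gocr's code: the same file name passed to a helper once through an sh -c string and once as a single argv element via fork/exec. The function names are hypothetical, `echo` stands in for pngtopnm so the block runs without netpbm, and the use of popen() for the shell path is an assumption (the strace only shows that sh -c is used).

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* sh -c pattern from the strace. Returns bytes read from the helper, -1 on failure. */
static long read_via_shell(const char *helper, const char *file, char *out, size_t cap)
{
    char cmd[512];
    snprintf(cmd, sizeof cmd, "%s %s", helper, file);  /* shell will parse the file name */
    FILE *fp = popen(cmd, "r");                         /* runs /bin/sh -c cmd */
    if (!fp) return -1;
    size_t n = fread(out, 1, cap - 1, fp);
    out[n] = '\0';
    return pclose(fp) == 0 ? (long)n : -1;
}

/* Same job without a shell: the file name is exactly one argv element. */
static long read_via_argv(const char *helper, const char *file, char *out, size_t cap)
{
    int fds[2], status;
    if (pipe(fds) < 0) return -1;
    pid_t pid = fork();
    if (pid < 0) { close(fds[0]); close(fds[1]); return -1; }
    if (pid == 0) {                       /* child: stdout -> pipe, then exec */
        dup2(fds[1], STDOUT_FILENO);
        close(fds[0]); close(fds[1]);
        execlp(helper, helper, file, (char *)NULL);
        _exit(127);                       /* exec failed */
    }
    close(fds[1]);
    size_t n = 0; ssize_t r;
    while (n < cap - 1 && (r = read(fds[0], out + n, cap - 1 - n)) > 0)
        n += (size_t)r;
    out[n] = '\0';
    close(fds[0]);
    if (waitpid(pid, &status, 0) < 0) return -1;
    return (WIFEXITED(status) && WEXITSTATUS(status) == 0) ? (long)n : -1;
}

int main(void)
{
    char buf[256];
    const char *file = "big-in-japan-(alphaville-cover).png"; /* name from the report */
    printf("sh -c: %ld\n", read_via_shell("echo", file, buf, sizeof buf));
    long n = read_via_argv("echo", file, buf, sizeof buf);
    printf("argv:  %ld intact=%d\n", n, strncmp(buf, file, strlen(file)) == 0);
    return 0;
}
```

With the reported file name the shell variant fails with the same syntax error shown in the strace, while the argv variant hands the name to the helper unchanged.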