* Colin Watson:

> On Sat, Oct 02, 2004 at 02:59:13PM +0200, Noèl Köthe wrote:
>> wget <= 1.9.1-4 (which is in sarge and frozen) had a security problem
>> (#261755) which is fixed in -6 and -7 (right now in incoming). -5 had
>> the first fixing patch but was not multibyte aware (#271931).
>> Jan Minar <jjminar fastmail.fm> wrote the fixing patches (Thanks!).
>> Upstream author doesn't respond to this and other things/mails since
>> weeks so right now he is MIA. :(
>
> <mdz> Kamion: I think it's silly
> <mdz> Jan Minar has filed a bunch of similar bugs
> <mdz> I'm waiting for the one against cat(1)
> <mdz> where it will allow arbitrary characters to be displayed on the
> terminal
>
> Is this really a security issue?

I don't think programs should print data received from untrusted sources without properly quoting control characters (or replacing them). However, I don't think this should get the honor of a last-minute fix, especially if it hasn't been approved by upstream. Does the patch change a common code path? (The potential memory leak I criticized earlier apparently has been fixed.)