Package: k4dirstat
Version: 3.2.2-1
Tags: security

Dear Maintainer,

the k4dirstat package desktop entry (/usr/share/applications/k4dirstat.desktop) has quoted %-escapes in the Exec key, which is not standard compliant:

https://specifications.freedesktop.org/desktop-entry-spec/latest/ar01s07.html

"Field codes must not be used inside a quoted argument, the result of field code expansion inside a quoted argument is undefined."

The Exec line should be changed from:

Exec=k4dirstat %i -qwindowtitle "%c" "%u"

to:

Exec=k4dirstat %i -qwindowtitle %c %u

I'm using the "security" tag because such a line is used by update-mime(8) to generate a mailcap entry in /etc/mailcap. The quotes are preserved in the conversion, resulting in a mailcap rule with quoted %-escapes which is vulnerable to shell command injection:

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=930908
https://lintian.debian.org/tags/quoted-placeholder-in-mailcap-entry.html

(The lintian tag is not triggered by k4dirstat because the rule is generated.)

If you need more information let me know.

Thanks,
MNZ
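Added example, not part of this bug report and not lintian's or update-mime's own code: a small Python check in the spirit of the quoted-placeholder lintian tag. It reads the Exec key out of a desktop entry, tokenizes the value with the spec's quoting rules (space-separated arguments, double quotes group an argument, backslash escapes inside quotes) and reports any field code that sits inside a quoted argument, which is exactly the pattern that survives into the generated mailcap rule. The sample desktop entry text and the function names are constructed for the example; only the two Exec lines come from the report above.

```python
import re
from typing import List, Tuple

# Field codes defined by the desktop entry spec (%% is a literal percent).
FIELD_CODE_RE = re.compile(r"%[fFuUdDnNickvm]")


def tokenize_exec(value: str) -> List[Tuple[str, bool]]:
    """Split an Exec value into (argument, was_quoted) pairs.

    Follows the spec's quoting rules: arguments are separated by spaces,
    a double-quoted run forms one argument, and a backslash inside quotes
    escapes the next character.
    """
    args: List[Tuple[str, bool]] = []
    i, n = 0, len(value)
    while i < n:
        while i < n and value[i] == " ":  # skip separators
            i += 1
        if i >= n:
            break
        if value[i] == '"':
            i += 1
            buf = []
            while i < n and value[i] != '"':
                if value[i] == "\\" and i + 1 < n:  # escaped char inside quotes
                    i += 1
                buf.append(value[i])
                i += 1
            if i >= n:
                raise ValueError("unterminated quote in Exec value")
            i += 1  # consume the closing quote
            args.append(("".join(buf), True))
        else:
            start = i
            while i < n and value[i] != " ":
                i += 1
            args.append((value[start:i], False))
    return args


def quoted_field_codes(value: str) -> List[str]:
    """Return the quoted arguments of an Exec value that contain a field code.

    "%%" is removed first so a quoted literal percent is not reported.
    """
    return [arg for arg, quoted in tokenize_exec(value)
            if quoted and FIELD_CODE_RE.search(arg.replace("%%", ""))]


def read_exec_key(desktop_entry: str) -> str:
    """Pull the Exec= value out of the [Desktop Entry] group of a .desktop file."""
    in_group = False
    for line in desktop_entry.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            in_group = line == "[Desktop Entry]"
        elif in_group and line.startswith("Exec="):
            return line[len("Exec="):]
    raise ValueError("no Exec key in [Desktop Entry] group")


# The two Exec lines from the bug report: the shipped one and the proposed fix.
BROKEN = 'k4dirstat %i -qwindowtitle "%c" "%u"'
FIXED = 'k4dirstat %i -qwindowtitle %c %u'

# Constructed desktop entry carrying the shipped Exec line (sample data, not
# the real file contents beyond the Exec key).
SAMPLE_DESKTOP = """[Desktop Entry]
Type=Application
Name=K4DirStat
Exec=k4dirstat %i -qwindowtitle "%c" "%u"
Icon=k4dirstat
MimeType=application/x-k4dirstat;
"""


if __name__ == "__main__":
    exec_value = read_exec_key(SAMPLE_DESKTOP)
    for label, value in (("shipped", exec_value), ("proposed", FIXED)):
        bad = quoted_field_codes(value)
        status = "quoted field codes: " + ", ".join(bad) if bad else "ok"
        print(f"{label}: Exec={value}\n  -> {status}")
```

Running it flags "%c" and "%u" for the shipped line and reports the proposed line as clean. The check only looks at the desktop entry, so it also covers packages like this one where the mailcap rule is generated at install time and the existing lintian tag on the mailcap file never fires.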