Package: acetoneiso
Version: 2.4-3
Severity: serious
Tags: security

While looking through the code to see about replacing youtube-dl (#1024231), I noticed the following in acetoneiso/sources/utube.h's metacafe() function:

if (system ("cd $HOME/.acetoneiso/;wget http://www.arrakis.es/~rggi3/metacafe-dl/metacafe-dl > /dev/null 2>&1")) {

yutubbodl.setPermissions(QFile::ReadOwner | QFile::WriteOwner | QFile::ExeOwner | QFile::ExeGroup | QFile::ReadGroup | QFile::ReadOther | QFile::ExeOther);
[...]
     QFile utube_file( acetone_bin.path() + "/metacafe-dl");
[...]
UTube->start( utube_file.fileName(), QStringList() << "-o" << file << text );


Perhaps I'm wrong, but this appears to download and run whatever <http://www.arrakis.es/~rggi3/metacafe-dl/metacafe-dl> is. That web server no longer appears to be reachable, but that could be anything and is not guaranteed to be DFSG-compliant and could even do something malicious - we don't know.

That should probably be patched out of the program.
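For contrast, an added example (not code from acetoneiso or from this report) of the minimum a fetched helper would need before it is ever made executable: its digest is checked against a value pinned at build time, it gets owner-only permissions rather than the group/other execute bits set above, and it is started with an argument list instead of system(). The helper contents and the pinned digest are constructed here so the example runs offline.

```python
import hashlib
import os
import subprocess
from pathlib import Path

# Constructed sample standing in for the helper script the report says
# acetoneiso fetched from a remote web server at run time.
SAMPLE_HELPER = b"#!/bin/sh\necho metacafe-dl stub\n"

# Digest a maintainer would pin at build time (hypothetical; computed from the
# constructed sample above so the example is self-contained).
PINNED_SHA256 = hashlib.sha256(SAMPLE_HELPER).hexdigest()


def install_helper(blob: bytes, expected_sha256: str, dest: Path) -> bool:
    """Write a fetched helper only if its SHA-256 matches the pinned digest.

    The code in the report ran wget via system() and then set the execute bit
    (for group and other too) on whatever arrived. Here a digest mismatch
    means nothing is written and nothing becomes executable.
    """
    actual = hashlib.sha256(blob).hexdigest()
    if actual != expected_sha256:
        return False
    dest.parent.mkdir(parents=True, exist_ok=True)
    dest.write_bytes(blob)
    # Owner read+execute only; no group/other bits, unlike the original.
    os.chmod(dest, 0o500)
    return True


def run_helper(dest: Path, args: list[str]) -> int:
    """Run the installed helper with an argument list, never through a shell."""
    return subprocess.run([str(dest), *args], check=False).returncode
```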
