There is a Shell Command Injection vulnerability in the version of MATE Menu currently residing in the official Ubuntu archive. This issue is described here:
* https://bugs.launchpad.net/ubuntu-mate/+bug/1422402

mate-menu 5.6.2 directly addresses the issue above, but as you point out was not released in Ubuntu. Should I change the entry for mate-menu 5.6.2 in the changelog to UNRELEASED?

However, after doing a code review I found other exploitable methods in the package management features of MATE Menu. So I started on mate-menu 5.6.3 and the following changes address the other exploitable code.

+ Removed package management features.
+ Removed useless imports and dead code.
+ Refactored some os.system() calls to Pythonic equivalents.

Personally, I do not think a Menu should be trying to be a package manager, certainly not one that is exploitable. Before removing those features I consulted with the Ubuntu MATE community here:

* https://plus.google.com/103917631499285627130/posts/jkrMzsC3Brs

The message was clear: most people didn't know the package management features existed, and of those that did know about it, they didn't use it. So I took the decision to remove an insecure unused feature rather than fix it.

I hope that explains my rationale.

-- 
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1427742

Title:
  mate-menu package needs updating

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu-mate/+bug/1427742/+subscriptions

-- 
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
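The message above refers to shell command injection through os.system() in a package-management feature and to replacing such calls with Pythonic equivalents. The following is an added illustration of that class of fix and is not mate-menu's code: the function names, the apt-get command line and the sample package names are all hypothetical. It contrasts the injectable pattern (a shell string assembled by interpolation) with an argv list passed to subprocess without a shell, guarded by an allow-list check on the package name. Nothing is executed; the command-building functions return what would be run so it can be inspected.

```python
import re
import subprocess

# Allow-list for Debian package names (Debian Policy 5.6.1): lowercase letters,
# digits, '+', '-', '.', at least two characters, starting with a letter or digit.
# Anything a shell would treat as syntax (';', '|', '&', '$', spaces, ...) cannot pass.
PKG_NAME_RE = re.compile(r"^[a-z0-9][a-z0-9+.-]+$")


def unsafe_command_string(pkg_name):
    """The injectable pattern: interpolating untrusted text into a string that
    os.system() would hand to /bin/sh. Returned, not executed, for inspection.
    (Hypothetical command line, not mate-menu's.)"""
    return "apt-get install -y %s" % pkg_name


def is_valid_package_name(pkg_name):
    """True only if the name matches the allow-list pattern."""
    return bool(PKG_NAME_RE.match(pkg_name))


def safe_argv(pkg_name):
    """The Pythonic equivalent: validate first, then build an argv list.
    With shell=False the list is passed to execve() as separate arguments,
    so no shell ever parses the package name."""
    if not is_valid_package_name(pkg_name):
        raise ValueError("invalid package name: %r" % pkg_name)
    return ["apt-get", "install", "-y", pkg_name]


def run_install(pkg_name, runner=subprocess.run):
    """Run the install via subprocess.run without a shell. The runner is
    injectable for testing so nothing is executed in a test environment."""
    argv = safe_argv(pkg_name)
    return runner(argv, shell=False, check=True)


if __name__ == "__main__":
    # Constructed sample input: a plausible name and one carrying shell syntax.
    for name in ("mate-menu", "foo; echo injected"):
        print("unsafe string :", unsafe_command_string(name))
        try:
            print("safe argv     :", safe_argv(name))
        except ValueError as exc:
            print("safe argv     : rejected ->", exc)
```

The essential difference is not the validation alone but that `subprocess.run` with a list and `shell=False` never routes the package name through a shell, so even a name that slipped past the allow-list would arrive as a single argument to apt-get rather than as additional commands.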
