The following flaw was discovered (from Debian, see References):

Certain crafted file names may contain non-escaped shell metacharacters which can lead to arbitrary code execution when expanded.

References:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=470863
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=397125
feh-1.3.4-8.fc8 has been submitted as an update for Fedora 8
Thanks for the report, this has been fixed by the following builds:
feh-1.3.4-8.fc7
feh-1.3.4-8.fc8
feh-1.3.4-8.fc9

A mail has been sent to rel-eng to include the fc9 version in F-9, updates have been created in bodhi for the other 2.
https://admin.fedoraproject.org/updates/F7/pending/feh-1.3.4-8.fc7
https://admin.fedoraproject.org/updates/F8/pending/feh-1.3.4-8.fc8
feh-1.3.4-8.fc8 has been pushed to the Fedora 8 stable repository. If problems still persist, please make note of it in this bug report.
feh-1.3.4-8.fc7 has been pushed to the Fedora 7 stable repository. If problems still persist, please make note of it in this bug report.
Reporter changed to security-response-team by request of Jay Turner.