Red Hat Bugzilla – Bug 441527
feh shell command injection with crafted file names
Last modified: 2009-10-23 15:06:54 EDT
The following flaw was discovered:
From Debian, see References. Certain crafted file names may contain non-escaped shell metacharacters which can lead to arbitrary code execution when expanded.
feh-1.3.4-8.fc8 has been submitted as an update for Fedora 8
Thanks for the report, this has been fixed by the following builds:
A mail has been sent to rel-eng to include the fc9 version in F-9; updates have been created in bodhi for the other 2.
feh-1.3.4-8.fc8 has been pushed to the Fedora 8 stable repository. If problems still persist, please make note of it in this bug report.
feh-1.3.4-8.fc7 has been pushed to the Fedora 7 stable repository. If problems still persist, please make note of it in this bug report.
Reporter changed to email@example.com by request of Jay Turner.