Red Hat Bugzilla – Bug 608808
CVE-2010-2246 Feh: Arbitrary code execution by viewing http images with reload set
Last modified: 2015-07-31 02:28:25 EDT
An improper input sanitization flaw was found in the way feh,
the versatile and fast image viewer using imlib2, escaped URLs
to remote image files to be reloaded. If a remote attacker could
trick the local user into opening a specially-crafted URL (where
that URL led to a valid file), it could lead to arbitrary code
execution with the privileges of the user running feh.
 feh --wget-timestamp 'https://derf.homelinux.org/stuff/bar`touch lol_hax`.jpg'
This issue affects the versions of the feh package as shipped
with Fedora releases 12 and 13.
Created feh tracking bugs for this issue
Affects: fedora-all [bug 608809]
The CVE identifier CVE-2010-2246 has been assigned to this issue.
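
Added example, not feh's own code and not part of the bug report: one way for a viewer to hand a URL to an external downloader without a shell ever parsing it, so a backtick in the URL stays literal data. It assumes wget is the downloader (as the --wget-timestamp option suggests); the function names and the sample URL in the comment are constructed for illustration.

```c
/* Added illustration, not feh source. Function names are hypothetical. */
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* 1 if every byte is legal in an RFC 3986 URI. Rejects backticks, spaces and
 * double quotes, but '$', '(' and ')' are legal URI characters, so this is
 * defence in depth only and cannot replace avoiding the shell. */
int url_chars_valid(const char *url)
{
    static const char ok[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
                             "0123456789-._~:/?#[]@!$&'()*+,;=%";
    return url != NULL && *url != '\0' && url[strspn(url, ok)] == '\0';
}

/* Fill argv for wget. The URL occupies exactly one slot after "--", so it
 * is never word-split, never expanded and never parsed as an option.
 * Constructed sample: "https://example.invalid/bar`touch x`.jpg" */
int build_wget_argv(const char *url, const char *outfile,
                    const char *argv[], size_t slots)
{
    if (url == NULL || outfile == NULL || slots < 7)
        return -1;
    argv[0] = "wget"; argv[1] = "-q"; argv[2] = "-O"; argv[3] = outfile;
    argv[4] = "--";   argv[5] = url;  argv[6] = NULL;
    return 6;
}

/* Run wget with fork + execvp; no shell ever sees the URL string. */
int fetch_url(const char *url, const char *outfile)
{
    const char *argv[7];
    int status;
    pid_t pid;
    if (!url_chars_valid(url) || build_wget_argv(url, outfile, argv, 7) < 0)
        return -1;
    if ((pid = fork()) < 0)
        return -1;
    if (pid == 0) {
        execvp(argv[0], (char *const *)argv);
        _exit(127); /* exec failed */
    }
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(int argc, char **argv) { return argc == 3 ? fetch_url(argv[1], argv[2]) : 2; }
```

The character check alone would still pass a URL containing `$(...)`, which is why the argument vector, not the filter, is the actual fix.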