[Pkg-mc-devel] Bug#594647: /etc/mc/mc.menu is badly underquoted

Adam Borowski kilobyte at angband.pl
Sat Aug 28 00:33:44 UTC 2010 

Package: mc
Version: 3:4.7.0.8-1
Severity: normal

Many of the commands inside /etc/mc/mc.menu are unquoted or improperly
quoted.  This leads to problems for file names that contain spaces or other
special characters.  Usually, this leads to just failing to operate on a
file, but there's at least one security issue.

If you have a file named "some_long_name -z /etc/passwd something_else.bz2"
and run "convert .bz2 to .gz", you'll end with /etc/passwd removed and
placed into "/etc/passwd.bz2".


To fix those, please quote every use of a file name.  This includes places
that seem to be already quoted, like:

D="`basename %f .tar.gz`"

which needs to be:

D="`basename "%f" .tar.gz`"

-- System Information:
Debian Release: squeeze/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (150, 'experimental')
Architecture: i386 (i686)

Kernel: Linux 2.6.35-trunk-686 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages mc depends on:
ii  libc6                         2.11.2-2   Embedded GNU C Library: Shared lib
ii  libglib2.0-0                  2.24.1-1   The GLib library of C routines
ii  libgpm2                       1.20.4-3.3 General Purpose Mouse - shared lib
ii  libslang2                     2.2.2-4    The S-Lang programming library - r

Versions of packages mc recommends:
ii  mime-support                  3.48-1     MIME files 'mime.types' & 'mailcap

Versions of packages mc suggests:
pn  arj                        <none>        (no description available)
ii  bzip2                      1.0.5-4       high-quality block-sorting file co
pn  catdvi                     <none>        (no description available)
pn  dbview                     <none>        (no description available)
pn  djvulibre-bin              <none>        (no description available)
ii  evince [pdf-viewer]        2.30.3-1      Document (postscript, pdf) viewer
ii  file                       5.04-5        Determines file type using "magic"
pn  gv                         <none>        (no description available)
ii  imagemagick                8:6.6.0.4-2.2 image manipulation programs
pn  links | w3m | lynx         <none>        (no description available)
pn  odt2txt                    <none>        (no description available)
ii  perl                       5.10.1-14     Larry Wall's Practical Extraction 
ii  python                     2.6.5-13      interactive high-level object-orie
pn  python-boto                <none>        (no description available)
pn  python-tz                  <none>        (no description available)
ii  unzip                      6.0-4         De-archiver for .zip files
pn  zip                        <none>        (no description available)

-- no debconf information

More information about the Pkg-mc-devel mailing list