The library invokes commands in some situations with user supplied input allowing `backticks` to be inserted and arbitrary commands executed.
Setting this as RESTRICTED until it is publicly available. We should check whether any setuid or setgid binaries link to esound.
Leonardo please advise.
Do you have any more details about the problem? I'd appreciate any pointers to upstream bugs, discussions on ml's, test cases, etc. Thanks.
Not at the moment but I can ask. However it is only an issue if we have any setuid/setgid binaries linking to it.
See the list of rrdep at: http://tinderbox.x86.dev.gentoo.org/misc/rindex/media-sound/esound
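The check the thread asks for (whether any setuid/setgid binary on a system links to esound), as an added example that is not part of the bug report; the library name `libesd` and the search root are assumptions and can be adjusted for the system under review.

```shell
#!/bin/sh
# Added example, not from the bug thread: enumerate setuid/setgid binaries
# under a root and report those whose dynamic dependencies include a given
# library (assumed here to be libesd, the esound client library).

# Print every regular file under $1 with the setuid or setgid bit set.
list_setuid_binaries() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | sort
}

# Succeed (exit 0) if ldd reports a library matching $2 for the ELF file $1.
# ldd also resolves transitive dependencies, so indirect links are caught;
# a non-ELF input produces no match and therefore a non-zero status.
links_to_lib() {
    ldd "$1" 2>/dev/null | grep -q -- "$2"
}

# Combine the two: print each privileged binary under $1 that links to $2.
# Defaults: root "/" and library name "libesd" (both assumptions).
find_privileged_linking() {
    root="${1:-/}"
    lib="${2:-libesd}"
    list_setuid_binaries "$root" | while IFS= read -r bin; do
        if links_to_lib "$bin" "$lib"; then
            printf '%s\n' "$bin"
        fi
    done
}
```

An empty result means no privileged binary resolves the library at run time, which is the condition the thread treats as making the issue not exploitable locally.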
I propose to close this one as invalid, pending an attack vector...
Closing as INVALID for now.