From ${URL} : In the default-direct.lua file in the "event.etype == 'Move'" branch, instead of using a direct fork/exec, a shell is spawned. Its arguments aren't quoted so one can inject additional parameters using whitespace characters. Original bug report containing reproducer and proposed patch: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=801263 @maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
2.1.6 version should solve this
No rdeps... and maintainer-needed for quite some time. @treecleaners, recommendation/thoughts?
So, just quoting of the arguments to 'mv' is needed. And we are ready to throw this package out of the tree? Please, please leave it in there and add the patch attached to the debian.org link above to an -r1 release.
2.1.6 is in tree with maintainer.
CCing new maintainer
Is stabilisation of 2.1.6 already in progress? With 2.1.5 gone, there is none left in stable.
(In reply to Pacho Ramos from comment #1) > 2.1.6 version should solve this No, it is not fixed in 2.1.6. Upstream fixed via https://github.com/axkibe/lsyncd/commit/c4f4ac3e0155af93036414371ed74ed215889c91 and this only present in >=2.2.0 which is not in Gentoo repository. @ Maintainer(s): Please bump to >=app-admin/lsyncd-2.2.0.
commit c4654db70af968a64534c61c868a761034e2c8cf Author: Patrick Lauer <patrick@gentoo.org> Date: Sat Jan 28 21:11:08 2017 +0100 app-admin/lsyncd: Bump
@ Arches, please test and mark stable: =app-admin/lsyncd-2.2.0
amd64 stable
x86 stable. Maintainer(s), please cleanup. Security, please vote.
GLSA Vote: No https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=755993fcf7c9451edfe66a9577d15b2d35a9034c
