#985597 freeplane has mailcap entries with quoted %-escapes

Package: freeplane
Source: freeplane
Submitter: Marriott NZ
Date: 2025-03-17 20:57:02 UTC
Severity: normal
Tags:
#985597#5
Date: 2021-03-20 14:56:24 UTC
From:
To:
Dear Maintainer,
the freeplane package has mailcap entries with quoted %-escapes. That is considered unsafe. Proper escaping should be left to the programs using the entry.

This Lintian tag is triggered:
https://lintian.debian.org/tags/quoted-placeholder-in-mailcap-entry.html

See also grave bug #930908, which was recently closed because "a Lintian test already exists":
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=930908

I'm using the "security" tag because the affected rules in combination with certain mail user agents (or document openers) are the cause of a shell command injection vulnerability.

If you need more information let me know.

Thanks,
MNZ
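
An added illustration of the report above, not part of the original bug thread or of the freeplane packaging: a small Python check for placeholders that sit inside quotes in a mailcap entry, plus a demonstration of how entry-side quotes cancel the escaping done by the calling program. The sample entries, `example-viewer` and all function names are constructed; the check approximates the Lintian tag and is not Lintian's implementation.

```python
import re
import shlex

# Constructed sample entries (not freeplane's actual mailcap file).
SAMPLE_MAILCAP = """\
# constructed sample
application/x-example; example-viewer '%s'; test=test -n "$DISPLAY"
application/x-example2; example-viewer "%s"
application/x-example3; example-viewer %s
"""

def has_quoted_placeholder(command):
    """True if %s, %t or %{...} occurs inside single or double quotes."""
    quote, i = None, 0
    while i < len(command):
        c = command[i]
        if c == "\\" and quote != "'":      # backslash escapes the next char
            i += 2
            continue
        if c in "'\"":
            if quote is None:
                quote = c                   # opening quote
            elif quote == c:
                quote = None                # matching closing quote
        elif c == "%" and i + 1 < len(command):
            if command[i + 1] == "%":       # literal percent sign
                i += 2
                continue
            if command[i + 1] in "st{" and quote is not None:
                return True
        i += 1
    return False

def lint(mailcap_text):
    """Return (line number, MIME type) for each entry with a quoted placeholder."""
    findings = []
    for n, line in enumerate(mailcap_text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        fields = re.split(r"(?<!\\);", line)    # ';' separates fields, '\;' does not
        if any(has_quoted_placeholder(f) for f in fields[1:]):
            findings.append((n, fields[0].strip()))
    return findings

def expand(command, filename):
    """Expand %s as a careful caller does (shell-escape the value first), then
    word-split like a POSIX shell to show the argv the viewer would receive."""
    return shlex.split(command.replace("%s", shlex.quote(filename)))
```

With a file name containing a space, the quoted entry yields two arguments because the entry's quotes pair up with the caller's, while the unquoted entry keeps the name as a single argument.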

#985597#8
Date: 2025-03-17 20:53:34 UTC
From:
To:
Hello,

Bug #985597 in freeplane reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:

https://salsa.debian.org/java-team/freeplane/-/commit/49aaf361350e7aabb5e0ca903197313a03d9c647
------------------------------------------------------------------------
Don't quote %-escapes in mailcap entries

The %s placeholder in a mailcap entry is quoted. That is considered unsafe. Proper escaping should be left to the programs using the entry.

Closes: #985597
Fixes: lintian: quoted-placeholder-in-mailcap-entry
See-also: https://lintian.debian.org/tags/quoted-placeholder-in-mailcap-entry.html
------------------------------------------------------------------------

(this message was generated automatically)
-- 
Greetings

https://bugs.debian.org/985597