#987692 smpeg-plaympeg has mailcap entries with quoted %-escapes

Package:
smpeg-plaympeg
Source:
smpeg
Description:
SMPEG command line MPEG audio/video player
Submitter:
Marriott NZ
Date:
2021-04-27 21:39:03 UTC
Severity:
normal
Tags:
#987692#5
Date:
2021-04-27 21:34:43 UTC
From:
To:
Dear Maintainer,
the smpeg-plaympeg package has mailcap entries with quoted %-escapes. That is considered unsafe. Proper escaping should be left to the programs using the entry.

This Lintian tag is triggered:
https://lintian.debian.org/tags/quoted-placeholder-in-mailcap-entry.html

See also grave bug #930908, which was recently closed because "a Lintian test already exists":
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=930908

I'm using the "security" tag because the affected rules in combination with certain mail user agents (or document openers) are the cause of a shell command injection vulnerability.

If you need more information let me know.

Thanks,
MNZ