Wed, 22 Jan 2025 21:35:51 -0600
Updates for the 2.14.14 release
Testing Done:
Ran `npm run hugo:server` and verified the download links and changelog were displayed properly.
Reviewed at https://reviews.imfreedom.org/r/3782/
--- title: cve-2004-0784-00 date: 2004-08-22T00:00:00.000Z cveNumber: cve-2004-0784 summary: Smiley theme installation lack of escaping discoveredBy: A Gaim Crazy Patch Writer fixedInRelease: 0.82 layout: cve hidden: true --- ### Description To install a new smiley theme, a user can drag a tarball from a graphical file manager, or a hypertext link to one from a web browser. When a tarball is dragged, Gaim executes a shell command to untar it. However, it does not escape the filename before sending it to the shell. Thus, a specially crafted filename could execute arbitrary commands if the user could be convinced to drag a file into the smiley theme selector. ### Mitigation Filenames are now escaped using `g_shell_quote()`.