There is a Shell Command Injection vulnerability in the version of MATE Menu currently residing in the official Ubuntu archive. This issue is described here:
* https://bugs.launchpad.net/ubuntu-mate/+bug/1422402
mate-menu 5.6.2 directly addresses the issue above, but as you point out was not released in Ubuntu. Should I change the entry for mate-menu 5.6.2 in the changelog to UNRELEASED?
However, after doing a code review I found other exploitable methods in the package management features of MATE Menu.
So I started on mate-menu 5.6.3 and the following changes address the other exploitable code.
+ Removed package management features.
+ Removed useless imports and dead code.
+ Refactored some os.system() calls to Pythonic equivalents.
Personally, I do not think a Menu should be trying to be a package manager, certainly not one that is exploitable. Before removing those features I consulted with the Ubuntu MATE community here:
* https://plus.google.com/103917631499285627130/posts/jkrMzsC3Brs
The message was clear: most people didn't know the package management features existed, and of those that did know about it, they didn't use it. So I took the decision to remove an insecure unused feature rather than fix it.
I hope that explains my rationale.
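As an added illustration of the os.system() pattern the post refers to (this is constructed example code, not mate-menu's own code and not the author's patch): a command string built by interpolating user input is handed to /bin/sh, so a `;`, `$(...)` or backtick in the input becomes a second command. The Pythonic equivalent passes an argv list to subprocess with no shell, so the input reaches the program as a single argument. `echo` stands in here for the package-manager command (such as `apt-cache search`) so the example runs offline; the package-name check follows the Debian policy character set for binary package names.

```python
"""Shell command injection via os.system()-style strings, and the fix.

Constructed illustration, not code from mate-menu. `echo` stands in for the
package-manager command so the example runs without apt.
"""
import re
import shlex
import subprocess

# Debian policy: package names use only lowercase letters, digits, '+', '-'
# and '.', are at least two characters long and start with an alphanumeric.
PACKAGE_NAME_RE = re.compile(r"^[a-z0-9][a-z0-9+.-]+$")


def vulnerable_search(query: str) -> str:
    """The os.system() pattern: user input interpolated into a shell string.

    Behaves like os.system("echo %s" % query), with stdout captured so the
    effect is visible. Whatever the user typed is parsed by /bin/sh.
    """
    proc = subprocess.run("echo %s" % query, shell=True,
                          capture_output=True, text=True)
    return proc.stdout


def safe_search(query: str) -> str:
    """Pythonic equivalent: argv list, no shell.

    The query is delivered to the program as exactly one argument, so shell
    metacharacters in it are just bytes in that argument.
    """
    proc = subprocess.run(["echo", query], capture_output=True,
                          text=True, check=True)
    return proc.stdout


def quoted_shell_search(query: str) -> str:
    """If a shell is genuinely required, quote every interpolated value."""
    proc = subprocess.run("echo " + shlex.quote(query), shell=True,
                          capture_output=True, text=True)
    return proc.stdout


def is_valid_package_name(name: str) -> bool:
    """Allow-list check to apply before a name reaches any package tool."""
    return PACKAGE_NAME_RE.fullmatch(name) is not None


if __name__ == "__main__":
    payload = "hello; echo INJECTED"
    print("vulnerable:", repr(vulnerable_search(payload)))   # two commands ran
    print("safe:      ", repr(safe_search(payload)))         # one literal argument
    print("quoted:    ", repr(quoted_shell_search(payload)))
    print("valid name:", is_valid_package_name("mate-menu"),
          is_valid_package_name(payload))
```

The argv-list form is the one to reach for: it needs no quoting discipline at every call site, and it also sidesteps the shell's word splitting and globbing of the input. The allow-list check belongs in front of either form, since a syntactically valid package name is a much smaller target than "any string the shell will accept".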