Comment 2 for bug 1427742

Martin Wimpress  (flexiondotorg) wrote :

There is a Shell Command Injection vulnerability in the version of MATE Menu currently residing in the official Ubuntu archive. This issue is described here:

  * https://bugs.launchpad.net/ubuntu-mate/+bug/1422402

mate-menu 5.6.2 directly addresses the issue above, but as you point out was not released in Ubuntu. Should I change the entry for mate-menu 5.6.2 in the changelog to UNRELEASED?

However, after doing a code review I found other exploitable methods in the package management features of MATE Menu.

So I started on mate-menu 5.6.3 and the following changes address the other exploitable code.

  + Removed package management features.
  + Removed useless imports and dead code.
  + Refactored some os.system() calls to Pythonic equivalents.

Personally, I do not think a Menu should be trying to be a package manager, certainly not one that is exploitable. Before removing those features I consulted with the Ubuntu MATE community here:

  * https://plus.google.com/103917631499285627130/posts/jkrMzsC3Brs

The message was clear: most people didn't know the package management features existed, and of those that did know about it, they didn't use it. So I took the decision to remove an insecure unused feature rather than fix it.

I hope that explains my rationale.
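The comment above mentions replacing os.system() calls with Pythonic equivalents. The following is an added example, not mate-menu's own code, showing the hardened pattern for one package-management style call: validate the package name against Debian's naming rules, then invoke the tool with an argument list so no shell ever parses the input. The helper names and the apt-cache command are assumptions for illustration.

```python
import re
import subprocess

# Debian package names: lowercase letters, digits, '+', '-', '.';
# at least two characters, starting with a letter or digit (Debian Policy 5.6.1).
_PKG_NAME = re.compile(r"^[a-z0-9][a-z0-9+.-]+$")


def is_valid_package_name(package: str) -> bool:
    """True if the string is a well-formed Debian package name."""
    return bool(_PKG_NAME.match(package))


def build_apt_cache_argv(package: str) -> list:
    """Build the argv list for 'apt-cache show <package>'.

    The vulnerable pattern this replaces looked like
        os.system("apt-cache show %s" % package)
    where the whole string is handed to /bin/sh, so any shell syntax in
    'package' is interpreted. Here the name is validated first, and the
    command is returned as a list: passed to subprocess without shell=True,
    each element reaches the program as a single argument, untouched by a shell.
    """
    if not is_valid_package_name(package):
        raise ValueError("invalid package name: %r" % package)
    return ["apt-cache", "show", package]


def apt_cache_show(package: str) -> subprocess.CompletedProcess:
    """Run the validated command. No shell is involved (shell=False is the default)."""
    return subprocess.run(build_apt_cache_argv(package),
                          check=False, capture_output=True, text=True)


if __name__ == "__main__":
    for name in ("mate-menu", "mate-menu; touch /tmp/x", "MATE"):
        try:
            print(build_apt_cache_argv(name))
        except ValueError as exc:
            print("rejected:", exc)
```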