diff -u usb-imagewriter-0.1.3/lib/imagewriter.py usb-imagewriter-0.1.3/lib/imagewriter.py
--- usb-imagewriter-0.1.3/lib/imagewriter.py
+++ usb-imagewriter-0.1.3/lib/imagewriter.py
@@ -98,7 +98,7 @@
 combo = self.wTree.get_widget("device_combobox")
 combo.set_sensitive(False)
 self.chooser.set_sensitive(False)
- source = '\"%s\"' % self.chooser.get_filename()
+ source = self.chooser.get_filename()
 target = self.dev.split('(')[1].rstrip(')')
 dialog = self.wTree.get_widget("confirm_dialog")
 self.logger(_('Image: ')+source)
@@ -146,7 +146,7 @@
 self.emergency()
 
 def raw_write(self, source, target):
- data = Popen(['ls -l '+source], shell=True, stdout=PIPE, stderr=PIPE)
+ data = Popen(['ls', '-l', source], shell=False, stdout=PIPE, stderr=PIPE)
 src_size = float(data.stdout.readline().split()[4])*1.0
 progress = self.wTree.get_widget("progressbar")
 progress.set_sensitive(True)
@@ -154,7 +154,7 @@
 self.logger(_('Executing: dd if=')+source+' of='+target)
 while gtk.events_pending():
 gtk.main_iteration(True)
- output = Popen(['dd if='+source+' of='+target+' bs=1024'], stdout=PIPE, stderr=STDOUT, shell=True)
+ output = Popen(['dd' 'if=%s'%source, 'of=%s'%target, 'bs=1024'], stdout=PIPE, stderr=STDOUT, shell=False)
 self.ddpid = output.pid
 while output.stdout.readline():
 line = output.stdout.readline().strip()
diff -u usb-imagewriter-0.1.3/debian/changelog usb-imagewriter-0.1.3/debian/changelog
--- usb-imagewriter-0.1.3/debian/changelog
+++ usb-imagewriter-0.1.3/debian/changelog
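Review bot: With the quoting removed, `source = self.chooser.get_filename()` can now be None (the GTK file chooser returns None when nothing is selected), and the context line `self.logger(_('Image: ')+source)` then raises TypeError instead of logging; before the change the path was always a string, albeit `"None"`. The handler should bail out before the confirm dialog, e.g. `if not source: return` right after the assignment, with whatever re-enabling of `combo` and `self.chooser` the surrounding code expects. The enclosing method starts and ends outside this hunk, so the exact recovery path cannot be seen here.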
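Review bot: The new `Popen(['ls', '-l', source], ...)` still derives the image size by parsing `ls` output, so if `source` does not exist or is unreadable `data.stdout.readline()` returns an empty string and `.split()[4]` on the next line raises IndexError, and the size column index is only right for the default long-listing format. Since the path is now passed as a plain argument there is no reason to shell out at all: `src_size = float(os.path.getsize(source))` replaces both lines (assuming `os` is imported at file level, which this hunk does not show). The `stderr=PIPE` handle is also never read or closed, which the `getsize` version avoids. raw_write continues past the end of this hunk.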
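Review bot: The added `Popen(['dd' 'if=%s'%source, ...])` line is missing the comma after `'dd'`, so the two adjacent literals concatenate and argv[0] becomes `ddif=<path>`; Popen will raise OSError (no such executable) and the write never starts, which is exactly the path this security fix is meant to make work. The line should read `output = Popen(['dd', 'if=%s' % source, 'of=%s' % target, 'bs=1024'], stdout=PIPE, stderr=STDOUT, shell=False)`. Independently, the context loop `while output.stdout.readline(): line = output.stdout.readline().strip()` appears to consume two lines per iteration and discard the first, so half of dd's output would never reach whatever handles `line` below; that is pre-existing, but worth a follow-up since the rest of raw_write lies outside this hunk.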
@@ -1,3 +1,15 @@
+usb-imagewriter (0.1.3-0ubuntu3) karmic; urgency=critical
+
+ * lib/imagewriter.py: New patch to handle spaces in image path (LP: #366607)
+ - This patch fixes a possible command-injection security error, which is
+ the reason for the urgency=critical.
+ - Removed encapsulation in quotes from line 101, as described in the lower
+ change, because that would fail if the path contained quotes.
+ - Used a proper argument list instead of string in both Popen statements.
+ - Changed shell=True to shell=False because it is no longer needed.
+
+ -- Christopher Pavlina Sat, 17 Oct 2009 22:55:27 -0400
+
 usb-imagewriter (0.1.3-0ubuntu2) karmic; urgency=low
 
 [ Siegfried-Angel Gevattder Pujals ]