improper shell quoting

Binary package hint: enemies-of-carlotta

As reported by upstream:

--Start--
Antti-Juhani Kaijanaho found a security problem in EoC, both the 1.0.3
and the 1.2.3 versions. The problem is that EoC did not quote shell
arguments properly. I have fixed the problem in 1.2.4, which contains no
other changes relative to 1.2.3. This problem has the code
CVE-2006-5875.

You can find the 1.2.4 version from the EoC website:
http://liw.iki.fi/liw/eoc/ and I have also uploaded it to Debian's
unstable.

Debian's stable contains 1.0.3, and I have prepared a patch for that. It
is actually essentially the same patch as was used to create 1.2.4. The
Debian security team has uploaded a fixed version of the 1.0.3 package
to security.debian.org. I've attached it to this message in case anyone
not running Debian wants to stay with 1.0.3, but I won't be releasing a
1.0.4 unless someone really needs it (if you do, please tell me
immediately).

For risk assessment: I was unable to come up with an exploit. Doing so
would require getting a certain kind of construct through the SMTP level
to EoC, and I wasn't able to make that happen, but I would not rely on
it being impossible. Therefore, please upgrade immediately.

I apologize for this problem. It was amateurish to let the problematic
code into a released version of the program, I knew better than do that.
--EOM--