1 files changed, 30 insertions, 0 deletions

diff --git a/multimedia/winff/changelog b/multimedia/winff/changelog
index 6da305c6fba7e..87fd59ce0f280 100644
--- a/multimedia/winff/changelog
+++ b/multimedia/winff/changelog
@@ -70,3 +70,33 @@ in slackware.
 This build removes all other localization files except english
 since it contains outdated links and may pose security risk.
 Bumped the build no.
+
+20/01/2023:
+
+Fixed $ARCH issue for 32-bit systems. freepascal supports i386
+only. The SlackBuild is modified to reflect that.Bumped the
+build no.
+
+Users of WinFF must be aware of these two security issues that are
+still unresolved upstream.
+
+a. The first one is due to the way filenames are inserted in the
+temporary shell scripts generated to convert the media. Due to the
+lack of character escaping, it is possible to insert system command using
+specially crafted filename such as 'aaa";xcalc;".avi' or "aaa$(xcalc).mp4'
+Thus leading to an arbitrary command execution.
+
+b. The second issue is related to the permission of this temporary shell
+script.  every users can access to them and modify them. Even if those files
+are  only temporary and launched right after generation, it leads to a
+race-condition case where another user may try to replace the script content
+before its  execution in order to execute its own command with the winff
+user permission.
+
+you can read about this issue here:
+https://github.com/WinFF/winff/issues/242
+
+As for first issue check the filename before converting otherwise it
+will compromise your system and don't download from untrusted sources.
+For the second I have no clue and this is beyond my abilities.If you have
+a patch for these issue feel free to send it to me.