xscreensaver: filename command injection in vidwhacker screensaver

[Hanno Böck <hanno () hboeck de>]

The "vidwhacker" screensaver in xscreensaver does not properly escape
filenames of input images, allowing command injection via filenames.

The autor of xscreensaver considers this a non-issue.

xscreensaver contains a screensaver called "vidwhacker" which uses
image files as an input and passes them to various command line tools
for decoding. A user can configure a directory with images.

The filenames are passed to the command line tools without any
escaping. This allows injecting commands, e.g. via subshells.

PoC:
* Create a dir with a file named '$(touch pwn).png'
* Run xscreensaver-demo, configure the vidwhacker directory to above
  dir and run preview.
* File "pwn" gets created.

I believe this is a low risk security issue. A possible attack
scenario would be e.g. someone providing an image collection to a
victim which is large enough that an unusual filename wouldn't be noted.

The author of xscreensaver disagrees and wrote me he considers this a
non-issue.

-- 
Hanno Böck
https://hboeck.de/