CVE-2008-1688

Name	CVE-2008-1688
Description	Unspecified vulnerability in GNU m4 before 1.4.11 might allow context-dependent attackers to execute arbitrary code, related to improper handling of filenames specified with the -F option. NOTE: it is not clear when this issue crosses privilege boundaries.
Source	CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
m4 (PTS)	buster	1.4.18-2	vulnerable
	bullseye	1.4.18-5	vulnerable
	bookworm, sid	1.4.19-3	vulnerable

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Urgency	Origin	Debian Bugs
m4	source	(unstable)	(unfixed)	unimportant

The file name is passed through a cmdline argument and m4 doesn't run with
elevated privileges.