download feh 3.10.3
view manual
feh-1.11.2.tar.bz2 (signature)
- Use wget --no-clobber to prevent TOCTTOU-based hole allowing a well-informed attacker to rewrite arbitrary user files with images. The attacker needs to know feh's PID and the URL the user gave it. It is still possible for an attacker to create arbitrary files via the same hole.