Leonard Stiles discovered that lv, a multilingual file viewer, would read options from a configuration file in the current directory. Because such a file could be placed there by a malicious user, and lv configuration options can be used to execute commands, this represented a security vulnerability. An attacker could gain the privileges of the user invoking lv, including root.
For the stable distribution (woody) this problem has been fixed in version 4.49.4-7woody2.
For the old stable distribution (potato) this problem has been fixed in version 4.49.3-4potato2.
For the unstable distribution (sid) this problem is fixed in version 4.49.5-2.
We recommend that you update your lv package.