wmtv 0.6.5 and previous versions do not properly drop privileges, which allows local users to execute arbitrary commands via the -e (external command) option.

Nicolas Boullis found a nasty security problem in the wmtv (a
dockable video4linux TV player for windowmaker) package as
distributed in Debian GNU/Linux 2.2.

wmtv can optionally run a command if you double-click on the TV
window. This command can be specified using the -e command line
option. However, since wmtv is installed suid root, this command ...
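
The fix for this class of bug is to give up root permanently before the user-supplied command is executed. The following is an added example, not wmtv's own code or its actual patch: `drop_privileges` and `run_external_command` are hypothetical names, and running the command through `/bin/sh -c` is an assumption about how an external command would be launched.

```c
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Permanently give up set-uid-root privileges. Returns 0 on success.
 * setuid() clears the saved uid only while the effective uid is root,
 * which is the suid-root case the advisory describes. */
int drop_privileges(void)
{
    uid_t ruid = getuid(), old_euid = geteuid();
    gid_t rgid = getgid(), old_egid = getegid();

    /* Group first: once the uid is dropped we may no longer change gid. */
    if (setgid(rgid) != 0 || setuid(ruid) != 0)
        return -1;
    /* Verify the drop took effect and cannot be undone. */
    if (geteuid() != ruid || getegid() != rgid)
        return -1;
    if (old_euid != ruid && seteuid(old_euid) == 0)
        return -1;
    if (old_egid != rgid && setegid(old_egid) == 0)
        return -1;
    return 0;
}

/* Run cmd via /bin/sh as the invoking user; returns its exit status or -1. */
int run_external_command(const char *cmd)
{
    int status;
    pid_t pid = fork();

    if (pid < 0)
        return -1;
    if (pid == 0) {
        /* Child: never exec with elevated privileges; fail closed. */
        if (drop_privileges() != 0)
            _exit(126);
        execl("/bin/sh", "sh", "-c", cmd, (char *)NULL);
        _exit(127); /* exec failed */
    }
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

int main(int argc, char **argv)
{
    return argc > 1 ? run_external_command(argv[1]) : 0;
}
```

The return value of every `setgid`/`setuid` call is checked because an unchecked failure leaves the child running the command as root.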