A multilingual file viewer, lv, will read options from a configuration file in the current directory. As such, a file could be placed there by a malicious user, and lv configuration options could be used to execute commands. An attacker could then gain the privileges of the user invoking lv, including root.
For the stable distribution (woody) this problem has been fixed in version 4.49.4-7woody2.
For the old stable distribution (potato) this problem has been fixed in version 4.49.3-4potato2.
For the unstable distribution (sid) this problem is fixed in version 4.49.5-2.
Users are advised to update their lv packages.
For details, see http://www.debian.org/security/2003/dsa-304.