fish.c in midnight commander allows remote attackers to execute arbitrary programs via "insecure filename quoting," possibly using shell metacharacters.
https://exchange.xforce.ibmcloud.com/vulnerabilities/18906
http://www.redhat.com/support/errata/RHSA-2005-512.html
http://www.debian.org/security/2005/dsa-639