diff options
| author | Natanael Copa <ncopa@alpinelinux.org> | 2017-08-22 17:32:48 +0000 |
|---|---|---|
| committer | Natanael Copa <ncopa@alpinelinux.org> | 2017-08-22 19:51:56 +0200 |
| commit | 87767f695c4ae5a5f0f5c7b878e5a996d78fd859 (patch) | |
| tree | 7aa4b32ed287d70249eb53c584dd39eb5fd8015a | |
| parent | c35b0b809dc21194dae7b0d8a733b5dbf22535cd (diff) | |
| download | aports-87767f695c4ae5a5f0f5c7b878e5a996d78fd859.tar.bz2 aports-87767f695c4ae5a5f0f5c7b878e5a996d78fd859.tar.xz | |
main/newsbeuter: security fix for CVE-2017-12904
fixes #7730
| -rw-r--r-- | main/newsbeuter/APKBUILD | 16 | ||||
| -rw-r--r-- | main/newsbeuter/CVE-2017-12904.patch | 36 |
2 files changed, 48 insertions, 4 deletions
diff --git a/main/newsbeuter/APKBUILD b/main/newsbeuter/APKBUILD index 4a7ff510dc..2845c51d34 100644 --- a/main/newsbeuter/APKBUILD +++ b/main/newsbeuter/APKBUILD @@ -1,7 +1,7 @@ # Maintainer: Natanael Copa <ncopa@alpinelinux.org> pkgname=newsbeuter pkgver=2.9 -pkgrel=3 +pkgrel=4 pkgdesc="Configurable text-based feed reader" url="http://newsbeuter.org/" arch="all" @@ -16,8 +16,13 @@ source="http://newsbeuter.org/downloads/newsbeuter-$pkgver.tar.gz 0001-Remove-iconv-translit-references.patch newsbeuter-2.9-ncurses6.patch fix-segfault.patch + CVE-2017-12904.patch " +# secfixes: +# 2.9-r4: +# - CVE-2017-12904 + _builddir="$srcdir"/newsbeuter-$pkgver prepare() { local i @@ -46,12 +51,15 @@ package() { md5sums="9cf332dc7e591023147bda7add430835 newsbeuter-2.9.tar.gz 2d158695303d3605425d5b30465408b8 0001-Remove-iconv-translit-references.patch 6450d3794d543f9edae934f86a3ce7ef newsbeuter-2.9-ncurses6.patch -bbf607a93fa88d75a137e60b2b4d8eba fix-segfault.patch" +bbf607a93fa88d75a137e60b2b4d8eba fix-segfault.patch +1d47db94b79327075b433bb6f1c79968 CVE-2017-12904.patch" sha256sums="74a8bf019b09c3b270ba95adc29f2bbe48ea1f55cc0634276b21fcce1f043dc8 newsbeuter-2.9.tar.gz 122613fd512a17f938d98ceb5aa3a1a9ddcff7dc4e7ac640e490637d2f645ba9 0001-Remove-iconv-translit-references.patch 5ae54c463f44d91725da3be655d2b107d598ade6da86ab4a99b10b039b8dba27 newsbeuter-2.9-ncurses6.patch -6359708ee01f5e1b773a6ed79b7369b30aad5397b85fd252c2fa7d0c2616ea86 fix-segfault.patch" +6359708ee01f5e1b773a6ed79b7369b30aad5397b85fd252c2fa7d0c2616ea86 fix-segfault.patch +6e31fa282a6f420063603845194d292c779f450e3cd5afc2323ae86c8c14f664 CVE-2017-12904.patch" sha512sums="b173008c8c8d3729f8ccef3ce62645a05c1803fb842d5c0afdf9ffd4ed3726030f9c359c20bc817402a6a0ea12af742d0ae7faf9b92d52c11f420f62b430b0aa newsbeuter-2.9.tar.gz 1cfbe93cd8ca5785b1c26ccfdf1ed467700046c8ca564f33752b0f04f91d37765f83bf82ad593eae41532edf79a8f6992283255f9a2aa8293d14728b175c9dd7 0001-Remove-iconv-translit-references.patch 08f7125fd8f2b33fa5e36cbd947ec90bcd8b08be2df7961aced20ce031788b3970c1adeb027b1527ba06f18ddbc38518f2c22da6b5fdbc4b1cd5b0edda22ba0b newsbeuter-2.9-ncurses6.patch -da986beb12b0ba473fea55c067abcdcdae6c073bf4d66bc8913696a4da99c4072edaf3910769d8e4bcef3a0411875eb23fbc840e0e7572aa0e16e922cc3d2947 fix-segfault.patch" +da986beb12b0ba473fea55c067abcdcdae6c073bf4d66bc8913696a4da99c4072edaf3910769d8e4bcef3a0411875eb23fbc840e0e7572aa0e16e922cc3d2947 fix-segfault.patch +cef1a625781081430bcaa7fbec74a58ce656a22cd94d5ff1a6983165e053fdfbd869aebd8041fb34a7325a312f15c84b2a1093d237e2680b9244f0917baa1c4c CVE-2017-12904.patch" diff --git a/main/newsbeuter/CVE-2017-12904.patch b/main/newsbeuter/CVE-2017-12904.patch new file mode 100644 index 0000000000..77cf171cdf --- /dev/null +++ b/main/newsbeuter/CVE-2017-12904.patch @@ -0,0 +1,36 @@ +From d1460189f6f810ca9a3687af7bc43feb7f2af2d9 Mon Sep 17 00:00:00 2001 +From: Alexander Batischev <eual.jp@gmail.com> +Date: Sat, 19 Aug 2017 15:09:25 +0300 +Subject: [PATCH] Sanitize inputs to bookmark-cmd (#591) + +Newsbeuter didn't properly shell-escape the arguments passed to +bookmarking command, which allows a remote attacker to perform remote +code execution by crafting an RSS item whose title and/or URL contain +something interpretable by the shell (most notably subshell +invocations.) + +This has been reported by Jeriko One <jeriko.one@gmx.us>, complete with +PoC and a patch. + +This vulnerability was assigned CVE-2017-12904. +--- + src/controller.cpp | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/src/controller.cpp b/src/controller.cpp +index 4fc10608..5c8e7b81 100644 +--- a/src/controller.cpp ++++ b/src/controller.cpp +@@ -1275,9 +1275,10 @@ std::string controller::bookmark(const std::string& url, const std::string& titl + std::string bookmark_cmd = cfg.get_configvalue("bookmark-cmd"); + bool is_interactive = cfg.get_configvalue_as_bool("bookmark-interactive"); + if (bookmark_cmd.length() > 0) { +- std::string cmdline = utils::strprintf("%s '%s' %s %s", ++ std::string cmdline = utils::strprintf("%s '%s' '%s' '%s'", + bookmark_cmd.c_str(), utils::replace_all(url,"'", "%27").c_str(), +- stfl::quote(title).c_str(), stfl::quote(description).c_str()); ++ utils::replace_all(title,"'", "%27").c_str(), ++ utils::replace_all(description,"'", "%27").c_str()); + + LOG(LOG_DEBUG, "controller::bookmark: cmd = %s", cmdline.c_str()); + |