diff options
| author | Natanael Copa <ncopa@alpinelinux.org> | 2017-08-22 17:32:48 +0000 |
|---|---|---|
| committer | Natanael Copa <ncopa@alpinelinux.org> | 2017-08-22 17:32:48 +0000 |
| commit | 11e04ac2e09480aaa71ff041b2ddc627a688b8d3 (patch) | |
| tree | 13289c5a073f5d520ee04b01f6c2c0193cc498e5 /main | |
| parent | 4c72797d6bcc577f4d3859193d5954e40e8dfed0 (diff) | |
| download | aports-11e04ac2e09480aaa71ff041b2ddc627a688b8d3.tar.bz2 aports-11e04ac2e09480aaa71ff041b2ddc627a688b8d3.tar.xz | |
main/newsbeuter: security fix for CVE-2017-12904
fixes #7726
Diffstat (limited to 'main')
| -rw-r--r-- | main/newsbeuter/APKBUILD | 10 | ||||
| -rw-r--r-- | main/newsbeuter/CVE-2017-12904.patch | 36 |
2 files changed, 44 insertions, 2 deletions
diff --git a/main/newsbeuter/APKBUILD b/main/newsbeuter/APKBUILD index e1d432b611..7dc511de20 100644 --- a/main/newsbeuter/APKBUILD +++ b/main/newsbeuter/APKBUILD @@ -1,7 +1,7 @@ # Maintainer: Natanael Copa <ncopa@alpinelinux.org> pkgname=newsbeuter pkgver=2.9 -pkgrel=3 +pkgrel=4 pkgdesc="Configurable text-based feed reader" url="http://newsbeuter.org/" arch="all" @@ -17,8 +17,13 @@ source="http://newsbeuter.org/downloads/newsbeuter-$pkgver.tar.gz newsbeuter-2.9-ncurses6.patch fix-segfault.patch musl_const.patch + CVE-2017-12904.patch " +# secfixes: +# 2.9-r4: +# - CVE-2017-12904 + _builddir="$srcdir"/newsbeuter-$pkgver prepare() { local i @@ -48,4 +53,5 @@ sha512sums="b173008c8c8d3729f8ccef3ce62645a05c1803fb842d5c0afdf9ffd4ed3726030f9c 1cfbe93cd8ca5785b1c26ccfdf1ed467700046c8ca564f33752b0f04f91d37765f83bf82ad593eae41532edf79a8f6992283255f9a2aa8293d14728b175c9dd7 0001-Remove-iconv-translit-references.patch 08f7125fd8f2b33fa5e36cbd947ec90bcd8b08be2df7961aced20ce031788b3970c1adeb027b1527ba06f18ddbc38518f2c22da6b5fdbc4b1cd5b0edda22ba0b newsbeuter-2.9-ncurses6.patch da986beb12b0ba473fea55c067abcdcdae6c073bf4d66bc8913696a4da99c4072edaf3910769d8e4bcef3a0411875eb23fbc840e0e7572aa0e16e922cc3d2947 fix-segfault.patch -f5be61b58aa1470090f0bbd519d00a8dae9ef78214787664fd05a8274877b1a20fb38e88058ab6dd8fb61f7fa433683fbecbc16d03bc625cef0cfc0cccf5e246 musl_const.patch" +f5be61b58aa1470090f0bbd519d00a8dae9ef78214787664fd05a8274877b1a20fb38e88058ab6dd8fb61f7fa433683fbecbc16d03bc625cef0cfc0cccf5e246 musl_const.patch +cef1a625781081430bcaa7fbec74a58ce656a22cd94d5ff1a6983165e053fdfbd869aebd8041fb34a7325a312f15c84b2a1093d237e2680b9244f0917baa1c4c CVE-2017-12904.patch" diff --git a/main/newsbeuter/CVE-2017-12904.patch b/main/newsbeuter/CVE-2017-12904.patch new file mode 100644 index 0000000000..77cf171cdf --- /dev/null +++ b/main/newsbeuter/CVE-2017-12904.patch @@ -0,0 +1,36 @@ +From d1460189f6f810ca9a3687af7bc43feb7f2af2d9 Mon Sep 17 00:00:00 2001 +From: Alexander Batischev <eual.jp@gmail.com> +Date: Sat, 19 Aug 2017 15:09:25 +0300 +Subject: [PATCH] Sanitize inputs to bookmark-cmd (#591) + +Newsbeuter didn't properly shell-escape the arguments passed to +bookmarking command, which allows a remote attacker to perform remote +code execution by crafting an RSS item whose title and/or URL contain +something interpretable by the shell (most notably subshell +invocations.) + +This has been reported by Jeriko One <jeriko.one@gmx.us>, complete with +PoC and a patch. + +This vulnerability was assigned CVE-2017-12904. +--- + src/controller.cpp | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/src/controller.cpp b/src/controller.cpp +index 4fc10608..5c8e7b81 100644 +--- a/src/controller.cpp ++++ b/src/controller.cpp +@@ -1275,9 +1275,10 @@ std::string controller::bookmark(const std::string& url, const std::string& titl + std::string bookmark_cmd = cfg.get_configvalue("bookmark-cmd"); + bool is_interactive = cfg.get_configvalue_as_bool("bookmark-interactive"); + if (bookmark_cmd.length() > 0) { +- std::string cmdline = utils::strprintf("%s '%s' %s %s", ++ std::string cmdline = utils::strprintf("%s '%s' '%s' '%s'", + bookmark_cmd.c_str(), utils::replace_all(url,"'", "%27").c_str(), +- stfl::quote(title).c_str(), stfl::quote(description).c_str()); ++ utils::replace_all(title,"'", "%27").c_str(), ++ utils::replace_all(description,"'", "%27").c_str()); + + LOG(LOG_DEBUG, "controller::bookmark: cmd = %s", cmdline.c_str()); + |