CVE-2023-1350 (https://nvd.nist.gov/vuln/detail/CVE-2023-1350)

A vulnerability was found in liferea. It has been rated as critical. Affected by this issue is the function update_job_run of the file src/update.c of the component Feed Enrichment. The manipulation of the argument source with the input |date >/tmp/bad-item-link.txt leads to OS command injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The name of the patch is 8d8b5b963fa64c7a2122d1bbfbb0bed46e813e59. It is recommended to apply a patch to fix this issue. The identifier of this vulnerability is VDB-222848.

Patch: https://github.com/lwindolf/liferea/commit/8d8b5b963fa64c7a2122d1bbfbb0bed46e813e59

Reproducible: Always
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=64cf62ae757f2c35ec0a9b7db4a81998a6be8bcc

commit 64cf62ae757f2c35ec0a9b7db4a81998a6be8bcc
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2023-03-15 05:00:23 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2023-03-15 05:00:23 +0000

    net-news/liferea: drop 1.14.0

    Bug: https://bugs.gentoo.org/901085
    Signed-off-by: Sam James <sam@gentoo.org>

 net-news/liferea/Manifest              |  1 -
 net-news/liferea/liferea-1.14.0.ebuild | 72 ----------------------------------
 2 files changed, 73 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ff30e326baee3f26591724553397e1f9cca0a0d9

commit ff30e326baee3f26591724553397e1f9cca0a0d9
Author:     Cristian Othón Martínez Vera <cfuga@cfuga.mx>
AuthorDate: 2023-03-13 21:32:23 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2023-03-15 05:00:11 +0000

    net-news/liferea: add 1.12.10, 1.14.1 (Fix RCE vulnerability on feed enrichment)

    Fix CVE-2023-1350.

    Bug: https://bugs.gentoo.org/901085
    Closes: https://github.com/gentoo/gentoo/pull/30103
    Signed-off-by: Cristian Othón Martínez Vera <cfuga@cfuga.mx>
    Signed-off-by: Sam James <sam@gentoo.org>

 net-news/liferea/Manifest               |  2 +
 net-news/liferea/liferea-1.12.10.ebuild | 74 +++++++++++++++++++++++++++++++++
 net-news/liferea/liferea-1.14.1.ebuild  | 69 ++++++++++++++++++++++++++++++
 3 files changed, 145 insertions(+)
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e050c0668826f5cc3f8190c9cb8d787aebea816d

commit e050c0668826f5cc3f8190c9cb8d787aebea816d
Author:     John Helmert III <ajak@gentoo.org>
AuthorDate: 2023-04-19 04:21:51 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2023-04-19 04:26:29 +0000

    net-news/liferea: drop 1.12.9-r2

    Bug: https://bugs.gentoo.org/901085
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 net-news/liferea/Manifest                 |  1 -
 net-news/liferea/liferea-1.12.9-r2.ebuild | 74 -------------------------------
 2 files changed, 75 deletions(-)
Thanks!
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=4ae2e26a770ee27c081f2011f4d1f220735c82ad

commit 4ae2e26a770ee27c081f2011f4d1f220735c82ad
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2024-07-01 05:56:34 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2024-07-01 06:09:15 +0000

    [ GLSA 202407-03 ] Liferea: Remote Code Execution

    Bug: https://bugs.gentoo.org/901085
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 glsa-202407-03.xml | 42 ++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 42 insertions(+)