Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 901085 (CVE-2023-1350) - <net-news/liferea-1.12.10: Fix RCE vulnerability on feed enrichment
Summary: <net-news/liferea-1.12.10: Fix RCE vulnerability on feed enrichment
Status: IN_PROGRESS
Alias: CVE-2023-1350
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL:
Whiteboard: B2 [glsa?]
Keywords: PullRequest
Depends on: 901261
Blocks:
  Show dependency tree
 
Reported: 2023-03-13 21:26 UTC by CFuga
Modified: 2023-04-19 04:27 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description CFuga 2023-03-13 21:26:09 UTC 
CVE-2023-1350 (https://nvd.nist.gov/vuln/detail/CVE-2023-1350)

A vulnerability was found in liferea. It has been rated as critical. Affected by this issue is the function update_job_run of the file src/update.c of the component Feed Enrichment. The manipulation of the argument source with the input |date >/tmp/bad-item-link.txt leads to os command injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The name of the patch is 8d8b5b963fa64c7a2122d1bbfbb0bed46e813e59. It is recommended to apply a patch to fix this issue. The identifier of this vulnerability is VDB-222848.

Patch: https://github.com/lwindolf/liferea/commit/8d8b5b963fa64c7a2122d1bbfbb0bed46e813e59

Reproducible: Always
Comment 1 Larry the Git Cow gentoo-dev 2023-03-15 05:00:52 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=64cf62ae757f2c35ec0a9b7db4a81998a6be8bcc

commit 64cf62ae757f2c35ec0a9b7db4a81998a6be8bcc
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2023-03-15 05:00:23 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2023-03-15 05:00:23 +0000

    net-news/liferea: drop 1.14.0
    
    Bug: https://bugs.gentoo.org/901085
    Signed-off-by: Sam James <sam@gentoo.org>

 net-news/liferea/Manifest              |  1 -
 net-news/liferea/liferea-1.14.0.ebuild | 72 ----------------------------------
 2 files changed, 73 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ff30e326baee3f26591724553397e1f9cca0a0d9

commit ff30e326baee3f26591724553397e1f9cca0a0d9
Author:     Cristian Othón Martínez Vera <cfuga@cfuga.mx>
AuthorDate: 2023-03-13 21:32:23 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2023-03-15 05:00:11 +0000

    net-news/liferea: add 1.12.10, 1.14.1 (Fix RCE vulnerability on feed enrichment)
    
    Fix CVE-2023-1350.
    
    Bug: https://bugs.gentoo.org/901085
    Closes: https://github.com/gentoo/gentoo/pull/30103
    Signed-off-by: Cristian Othón Martínez Vera <cfuga@cfuga.mx>
    Signed-off-by: Sam James <sam@gentoo.org>

 net-news/liferea/Manifest               |  2 +
 net-news/liferea/liferea-1.12.10.ebuild | 74 +++++++++++++++++++++++++++++++++
 net-news/liferea/liferea-1.14.1.ebuild  | 69 ++++++++++++++++++++++++++++++
 3 files changed, 145 insertions(+)
Comment 2 Larry the Git Cow gentoo-dev 2023-04-19 04:26:58 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e050c0668826f5cc3f8190c9cb8d787aebea816d

commit e050c0668826f5cc3f8190c9cb8d787aebea816d
Author:     John Helmert III <ajak@gentoo.org>
AuthorDate: 2023-04-19 04:21:51 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2023-04-19 04:26:29 +0000

    net-news/liferea: drop 1.12.9-r2
    
    Bug: https://bugs.gentoo.org/901085
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 net-news/liferea/Manifest                 |  1 -
 net-news/liferea/liferea-1.12.9-r2.ebuild | 74 -------------------------------
 2 files changed, 75 deletions(-)
Comment 3 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-04-19 04:27:35 UTC 
Thanks!