Bug 628796 (CVE-2017-12904)

Summary:	<net-news/newsbeuter-2.9-r3: Improper input sanitization of special elements in bookmarking function
Product:	Gentoo Security	Reporter:	Agostino Sarubbo <ago>
Component:	Vulnerabilities	Assignee:	Gentoo Security <security>
Status:	RESOLVED FIXED
Severity:	normal	CC:	radhermit
Priority:	Normal
Version:	unspecified
Hardware:	All
OS:	Linux
URL:	https://bugzilla.redhat.com/show_bug.cgi?id=1484518
Whiteboard:	B2 [glsa+ cve]
Package list:		Runtime testing required:	---
Bug Depends on:	631150
Bug Blocks:

Description Agostino Sarubbo gentoo-dev

2017-08-24 08:34:36 UTC

From ${URL} :

Improper Neutralization of Special Elements used in an OS Command in
bookmarking function of Newsbeuter versions 0.7 through 2.9 allows
remote attackers to perform user-assisted code execution by crafting
an RSS item that includes shell code in its title and/or URL.

Upstream bug:

https://github.com/akrennmair/newsbeuter/issues/591

Upstream patch:

https://github.com/akrennmair/newsbeuter/commit/96e9506ae9e252c548665152d1b8968297128307

References:

https://groups.google.com/d/topic/newsbeuter/iFqSE7Vz-DE
https://www.debian.org/security/2017/dsa-3947


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.

Comment 1 Tim Harder gentoo-dev

2017-08-24 09:23:01 UTC

Fixed and stabilized in 2.9-r3 in the tree.

Comment 2 Christopher Díaz Riveros (RETIRED) gentoo-dev

2017-08-24 14:44:42 UTC

Thanks for the info,

@Security could you please add to an existing glsa or file a new one and add the cve

Thanks

Gentoo Security Padawan
ChrisADR

Comment 3 Christopher Díaz Riveros (RETIRED) gentoo-dev

2017-09-12 02:39:22 UTC

New GLSA Request filed.

@Security please add cve to database.

Gentoo Security Padawan
ChrisADR

Comment 4 GLSAMaker/CVETool Bot gentoo-dev

2018-01-17 13:47:00 UTC

This issue was resolved and addressed in
 GLSA 201801-18 at https://security.gentoo.org/glsa/201801-18
by GLSA coordinator Aaron Bauman (b-man).