
Bug 901085 (CVE-2023-1350)

Summary: <net-news/liferea-1.12.10: Fix RCE vulnerability on feed enrichment
Product: Gentoo Security
Reporter: CFuga <cfuga>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: IN_PROGRESS ---
Severity: normal
CC: proxy-maint, ykonotopov
Priority: Normal
Keywords: PullRequest
Version: unspecified
Hardware: All
OS: Linux
See Also: https://github.com/gentoo/gentoo/pull/30103
Whiteboard: B2 [glsa?]
Package list:
Runtime testing required: ---
Bug Depends on: 901261
Bug Blocks:

Description CFuga 2023-03-13 21:26:09 UTC
CVE-2023-1350 (https://nvd.nist.gov/vuln/detail/CVE-2023-1350)

A vulnerability was found in liferea. It has been rated as critical. Affected by this issue is the function update_job_run of the file src/update.c of the component Feed Enrichment. The manipulation of the argument source with the input |date >/tmp/bad-item-link.txt leads to os command injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The name of the patch is 8d8b5b963fa64c7a2122d1bbfbb0bed46e813e59. It is recommended to apply a patch to fix this issue. The identifier of this vulnerability is VDB-222848.

Patch: https://github.com/lwindolf/liferea/commit/8d8b5b963fa64c7a2122d1bbfbb0bed46e813e59

Reproducible: Always
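
The class of check that closes this kind of hole, as an added example that is not liferea's code and not the upstream patch: an allow-list applied to a link taken from feed content before it reaches the fetcher. It assumes, as the input quoted in the description implies, that a source beginning with `|` would otherwise be run as a command; the function name `source_is_fetchable_url` and the sample inputs are constructed for illustration.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Case-insensitive prefix match; stops at the end of s, so it never over-reads. */
static bool has_prefix_nocase(const char *s, const char *prefix)
{
    for (; *prefix != '\0'; s++, prefix++)
        if (tolower((unsigned char)*s) != *prefix)
            return false;
    return true;
}

/* Hypothetical helper: true only for http(s) URLs with a non-empty host part.
 * Everything else (pipe-prefixed commands, file://, bare paths) is refused. */
bool source_is_fetchable_url(const char *source)
{
    static const char *const schemes[] = { "http://", "https://" };
    size_t i;

    if (source == NULL)
        return false;
    /* A URL contains no blanks or control bytes. Refuse them instead of
     * trimming, so leading whitespace cannot hide what follows it. */
    for (i = 0; source[i] != '\0'; i++)
        if ((unsigned char)source[i] <= 0x20 || source[i] == 0x7f)
            return false;
    for (i = 0; i < sizeof schemes / sizeof schemes[0]; i++) {
        size_t n = strlen(schemes[i]);
        if (has_prefix_nocase(source, schemes[i]) &&
            source[n] != '\0' && source[n] != '/')
            return true;
    }
    return false;
}

int main(void)
{
    /* Constructed inputs; the first is the string quoted in the description. */
    const char *samples[] = { "|date >/tmp/bad-item-link.txt",
                              "https://example.org/item/1",
                              "file:///etc/passwd" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-32s %s\n", samples[i],
               source_is_fetchable_url(samples[i]) ? "fetch" : "refuse");
    return 0;
}
```

The check is an allow-list on purpose: testing only for a leading `|` would leave every other non-HTTP source type reachable from feed content.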
Comment 1 Larry the Git Cow gentoo-dev 2023-03-15 05:00:52 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=64cf62ae757f2c35ec0a9b7db4a81998a6be8bcc

commit 64cf62ae757f2c35ec0a9b7db4a81998a6be8bcc
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2023-03-15 05:00:23 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2023-03-15 05:00:23 +0000

    net-news/liferea: drop 1.14.0
    
    Bug: https://bugs.gentoo.org/901085
    Signed-off-by: Sam James <sam@gentoo.org>

 net-news/liferea/Manifest              |  1 -
 net-news/liferea/liferea-1.14.0.ebuild | 72 ----------------------------------
 2 files changed, 73 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ff30e326baee3f26591724553397e1f9cca0a0d9

commit ff30e326baee3f26591724553397e1f9cca0a0d9
Author:     Cristian Othón Martínez Vera <cfuga@cfuga.mx>
AuthorDate: 2023-03-13 21:32:23 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2023-03-15 05:00:11 +0000

    net-news/liferea: add 1.12.10, 1.14.1 (Fix RCE vulnerability on feed enrichment)
    
    Fix CVE-2023-1350.
    
    Bug: https://bugs.gentoo.org/901085
    Closes: https://github.com/gentoo/gentoo/pull/30103
    Signed-off-by: Cristian Othón Martínez Vera <cfuga@cfuga.mx>
    Signed-off-by: Sam James <sam@gentoo.org>

 net-news/liferea/Manifest               |  2 +
 net-news/liferea/liferea-1.12.10.ebuild | 74 +++++++++++++++++++++++++++++++++
 net-news/liferea/liferea-1.14.1.ebuild  | 69 ++++++++++++++++++++++++++++++
 3 files changed, 145 insertions(+)
Comment 2 Larry the Git Cow gentoo-dev 2023-04-19 04:26:58 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e050c0668826f5cc3f8190c9cb8d787aebea816d

commit e050c0668826f5cc3f8190c9cb8d787aebea816d
Author:     John Helmert III <ajak@gentoo.org>
AuthorDate: 2023-04-19 04:21:51 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2023-04-19 04:26:29 +0000

    net-news/liferea: drop 1.12.9-r2
    
    Bug: https://bugs.gentoo.org/901085
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 net-news/liferea/Manifest                 |  1 -
 net-news/liferea/liferea-1.12.9-r2.ebuild | 74 -------------------------------
 2 files changed, 75 deletions(-)
Comment 3 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-04-19 04:27:35 UTC
Thanks!