Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 236506 (CVE-2008-3907) - net-news/newsbeuter <1.2 Improper URI quoting when starting browser (CVE-2008-3907)
Summary: net-news/newsbeuter <1.2 Improper URI quoting when starting browser (CVE-2008...
Status: RESOLVED FIXED
Alias: CVE-2008-3907
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High normal
Assignee: Gentoo Security
URL: http://thread.gmane.org/gmane.comp.se...
Whiteboard: B2 [glsa]
Keywords:
Depends on: 235360
Blocks:
  Show dependency tree
 
Reported: 2008-09-02 21:27 UTC by Robert Buchholz (RETIRED)
Modified: 2008-09-22 20:09 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Robert Buchholz (RETIRED) gentoo-dev 2008-09-02 21:27:28 UTC 
J.H.M. Dassen (Ray) reported that newsbeuter does not properly escape shell metacharacters when passing URLs to a browser.

Fixed in 1.2.
Comment 1 Ingmar Vanhassel 2008-09-03 01:12:04 UTC 
According to the URL you included: s/1.2/1.1/g :)
Comment 2 Ingmar Vanhassel 2008-09-03 01:13:43 UTC 
(In reply to comment #1)
> According to the URL you included: s/1.2/1.1/g :)
> 

Oh I'm wrong:

1.2 (2008-09-02):
        Fixed crash in case of invalid color/attribute names in the configuration
        Implemented "download-timeout" and "download-retries" config options to make newsbeuter more reliable over unreliable connection (fixes #88).
        Improved whitespace handling in XML parser (fixes Debian issue #496765).
        Fixed broken open-in-browser operation for URLs that contained a single quote (fixes Debian issue #497495; fixes incomplete security fix).

Sorry for the noise, nevermind me.
Comment 3 Thomas Anderson (tanderson) (RETIRED) gentoo-dev 2008-09-03 23:48:12 UTC 
I've added dev-libs/stfl-0.19. This is a dependency of the new version.
Comment 4 Thomas Anderson (tanderson) (RETIRED) gentoo-dev 2008-09-04 15:50:21 UTC 
net-news/newsbeuter-1.2 is in gentoo-x86.
Comment 5 Robert Buchholz (RETIRED) gentoo-dev 2008-09-04 18:34:22 UTC 
Arches, please test and mark stable:
=net-news/newsbeuter-1.2
Target keywords : "x86"
Comment 6 Thomas Anderson (tanderson) (RETIRED) gentoo-dev 2008-09-04 21:16:44 UTC 
Please note that you must also stable =dev-libs/stfl-0.19.
Comment 7 Markus Meier gentoo-dev 2008-09-06 12:44:06 UTC 
x86 stable, all arches done.
Comment 8 Tobias Heinlein (RETIRED) gentoo-dev 2008-09-11 17:38:22 UTC 
GLSA request filed.
Comment 9 Pierre-Yves Rofes (RETIRED) gentoo-dev 2008-09-22 20:09:49 UTC 
GLSA 200809-12