Bug 628796 (CVE-2017-12904) - <net-news/newsbeuter-2.9-r3: Improper input sanitization of special elements in bookmarking function
Alias: CVE-2017-12904
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
Whiteboard: B2 [glsa+ cve]
Depends on: CVE-2017-14500
Reported: 2017-08-24 08:34 UTC by Agostino Sarubbo
Modified: 2018-01-17 13:47 UTC
Runtime testing required: ---


Description Agostino Sarubbo gentoo-dev 2017-08-24 08:34:36 UTC
From ${URL} :

Improper Neutralization of Special Elements used in an OS Command in
bookmarking function of Newsbeuter versions 0.7 through 2.9 allows
remote attackers to perform user-assisted code execution by crafting
an RSS item that includes shell code in its title and/or URL.

Upstream bug:

Upstream patch:


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
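
The class of flaw described in this report, shown as an added example that is not taken from the bug report or from Newsbeuter's source: a feed item's title is pasted into a shell command line, compared with two hardened ways of passing the same fields. The helper command, URL and title are constructed for illustration, and the title carries only a harmless `echo`.

```python
import json
import shlex
import subprocess
import sys

# Hypothetical stand-in for a user-configured bookmark command:
# it prints the arguments it actually received as a JSON list.
HELPER = [sys.executable, "-c",
          "import json, sys; print(json.dumps(sys.argv[1:]))"]

# Constructed feed item; the title carries a harmless command substitution.
URL = "https://example.org/item"
TITLE = "Release notes $(echo INJECTED)"


def _run_shell(cmdline):
    """Run a command line through /bin/sh and return the helper's argv."""
    done = subprocess.run(cmdline, shell=True, capture_output=True,
                          text=True, check=True)
    return json.loads(done.stdout)


def bookmark_interpolated(url, title):
    """Vulnerable pattern: feed fields pasted into a shell command line."""
    helper = " ".join(shlex.quote(part) for part in HELPER)
    return _run_shell('%s "%s" "%s"' % (helper, url, title))


def bookmark_quoted(url, title):
    """Shell still involved, but every field is quoted as one literal word."""
    return _run_shell(" ".join(shlex.quote(p) for p in HELPER + [url, title]))


def bookmark_argv(url, title):
    """No shell at all: each field is passed as exactly one argv element."""
    done = subprocess.run(HELPER + [url, title], capture_output=True,
                          text=True, check=True)
    return json.loads(done.stdout)


if __name__ == "__main__":
    print("interpolated:", bookmark_interpolated(URL, TITLE))
    print("quoted:      ", bookmark_quoted(URL, TITLE))
    print("argv:        ", bookmark_argv(URL, TITLE))
```

In the interpolated variant the helper receives a title the shell has already rewritten; in the other two it receives the feed's text unchanged.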
Comment 1 Tim Harder gentoo-dev 2017-08-24 09:23:01 UTC
Fixed and stabilized in 2.9-r3 in the tree.
Comment 2 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-08-24 14:44:42 UTC
Thanks for the info,

@Security could you please add to an existing GLSA or file a new one and add the CVE?


Gentoo Security Padawan
Comment 3 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-09-12 02:39:22 UTC
New GLSA Request filed.

@Security please add CVE to database.

Gentoo Security Padawan
Comment 4 GLSAMaker/CVETool Bot gentoo-dev 2018-01-17 13:47:00 UTC
This issue was resolved and addressed in
 GLSA 201801-18 at
by GLSA coordinator Aaron Bauman (b-man).