Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 631150 (CVE-2017-14500) - net-news/newsbeuter: remote code execution in podbeuter through RSS item
Summary: net-news/newsbeuter: remote code execution in podbeuter through RSS item
Status: RESOLVED FIXED
Alias: CVE-2017-14500
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL: http://cve.mitre.org/cgi-bin/cvename....
Whiteboard: B2 [glsa+ cve]
Keywords:
Depends on:
Blocks: CVE-2017-12904
  Show dependency tree
 
Reported: 2017-09-16 19:30 UTC by Aleksandr Wagner (Kivak)
Modified: 2018-03-11 16:38 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Aleksandr Wagner (Kivak) 2017-09-16 19:30:18 UTC
From $URL:

 Podbeuter is a podcast fetcher and player that's developed alongside with Newsbeuter, an RSS/Atom feed reader for text consoles.


Versions 0.3 through 2.9 are vulnerable to remote code execution. An attacker can craft an RSS item where the name of media enclosure (the podcast file) contains shell code. When user plays the file in Podbeuter, the shell code will be executed.


A commit fixing the vulnerability in Git: https://github.com/akrennmair/newsbeuter/commit/c8fea2f60c18ed30bdd1bb6f798e994e51a58260


A patch for Podbeuter 2.9: https://github.com/akrennmair/newsbeuter/commit/26f5a4350f3ab5507bb8727051c87bb04660f333


Upstream issue: https://github.com/akrennmair/newsbeuter/issues/598

I've requested a CVE from MITRE on August 27th, but haven't heard back yet, so decided to disclose without a number.


--
Regards,
Alexander Batischev

PGP key 356961A20C8BFD03
Fingerprint: CE6C 4307 9348 58E3 FD94  A00F 3569 61A2 0C8B FD03
Comment 1 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-09-17 16:22:57 UTC
@Maintainer could you please confirm if 2.9-r3 is affected? 

Thank you

Gentoo Security Padawan
ChrisADR
Comment 2 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-10-08 03:05:34 UTC
ping.

@Maintainer this report is holding a GLSA, could you please confirm?

Thank you,

Gentoo Security Padawan
ChrisADR
Comment 3 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2018-02-05 14:57:14 UTC
New GLSA Request filled.

# Tim Harder <radhermit@gentoo.org> (05 Feb 2018)
# Unmaintained, replaced by newsboat fork.
# Masked for removal in 30 days.
net-news/newsbeuter
Comment 4 Pacho Ramos gentoo-dev 2018-03-11 10:39:07 UTC
Removed from the tree
Comment 5 GLSAMaker/CVETool Bot gentoo-dev 2018-03-11 16:38:37 UTC
This issue was resolved and addressed in
 GLSA 201803-04 at https://security.gentoo.org/glsa/201803-04
by GLSA coordinator Christopher Diaz Riveros (chrisadr).