Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 901085 (CVE-2023-1350) - <net-news/liferea-1.12.10: Fix RCE vulnerability on feed enrichment
Summary: <net-news/liferea-1.12.10: Fix RCE vulnerability on feed enrichment
Alias: CVE-2023-1350
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
Whiteboard: B2 [glsa?]
Keywords: PullRequest
Depends on: 901261
  Show dependency tree
Reported: 2023-03-13 21:26 UTC by CFuga
Modified: 2023-04-19 04:27 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description CFuga 2023-03-13 21:26:09 UTC
CVE-2023-1350 (

A vulnerability was found in liferea. It has been rated as critical. Affected by this issue is the function update_job_run of the file src/update.c of the component Feed Enrichment. The manipulation of the argument source with the input |date >/tmp/bad-item-link.txt leads to os command injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The name of the patch is 8d8b5b963fa64c7a2122d1bbfbb0bed46e813e59. It is recommended to apply a patch to fix this issue. The identifier of this vulnerability is VDB-222848.


Reproducible: Always
Comment 1 Larry the Git Cow gentoo-dev 2023-03-15 05:00:52 UTC
The bug has been referenced in the following commit(s):

commit 64cf62ae757f2c35ec0a9b7db4a81998a6be8bcc
Author:     Sam James <>
AuthorDate: 2023-03-15 05:00:23 +0000
Commit:     Sam James <>
CommitDate: 2023-03-15 05:00:23 +0000

    net-news/liferea: drop 1.14.0
    Signed-off-by: Sam James <>

 net-news/liferea/Manifest              |  1 -
 net-news/liferea/liferea-1.14.0.ebuild | 72 ----------------------------------
 2 files changed, 73 deletions(-)

commit ff30e326baee3f26591724553397e1f9cca0a0d9
Author:     Cristian Othón Martínez Vera <>
AuthorDate: 2023-03-13 21:32:23 +0000
Commit:     Sam James <>
CommitDate: 2023-03-15 05:00:11 +0000

    net-news/liferea: add 1.12.10, 1.14.1 (Fix RCE vulnerability on feed enrichment)
    Fix CVE-2023-1350.
    Signed-off-by: Cristian Othón Martínez Vera <>
    Signed-off-by: Sam James <>

 net-news/liferea/Manifest               |  2 +
 net-news/liferea/liferea-1.12.10.ebuild | 74 +++++++++++++++++++++++++++++++++
 net-news/liferea/liferea-1.14.1.ebuild  | 69 ++++++++++++++++++++++++++++++
 3 files changed, 145 insertions(+)
Comment 2 Larry the Git Cow gentoo-dev 2023-04-19 04:26:58 UTC
The bug has been referenced in the following commit(s):

commit e050c0668826f5cc3f8190c9cb8d787aebea816d
Author:     John Helmert III <>
AuthorDate: 2023-04-19 04:21:51 +0000
Commit:     John Helmert III <>
CommitDate: 2023-04-19 04:26:29 +0000

    net-news/liferea: drop 1.12.9-r2
    Signed-off-by: John Helmert III <>

 net-news/liferea/Manifest                 |  1 -
 net-news/liferea/liferea-1.12.9-r2.ebuild | 74 -------------------------------
 2 files changed, 75 deletions(-)
Comment 3 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-04-19 04:27:35 UTC