Bug 533654 (CVE-2013-7416) - <net-news/canto-curses-0.9.3: Improper Sanitization of URL feeds (CVE-2013-7416)
Summary: <net-news/canto-curses-0.9.3: Improper Sanitization of URL feeds (CVE-2013-7416)
Status: RESOLVED FIXED
Alias: CVE-2013-7416
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal trivial
Assignee: Gentoo Security
URL:
Whiteboard: ~2 [noglsa]
Keywords:
Depends on: 548184
Blocks:
Reported: 2014-12-27 02:17 UTC by avx
Modified: 2015-05-01 06:54 UTC

See Also:
Package list:
Runtime testing required: ---
Description avx 2014-12-27 02:17:55 UTC
canto-curses and canto-daemon are available in portage as version 0.8.4 (released in March of 2013); upstream released version 0.9.0 of both a few weeks ago.

Reproducible: Always
Comment 1 Sean Amoss (RETIRED) gentoo-dev Security 2015-01-03 17:53:37 UTC
Canto Curses 0.9.0 contains a security fix, as noted in the next comment.
Comment 2 GLSAMaker/CVETool Bot gentoo-dev 2015-01-03 17:54:01 UTC
CVE-2013-7416 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-7416):
  canto_curses/guibase.py in Canto Curses before 0.9.0 allows remote feed
  servers to execute arbitrary commands via shell metacharacters in a URL in a
  feed.
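The CVE text above describes the general bug class: a URL taken from a remote feed is handed to a shell, so metacharacters in it become commands. The following is an added illustration of the defensive pattern, not Canto's own code: validate the URL, then launch the browser with an argv list so no shell ever parses it (the browser command and sample feed links are constructed assumptions).

```python
"""Hardened browser launch for feed URLs (added example, not Canto's code)."""
import shlex
import subprocess
from typing import List
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
# Hypothetical browser command; a real reader takes this from its config.
BROWSER_ARGV = ["xdg-open"]

# Constructed sample links as a feed might deliver them.
SAMPLE_FEED_LINKS = [
    "https://example.com/rss?id=1",
    "https://example.com/a;b",          # ';' is harmless once no shell is involved
    "file:///some/local/path",          # unexpected scheme, rejected
    "https://example.com/\nx",          # control character, rejected
]


def validate_feed_url(url: str) -> bool:
    """True only for absolute http(s) URLs without control characters."""
    if not url or any(ord(ch) < 0x20 or ch == "\x7f" for ch in url):
        return False
    parts = urlsplit(url)
    return parts.scheme.lower() in ALLOWED_SCHEMES and bool(parts.netloc)


def build_browser_argv(url: str) -> List[str]:
    """Build an argv list: the URL is one argument and is never shell-parsed."""
    if not validate_feed_url(url):
        raise ValueError("refusing to open untrusted URL: %r" % url)
    return BROWSER_ARGV + [url]


def build_shell_string(url: str) -> str:
    """If a shell string is unavoidable (user-configured template), quote each
    word with shlex.quote so the shell sees the URL as a single literal."""
    if not validate_feed_url(url):
        raise ValueError("refusing to open untrusted URL: %r" % url)
    return " ".join(shlex.quote(arg) for arg in BROWSER_ARGV + [url])


def open_feed_url(url: str) -> int:
    """Launch the browser without a shell; returns the process exit status."""
    return subprocess.run(build_browser_argv(url), check=False).returncode


if __name__ == "__main__":
    for link in SAMPLE_FEED_LINKS:
        print(repr(link), "->", "accept" if validate_feed_url(link) else "reject")
```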
Comment 3 avx 2015-01-06 16:50:02 UTC
Thanks for picking that up under the security banner, but shouldn't the version in portage get masked for the time being?
Comment 4 Sergey Popov gentoo-dev 2015-05-01 06:54:42 UTC
New versions of canto-curses and canto-daemon are in tree. Old versions were dropped.

Package has never been stable, closing as noglsa