1 files changed, 0 insertions, 34 deletions

diff --git a/gnu/packages/patches/newsbeuter-CVE-2017-12904.patch b/gnu/packages/patches/newsbeuter-CVE-2017-12904.patch
deleted file mode 100644
index 8e90502469..0000000000
--- a/gnu/packages/patches/newsbeuter-CVE-2017-12904.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-Fix CVE-2017-12904:
-
-https://github.com/akrennmair/newsbeuter/issues/591
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-12904
-
-Patch copied from the Debian package of newsbeuter, version 2.9-5+deb9u1.
-
-Adapted from upstream source repository:
-
-https://github.com/akrennmair/newsbeuter/commit/96e9506ae9e252c548665152d1b8968297128307
-
-Description: Fix a RCE vulnerability in the bookmark command
- Newsbeuter didn't properly escape the title and description fields before
- passing them to the bookmarking program which could lead to remote code
- execution using the shells command substitution functionality (e.g. "$()", ``,
- etc)
-
-Origin: upstream, https://github.com/akrennmair/newsbeuter/commit/96e9506ae9e252c548665152d1b8968297128307
-Last-Update: 2017-08-18
-
---- newsbeuter-2.9.orig/src/controller.cpp
-+++ newsbeuter-2.9/src/controller.cpp
-@@ -1274,9 +1274,10 @@ std::string controller::bookmark(const s
- 	std::string bookmark_cmd = cfg.get_configvalue("bookmark-cmd");
- 	bool is_interactive = cfg.get_configvalue_as_bool("bookmark-interactive");
- 	if (bookmark_cmd.length() > 0) {
--		std::string cmdline = utils::strprintf("%s '%s' %s %s",
-+		std::string cmdline = utils::strprintf("%s '%s' '%s' '%s'",
- 		                                       bookmark_cmd.c_str(), utils::replace_all(url,"'", "%27").c_str(),
--		                                       stfl::quote(title).c_str(), stfl::quote(description).c_str());
-+		                                       utils::replace_all(title,"'", "%27").c_str(),
-+		                                       utils::replace_all(description,"'", "%27").c_str());
- 
- 		LOG(LOG_DEBUG, "controller::bookmark: cmd = %s", cmdline.c_str());