diff options
Diffstat (limited to 'gnu/packages/patches')
-rw-r--r-- | gnu/packages/patches/newsbeuter-CVE-2017-12904.patch | 34 |
1 files changed, 34 insertions, 0 deletions
diff --git a/gnu/packages/patches/newsbeuter-CVE-2017-12904.patch b/gnu/packages/patches/newsbeuter-CVE-2017-12904.patch new file mode 100644 index 0000000000..8e90502469 --- /dev/null +++ b/gnu/packages/patches/newsbeuter-CVE-2017-12904.patch @@ -0,0 +1,34 @@ +Fix CVE-2017-12904: + +https://github.com/akrennmair/newsbeuter/issues/591 +https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-12904 + +Patch copied from the Debian package of newsbeuter, version 2.9-5+deb9u1. + +Adapted from upstream source repository: + +https://github.com/akrennmair/newsbeuter/commit/96e9506ae9e252c548665152d1b8968297128307 + +Description: Fix a RCE vulnerability in the bookmark command + Newsbeuter didn't properly escape the title and description fields before + passing them to the bookmarking program which could lead to remote code + execution using the shells command substitution functionality (e.g. "$()", ``, + etc) + +Origin: upstream, https://github.com/akrennmair/newsbeuter/commit/96e9506ae9e252c548665152d1b8968297128307 +Last-Update: 2017-08-18 + +--- newsbeuter-2.9.orig/src/controller.cpp ++++ newsbeuter-2.9/src/controller.cpp +@@ -1274,9 +1274,10 @@ std::string controller::bookmark(const s + std::string bookmark_cmd = cfg.get_configvalue("bookmark-cmd"); + bool is_interactive = cfg.get_configvalue_as_bool("bookmark-interactive"); + if (bookmark_cmd.length() > 0) { +- std::string cmdline = utils::strprintf("%s '%s' %s %s", ++ std::string cmdline = utils::strprintf("%s '%s' '%s' '%s'", + bookmark_cmd.c_str(), utils::replace_all(url,"'", "%27").c_str(), +- stfl::quote(title).c_str(), stfl::quote(description).c_str()); ++ utils::replace_all(title,"'", "%27").c_str(), ++ utils::replace_all(description,"'", "%27").c_str()); + + LOG(LOG_DEBUG, "controller::bookmark: cmd = %s", cmdline.c_str()); |