summary refs log tree commit diff
path: root/gnu
diff options
context:
space:
mode:
Diffstat (limited to 'gnu')
-rw-r--r--gnu/local.mk1
-rw-r--r--gnu/packages/patches/newsbeuter-CVE-2017-14500.patch43
-rw-r--r--gnu/packages/syndication.scm5
3 files changed, 47 insertions, 2 deletions
diff --git a/gnu/local.mk b/gnu/local.mk
index bdd49c6182..0b84a72fa6 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -883,6 +883,7 @@ dist_patch_DATA =						\
   %D%/packages/patches/netsurf-y2038-tests.patch		\
   %D%/packages/patches/netsurf-longer-test-timeout.patch	\
   %D%/packages/patches/newsbeuter-CVE-2017-12904.patch		\
+  %D%/packages/patches/newsbeuter-CVE-2017-14500.patch		\
   %D%/packages/patches/ngircd-handle-zombies.patch		\
   %D%/packages/patches/ninja-zero-mtime.patch			\
   %D%/packages/patches/nss-increase-test-timeout.patch		\
diff --git a/gnu/packages/patches/newsbeuter-CVE-2017-14500.patch b/gnu/packages/patches/newsbeuter-CVE-2017-14500.patch
new file mode 100644
index 0000000000..449105e42a
--- /dev/null
+++ b/gnu/packages/patches/newsbeuter-CVE-2017-14500.patch
@@ -0,0 +1,43 @@
+https://github.com/akrennmair/newsbeuter/commit/26f5a4350f3ab5507bb8727051c87bb04660f333.patch
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14500
+
+From 26f5a4350f3ab5507bb8727051c87bb04660f333 Mon Sep 17 00:00:00 2001
+From: Alexander Batischev <eual.jp@gmail.com>
+Date: Sat, 16 Sep 2017 19:31:43 +0300
+Subject: [PATCH] Work around shell code in podcast names (#598)
+
+---
+ src/pb_controller.cpp | 6 +++---
+ src/queueloader.cpp   | 2 +-
+ 2 files changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/src/pb_controller.cpp b/src/pb_controller.cpp
+index 09b5e897..213216cd 100644
+--- a/src/pb_controller.cpp
++++ b/src/pb_controller.cpp
+@@ -306,9 +306,9 @@ void pb_controller::play_file(const std::string& file) {
+ 	if (player == "")
+ 		return;
+ 	cmdline.append(player);
+-	cmdline.append(" \"");
+-	cmdline.append(utils::replace_all(file,"\"", "\\\""));
+-	cmdline.append("\"");
++	cmdline.append(" \'");
++	cmdline.append(utils::replace_all(file,"'", "%27"));
++	cmdline.append("\'");
+ 	stfl::reset();
+ 	LOG(LOG_DEBUG, "pb_controller::play_file: running `%s'", cmdline.c_str());
+ 	::system(cmdline.c_str());
+diff --git a/src/queueloader.cpp b/src/queueloader.cpp
+index c1dabdd8..ae725e04 100644
+--- a/src/queueloader.cpp
++++ b/src/queueloader.cpp
+@@ -130,7 +130,7 @@ std::string queueloader::get_filename(const std::string& str) {
+ 		strftime(lbuf, sizeof(lbuf), "%Y-%b-%d-%H%M%S.unknown", localtime(&t));
+ 		fn.append(lbuf);
+ 	} else {
+-		fn.append(base);
++		fn.append(utils::replace_all(base, "'", "%27"));
+ 	}
+ 	return fn;
+ }
diff --git a/gnu/packages/syndication.scm b/gnu/packages/syndication.scm
index 80c45c396c..8ac0524fc6 100644
--- a/gnu/packages/syndication.scm
+++ b/gnu/packages/syndication.scm
@@ -1,4 +1,4 @@
-;;; Copyright © 2016 Efraim Flashner <efraim@flashner.co.il>
+;;; Copyright © 2016, 2017 Efraim Flashner <efraim@flashner.co.il>
 ;;;
 ;;; GNU Guix is free software; you can redistribute it and/or modify it
 ;;; under the terms of the GNU General Public License as published by
@@ -38,7 +38,8 @@
         (method url-fetch)
         (uri (string-append "https://newsbeuter.org/downloads/newsbeuter-"
                             version ".tar.gz"))
-        (patches (search-patches "newsbeuter-CVE-2017-12904.patch"))
+        (patches (search-patches "newsbeuter-CVE-2017-12904.patch"
+                                 "newsbeuter-CVE-2017-14500.patch"))
         (sha256
          (base32
           "1j1x0hgwxz11dckk81ncalgylj5y5fgw5bcmp9qb5hq9kc0vza3l"))))