Re: Wheezy update of newsbeuter?
Hello,
I unfortunately don't currently have the time or access (not a DD so can't
upload directly to security-master) to follow the workflow you linked.
However, the patch for the jessie version applies to the wheezy version as well
so I have prepared a marginally tested (i.e. I made sure that it fixes the
vulnerability as described) package, see the attached debdiff.
- Nikos
diff -Nru newsbeuter-2.5/debian/changelog newsbeuter-2.5/debian/changelog
--- newsbeuter-2.5/debian/changelog 2014-02-27 15:43:15.000000000 +0200
+++ newsbeuter-2.5/debian/changelog 2017-08-19 11:04:09.000000000 +0300
@@ -1,3 +1,9 @@
+newsbeuter (2.5-2+deb7u2) wheezy-security; urgency=high
+
+ * Fix RCE vulnerability on bookmark (CVE-2017-12904)
+
+ -- Nikos Tsipinakis <nikos@tsipinakis.com> Sat, 19 Aug 2017 11:04:09 +0300
+
newsbeuter (2.5-2+deb7u1) stable; urgency=low
* Fix FTBFS issue due to json's switch from boolean to json_bool (Closes: #689225)
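Review bot: The single bullet in the new 2.5-2+deb7u2 entry does not name the patch file that carries the fix. Writing it as "* Add fix-RCE-on-bookmark.patch: fix RCE vulnerability on bookmark (CVE-2017-12904)" would tie the changelog entry to the debian/patches addition in this debdiff and make the upload easier to audit later.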
diff -Nru newsbeuter-2.5/debian/patches/fix-RCE-on-bookmark.patch newsbeuter-2.5/debian/patches/fix-RCE-on-bookmark.patch
--- newsbeuter-2.5/debian/patches/fix-RCE-on-bookmark.patch 1970-01-01 02:00:00.000000000 +0200
+++ newsbeuter-2.5/debian/patches/fix-RCE-on-bookmark.patch 2017-08-19 11:04:09.000000000 +0300
@@ -0,0 +1,25 @@
+Description: Fix a RCE vulnerability on the bookmark command
+ Newsbeuter didn't properly escape the title and description fields before
+ passing them to the bookmarking program which could lead to remote code
+ execution using the shells command substitution functionality (e.g. "$()", ``,
+ etc)
+
+Origin: upstream, https://github.com/akrennmair/newsbeuter/commit/96e9506ae9e252c548665152d1b8968297128307
+Last-Update: 2017-08-17
+
+--- a/src/controller.cpp
++++ b/src/controller.cpp
+@@ -1240,9 +1240,10 @@
+ std::string bookmark_cmd = cfg.get_configvalue("bookmark-cmd");
+ bool is_interactive = cfg.get_configvalue_as_bool("bookmark-interactive");
+ if (bookmark_cmd.length() > 0) {
+- std::string cmdline = utils::strprintf("%s '%s' %s %s",
+- bookmark_cmd.c_str(), utils::replace_all(url,"'", "%27").c_str(),
+- stfl::quote(title).c_str(), stfl::quote(description).c_str());
++ std::string cmdline = utils::strprintf("%s '%s' '%s' '%s'",
++ bookmark_cmd.c_str(), utils::replace_all(url,"'", "%27").c_str(),
++ utils::replace_all(title,"'", "%27").c_str(),
++ utils::replace_all(description,"'", "%27").c_str());
+
+ LOG(LOG_DEBUG, "controller::bookmark: cmd = %s", cmdline.c_str());
+
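Review bot: In the src/controller.cpp change, title and description are neutralised with utils::replace_all(..., "'", "%27"), which is URL percent-encoding applied to fields that are not URLs, so a title containing an apostrophe reaches the bookmark program with a literal %27 in its text. Wrapping each field in single quotes does stop command substitution, since nothing is expanded inside single quotes and the only way out, the quote character itself, is replaced. To keep the text intact, the embedded quote could instead be emitted as the shell idiom '\'' inside the single-quoted argument, or bookmark-cmd could be run with an argument vector rather than a formatted shell command line. The cmdline is also written to the debug log by the LOG call that follows, so any escaping choice shows up there and is easy to verify with a feed item whose title contains ', $( ) and backticks.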
diff -Nru newsbeuter-2.5/debian/patches/series newsbeuter-2.5/debian/patches/series
--- newsbeuter-2.5/debian/patches/series 2014-02-27 15:42:37.000000000 +0200
+++ newsbeuter-2.5/debian/patches/series 2017-08-19 11:04:09.000000000 +0300
@@ -1,2 +1,3 @@
fix_gcc-4.7_ftbfs.patch
fix_json_boolean_include.patch
+fix-RCE-on-bookmark.patch