Patch for newsbeuter - CVE-2017-14500
Hi,
I've prepared a patch fixing CVE-2017-14500[1] in the wheezy version of
newsbeuter. Can someone push it to security-master?
Debdiff attached.
[1] https://security-tracker.debian.org/tracker/CVE-2017-14500
diff -Nru newsbeuter-2.5/debian/changelog newsbeuter-2.5/debian/changelog
--- newsbeuter-2.5/debian/changelog 2017-08-19 11:04:09.000000000 +0300
+++ newsbeuter-2.5/debian/changelog 2017-09-21 07:44:42.000000000 +0300
@@ -1,3 +1,9 @@
+newsbeuter (2.5-2+deb7u3) wheezy-security; urgency=high
+
+ * Fix RCE in podbeuter (CVE-2017-14500)
+
+ -- Nikos Tsipinakis <nikos@tsipinakis.com> Thu, 21 Sep 2017 07:44:42 +0300
+
newsbeuter (2.5-2+deb7u2) wheezy-security; urgency=high
* Fix RCE vulnerability on bookmark (CVE-2017-12904)
diff -Nru newsbeuter-2.5/debian/patches/fix-RCE-in-podbeuter.patch newsbeuter-2.5/debian/patches/fix-RCE-in-podbeuter.patch
--- newsbeuter-2.5/debian/patches/fix-RCE-in-podbeuter.patch 1970-01-01 02:00:00.000000000 +0200
+++ newsbeuter-2.5/debian/patches/fix-RCE-in-podbeuter.patch 2017-09-21 07:44:34.000000000 +0300
@@ -0,0 +1,36 @@
+From 26f5a4350f3ab5507bb8727051c87bb04660f333 Mon Sep 17 00:00:00 2001
+From: Alexander Batischev <eual.jp@gmail.com>
+Date: Sat, 16 Sep 2017 19:31:43 +0300
+Subject: [PATCH] Work around shell code in podcast names (#598)
+
+---
+ src/pb_controller.cpp | 6 +++---
+ src/queueloader.cpp | 2 +-
+ 2 files changed, 4 insertions(+), 4 deletions(-)
+
+--- a/src/pb_controller.cpp
++++ b/src/pb_controller.cpp
+@@ -313,9 +313,9 @@
+ if (player == "")
+ return;
+ cmdline.append(player);
+- cmdline.append(" \"");
+- cmdline.append(utils::replace_all(file,"\"", "\\\""));
+- cmdline.append("\"");
++ cmdline.append(" \'");
++ cmdline.append(utils::replace_all(file,"'", "%27"));
++ cmdline.append("\'");
+ stfl::reset();
+ LOG(LOG_DEBUG, "pb_controller::play_file: running `%s'", cmdline.c_str());
+ ::system(cmdline.c_str());
+--- a/src/queueloader.cpp
++++ b/src/queueloader.cpp
+@@ -133,7 +133,7 @@
+ strftime(lbuf, sizeof(lbuf), "%Y-%b-%d-%H%M%S.unknown", localtime(&t));
+ fn.append(lbuf);
+ } else {
+- fn.append(base);
++ fn.append(utils::replace_all(base, "'", "%27"));
+ }
+ return fn;
+ }
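Review bot: In the pb_controller.cpp part of this patch, the command line is still built as a single string and passed to ::system(), so the fix rests entirely on the single-quote wrapping being airtight. Starting the player without a shell, with the file as its own argument (fork plus an exec-family call), would remove the quoting question. That is worth raising upstream even if this backport stays identical to the upstream commit. Two smaller points. First, replace_all(file,"'", "%27") changes the path handed to the player, so a file already on disk with an apostrophe in its name will no longer be found under that name. The queueloader.cpp change only covers names generated from now on, and only the base component appended in that else branch, so please confirm that nothing else added to fn can carry a quote. Second, the \' in cmdline.append(" \'") is an unnecessary escape inside a double-quoted literal; " '" reads more clearly.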
diff -Nru newsbeuter-2.5/debian/patches/series newsbeuter-2.5/debian/patches/series
--- newsbeuter-2.5/debian/patches/series 2017-08-19 11:04:09.000000000 +0300
+++ newsbeuter-2.5/debian/patches/series 2017-09-21 07:44:14.000000000 +0300
@@ -1,3 +1,4 @@
fix_gcc-4.7_ftbfs.patch
fix_json_boolean_include.patch
fix-RCE-on-bookmark.patch
+fix-RCE-in-podbeuter.patch