
Patch for newsbeuter - CVE-2017-14500



Hi,

I've prepared a patch fixing CVE-2017-14500[1] in the wheezy version of
newsbeuter. Can someone push it to security-master?

Debdiff attached.

[1] https://security-tracker.debian.org/tracker/CVE-2017-14500
diff -Nru newsbeuter-2.5/debian/changelog newsbeuter-2.5/debian/changelog
--- newsbeuter-2.5/debian/changelog	2017-08-19 11:04:09.000000000 +0300
+++ newsbeuter-2.5/debian/changelog	2017-09-21 07:44:42.000000000 +0300
@@ -1,3 +1,9 @@
+newsbeuter (2.5-2+deb7u3) wheezy-security; urgency=high
+
+  * Fix RCE in podbeuter (CVE-2017-14500)
+
+ -- Nikos Tsipinakis <nikos@tsipinakis.com>  Thu, 21 Sep 2017 07:44:42 +0300
+
 newsbeuter (2.5-2+deb7u2) wheezy-security; urgency=high
 
   * Fix RCE vulnerability on bookmark (CVE-2017-12904)
diff -Nru newsbeuter-2.5/debian/patches/fix-RCE-in-podbeuter.patch newsbeuter-2.5/debian/patches/fix-RCE-in-podbeuter.patch
--- newsbeuter-2.5/debian/patches/fix-RCE-in-podbeuter.patch	1970-01-01 02:00:00.000000000 +0200
+++ newsbeuter-2.5/debian/patches/fix-RCE-in-podbeuter.patch	2017-09-21 07:44:34.000000000 +0300
@@ -0,0 +1,36 @@
+From 26f5a4350f3ab5507bb8727051c87bb04660f333 Mon Sep 17 00:00:00 2001
+From: Alexander Batischev <eual.jp@gmail.com>
+Date: Sat, 16 Sep 2017 19:31:43 +0300
+Subject: [PATCH] Work around shell code in podcast names (#598)
+
+---
+ src/pb_controller.cpp | 6 +++---
+ src/queueloader.cpp   | 2 +-
+ 2 files changed, 4 insertions(+), 4 deletions(-)
+
+--- a/src/pb_controller.cpp
++++ b/src/pb_controller.cpp
+@@ -313,9 +313,9 @@
+ 	if (player == "")
+ 		return;
+ 	cmdline.append(player);
+-	cmdline.append(" \"");
+-	cmdline.append(utils::replace_all(file,"\"", "\\\""));
+-	cmdline.append("\"");
++	cmdline.append(" \'");
++	cmdline.append(utils::replace_all(file,"'", "%27"));
++	cmdline.append("\'");
+ 	stfl::reset();
+ 	LOG(LOG_DEBUG, "pb_controller::play_file: running `%s'", cmdline.c_str());
+ 	::system(cmdline.c_str());
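Review bot: In play_file, rewriting `'` in `file` to `%27` changes the path that is handed to the player, so a file already on disk with an apostrophe in its name will be passed under a name that does not exist. Moving to single quotes is the right direction, since the removed lines only escaped `"` and left the rest of the name to the shell, but the usual way to keep the name intact inside single quotes is to replace each `'` with `'\''` rather than substituting a different string. Because the function still ends in `::system(cmdline.c_str())`, a later cleanup could launch the player with an argument vector (fork plus execvp) so that no quoting is needed at all. Minor style point: `" \'"` and `"\'"` do not need the backslash in a C++ string literal.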
+--- a/src/queueloader.cpp
++++ b/src/queueloader.cpp
+@@ -133,7 +133,7 @@
+ 		strftime(lbuf, sizeof(lbuf), "%Y-%b-%d-%H%M%S.unknown", localtime(&t));
+ 		fn.append(lbuf);
+ 	} else {
+-		fn.append(base);
++		fn.append(utils::replace_all(base, "'", "%27"));
+ 	}
+ 	return fn;
+ }
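Review bot: The `replace_all(base, "'", "%27")` call in the else branch carries no comment explaining why apostrophes are rewritten; the reason lives in src/pb_controller.cpp, where the name is wrapped in single quotes before `::system()`. A one-line comment here tying the two together would keep a later cleanup from dropping it. It is also worth confirming that the part of `fn` assembled before this branch, which the hunk does not show, cannot carry a `'`, since only `base` is filtered.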
diff -Nru newsbeuter-2.5/debian/patches/series newsbeuter-2.5/debian/patches/series
--- newsbeuter-2.5/debian/patches/series	2017-08-19 11:04:09.000000000 +0300
+++ newsbeuter-2.5/debian/patches/series	2017-09-21 07:44:14.000000000 +0300
@@ -1,3 +1,4 @@
 fix_gcc-4.7_ftbfs.patch
 fix_json_boolean_include.patch
 fix-RCE-on-bookmark.patch
+fix-RCE-in-podbeuter.patch
