
Re: Wheezy update of newsbeuter?



Hello,

I unfortunately don't currently have the time or access (not a DD so can't
upload directly to security-master) to follow the workflow you linked.

However, the patch for the jessie version applies to the wheezy version as well,
so I have prepared a marginally tested (i.e. I made sure that it fixes the
vulnerability as described) package; see the attached debdiff.

- Nikos
diff -Nru newsbeuter-2.5/debian/changelog newsbeuter-2.5/debian/changelog
--- newsbeuter-2.5/debian/changelog	2014-02-27 15:43:15.000000000 +0200
+++ newsbeuter-2.5/debian/changelog	2017-08-19 11:04:09.000000000 +0300
@@ -1,3 +1,9 @@
+newsbeuter (2.5-2+deb7u2) wheezy-security; urgency=high
+
+  * Fix RCE vulnerability on bookmark (CVE-2017-12904)
+
+ -- Nikos Tsipinakis <nikos@tsipinakis.com>  Sat, 19 Aug 2017 11:04:09 +0300
+
 newsbeuter (2.5-2+deb7u1) stable; urgency=low
 
   * Fix FTBFS issue due to json's switch from boolean to json_bool (Closes: #689225)
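
Review bot: the new 2.5-2+deb7u2 entry names the CVE but not what changed in the package. Suggest extending the bullet to name the added file, debian/patches/fix-RCE-on-bookmark.patch, and to say it is taken from upstream, so the changelog alone tells a reader where the fix lives. The entry targets wheezy-security while the previous one used stable; worth confirming that is the distribution name expected for this upload.
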
diff -Nru newsbeuter-2.5/debian/patches/fix-RCE-on-bookmark.patch newsbeuter-2.5/debian/patches/fix-RCE-on-bookmark.patch
--- newsbeuter-2.5/debian/patches/fix-RCE-on-bookmark.patch	1970-01-01 02:00:00.000000000 +0200
+++ newsbeuter-2.5/debian/patches/fix-RCE-on-bookmark.patch	2017-08-19 11:04:09.000000000 +0300
@@ -0,0 +1,25 @@
+Description: Fix a RCE vulnerability on the bookmark command
+ Newsbeuter didn't properly escape the title and description fields before
+ passing them to the bookmarking program which could lead to remote code
+ execution using the shells command substitution functionality (e.g. "$()", ``,
+ etc)
+
+Origin: upstream, https://github.com/akrennmair/newsbeuter/commit/96e9506ae9e252c548665152d1b8968297128307
+Last-Update: 2017-08-17
+
+--- a/src/controller.cpp
++++ b/src/controller.cpp
+@@ -1240,9 +1240,10 @@
+ 	std::string bookmark_cmd = cfg.get_configvalue("bookmark-cmd");
+ 	bool is_interactive = cfg.get_configvalue_as_bool("bookmark-interactive");
+ 	if (bookmark_cmd.length() > 0) {
+-		std::string cmdline = utils::strprintf("%s '%s' %s %s", 
+-			bookmark_cmd.c_str(), utils::replace_all(url,"'", "%27").c_str(), 
+-			stfl::quote(title).c_str(), stfl::quote(description).c_str());
++		std::string cmdline = utils::strprintf("%s '%s' '%s' '%s'",
++			bookmark_cmd.c_str(), utils::replace_all(url,"'", "%27").c_str(),
++			utils::replace_all(title,"'", "%27").c_str(),
++			utils::replace_all(description,"'", "%27").c_str());
+ 
+ 		LOG(LOG_DEBUG, "controller::bookmark: cmd = %s", cmdline.c_str());
+ 
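
Review bot: in the controller.cpp change, title and description are neutralised by replacing ' with %27 before being wrapped in single quotes. That stops either field from closing the quoting, but percent-encoding is a URL convention and these two fields are free text, so a title such as "Don't panic" reaches the bookmarking program as "Don%27t panic". If the stored text should be preserved, escape the quote for the shell instead (close the quoted string, emit an escaped ', reopen it) and keep %27 only for url. Since the package is described as marginally tested, a check with a title and a description that each contain $(), backticks and a single quote would cover the cases the patch description lists. Minor: the Description header reads "the shells command substitution", which should be "the shell's".
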
diff -Nru newsbeuter-2.5/debian/patches/series newsbeuter-2.5/debian/patches/series
--- newsbeuter-2.5/debian/patches/series	2014-02-27 15:42:37.000000000 +0200
+++ newsbeuter-2.5/debian/patches/series	2017-08-19 11:04:09.000000000 +0300
@@ -1,2 +1,3 @@
 fix_gcc-4.7_ftbfs.patch
 fix_json_boolean_include.patch
+fix-RCE-on-bookmark.patch
