[arch-commits] Commit in newsbeuter/trunk (2 files)

Sat Sep 16 19:41:15 UTC 2017

Date: Saturday, September 16, 2017 @ 19:41:14
  Author: jelle
Revision: 258570

Add security patches

Added:
  newsbeuter/trunk/newsbeuter-CVE-2017-12904.patch
  newsbeuter/trunk/remote-code-execution-podcast-name.patch

------------------------------------------+
 newsbeuter-CVE-2017-12904.patch          |   19 +++++++++++++++++++
 remote-code-execution-podcast-name.patch |   28 ++++++++++++++++++++++++++++
 2 files changed, 47 insertions(+)

Added: newsbeuter-CVE-2017-12904.patch
===================================================================

--- newsbeuter-CVE-2017-12904.patch	                        (rev 0)
+++ newsbeuter-CVE-2017-12904.patch	2017-09-16 19:41:14 UTC (rev 258570)
@@ -0,0 +1,19 @@
+diff -aur newsbeuter-r2.9/src/controller.cpp newsbeuter-r2.9.new/src/controller.cpp
+--- newsbeuter-r2.9/src/controller.cpp	2015-02-19 11:56:59.000000000 +0100
++++ newsbeuter-r2.9.new/src/controller.cpp	2017-09-16 21:33:14.568552568 +0200
+@@ -1275,9 +1275,11 @@
+ 	std::string bookmark_cmd = cfg.get_configvalue("bookmark-cmd");
+ 	bool is_interactive = cfg.get_configvalue_as_bool("bookmark-interactive");
+ 	if (bookmark_cmd.length() > 0) {
+-		std::string cmdline = utils::strprintf("%s '%s' %s %s",
+-		                                       bookmark_cmd.c_str(), utils::replace_all(url,"'", "%27").c_str(),
+-		                                       stfl::quote(title).c_str(), stfl::quote(description).c_str());
++		std::string cmdline = utils::strprintf("%s '%s' '%s' '%s'",
++		                                       bookmark_cmd.c_str(),
++						       utils::replace_all(url,"'", "%27").c_str(),
++						       utils::replace_all(title,"'", "%27").c_str(),
++						       utils::replace_all(description,"'", "%27").c_str());
+ 
+ 		LOG(LOG_DEBUG, "controller::bookmark: cmd = %s", cmdline.c_str());
+ 
+Only in newsbeuter-r2.9.new/src: .controller.cpp.swp

Added: remote-code-execution-podcast-name.patch
===================================================================
--- remote-code-execution-podcast-name.patch	                        (rev 0)
+++ remote-code-execution-podcast-name.patch	2017-09-16 19:41:14 UTC (rev 258570)
@@ -0,0 +1,28 @@
+diff -aur newsbeuter-r2.9/src/pb_controller.cpp newsbeuter-r2.9.new/src/pb_controller.cpp
+--- newsbeuter-r2.9/src/pb_controller.cpp	2015-02-19 11:56:59.000000000 +0100
++++ newsbeuter-r2.9.new/src/pb_controller.cpp	2017-09-16 20:43:29.180683163 +0200
+@@ -306,9 +306,9 @@
+ 	if (player == "")
+ 		return;
+ 	cmdline.append(player);
+-	cmdline.append(" \"");
+-	cmdline.append(utils::replace_all(file,"\"", "\\\""));
+-	cmdline.append("\"");
++	cmdline.append(" \'");
++	cmdline.append(utils::replace_all(file,"'", "%27"));
++	cmdline.append(" \'");
+ 	stfl::reset();
+ 	LOG(LOG_DEBUG, "pb_controller::play_file: running `%s'", cmdline.c_str());
+ 	::system(cmdline.c_str());
+diff -aur newsbeuter-r2.9/src/queueloader.cpp newsbeuter-r2.9.new/src/queueloader.cpp
+--- newsbeuter-r2.9/src/queueloader.cpp	2015-02-19 11:56:59.000000000 +0100
++++ newsbeuter-r2.9.new/src/queueloader.cpp	2017-09-16 20:47:01.884411680 +0200
+@@ -130,7 +130,7 @@
+ 		strftime(lbuf, sizeof(lbuf), "%Y-%b-%d-%H%M%S.unknown", localtime(&t));
+ 		fn.append(lbuf);
+ 	} else {
+-		fn.append(base);
++		fn.append(utils::replace_all(base, "'", "%27"));
+ 	}
+ 	return fn;
+ }

