[arch-security] [ASA-201708-15] newsbeuter: arbitrary code execution

Jelle van der Waa jelle at archlinux.org
Mon Aug 21 11:13:38 UTC 2017


Arch Linux Security Advisory ASA-201708-15
==========================================

Severity: High
Date    : 2017-08-20
CVE-ID  : CVE-2017-12904
Package : newsbeuter
Type    : arbitrary code execution
Remote  : Yes
Link    : https://security.archlinux.org/AVG-384

Summary
=======

The package newsbeuter before version 2.9-7 is vulnerable to arbitrary
code execution.

Resolution
==========

Upgrade to 2.9-7.

# pacman -Syu "newsbeuter>=2.9-7"

The problem has been fixed upstream but no release is available yet.

Workaround
==========

Don't bookmark items. The vulnerable code path is only reached when
bookmark-cmd is run, which happens when a user bookmarks an item, so
refraining from bookmarking (at least for feeds you do not control)
avoids the issue until the fixed package is installed.

Description
===========

An attacker can craft an RSS item whose title and/or URL contain shell
commands or shell metacharacters. When a user bookmarks such an item,
newsbeuter passes those fields to the shell as part of the configured
bookmark-cmd command line without properly escaping them, so the shell
executes the embedded commands. The vulnerability is triggered only when
bookmark-cmd is invoked, i.e. when an item is bookmarked.
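The following C++ program is an added illustration of the pattern described above; it is not code from newsbeuter or from this advisory. It assumes a bookmark command that is built by concatenating feed-controlled fields and handed to /bin/sh (as popen() does), and contrasts that with single-quote escaping and with a fork()/execvp() argv call that involves no shell at all. The sample title and URL, the use of printf in place of a real bookmark-cmd, and all helper names are constructed for this example.

```cpp
#include <cstdio>
#include <string>
#include <vector>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

// Constructed sample inputs: every field of an RSS item is controlled by the
// feed author, so the URL and title below are attacker data.
const std::string kInjectedUrl   = "http://example.invalid/$(echo INJECTED)";
const std::string kInjectedTitle = "News\"; echo INJECTED2; echo \"";

// Vulnerable pattern: wrap each field in double quotes and pass the whole
// line to /bin/sh. Double quotes stop word splitting but still let the shell
// expand $(...) and `...`, and a literal " inside a field ends the quoting.
std::string build_double_quoted(const std::string& bookmark_cmd,
                                const std::string& url,
                                const std::string& title) {
    return bookmark_cmd + " \"" + url + "\" \"" + title + "\"";
}

// Hardened quoting: single quotes disable every kind of expansion; the only
// byte that needs care is ' itself, written as '\'' (close, escaped quote,
// reopen).
std::string single_quote(const std::string& s) {
    std::string out = "'";
    for (char c : s) {
        if (c == '\'') out += "'\\''";
        else out += c;
    }
    out += "'";
    return out;
}

std::string build_single_quoted(const std::string& bookmark_cmd,
                                const std::string& url,
                                const std::string& title) {
    return bookmark_cmd + " " + single_quote(url) + " " + single_quote(title);
}

// Run a command line through /bin/sh (what popen() does) and return stdout.
std::string capture_shell(const std::string& cmdline) {
    std::string out;
    FILE* fp = popen(cmdline.c_str(), "r");
    if (!fp) return out;
    char buf[256];
    size_t n;
    while ((n = fread(buf, 1, sizeof buf, fp)) > 0) out.append(buf, n);
    pclose(fp);
    return out;
}

// Best option: no shell. fork()/execvp() with an argv array passes each field
// as exactly one argument, byte for byte, so there is nothing to quote.
std::string capture_argv(const std::vector<std::string>& argv) {
    int fds[2];
    if (pipe(fds) != 0) return "";
    pid_t pid = fork();
    if (pid < 0) return "";
    if (pid == 0) {                       // child: stdout -> pipe, then exec
        dup2(fds[1], STDOUT_FILENO);
        close(fds[0]);
        close(fds[1]);
        std::vector<char*> args;
        for (const auto& a : argv) args.push_back(const_cast<char*>(a.c_str()));
        args.push_back(nullptr);
        execvp(args[0], args.data());
        _exit(127);                       // only reached if exec failed
    }
    close(fds[1]);                        // parent: read child's stdout
    std::string out;
    char buf[256];
    ssize_t n;
    while ((n = read(fds[0], buf, sizeof buf)) > 0) out.append(buf, n);
    close(fds[0]);
    int status;
    waitpid(pid, &status, 0);
    return out;
}

int main() {
    // printf stands in for bookmark-cmd so the effect is visible on stdout.
    std::printf("--- double quoted (vulnerable) ---\n%s",
                capture_shell(build_double_quoted("printf '%s\\n'", kInjectedUrl, kInjectedTitle)).c_str());
    std::printf("--- single quoted ---\n%s",
                capture_shell(build_single_quoted("printf '%s\\n'", kInjectedUrl, kInjectedTitle)).c_str());
    std::printf("--- argv, no shell ---\n%s",
                capture_argv({"printf", "%s\n", kInjectedUrl, kInjectedTitle}).c_str());
    return 0;
}
```

With the double-quoted build the shell expands `$(echo INJECTED)` inside the URL and the `"` in the title terminates the argument, so the attacker's `echo INJECTED2` runs as a separate command. The single-quoted build and the argv call both deliver the URL and title to the command verbatim.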

Impact
======

A remote attacker can execute an arbitrary command on the affected host
by tricking a user into bookmarking a specially crafted RSS item.

References
==========

https://github.com/akrennmair/newsbeuter/issues/591
https://groups.google.com/forum/#!topic/newsbeuter/iFqSE7Vz-DE
https://security.archlinux.org/CVE-2017-12904