mirror of
https://git.in.rschanz.org/ryan77627/guix.git
synced 2024-12-27 14:52:05 -05:00
d9f15d7e48
* gnu/packages/patches/newsbeuter-CVE-2017-12904.patch: New file. * gnu/local.mk (dist_patch_DATA): Add it. * gnu/packages/syndication.scm (newsbeuter)[source]: Use it.
34 lines
1.6 KiB
Diff
34 lines
1.6 KiB
Diff
Fix CVE-2017-12904:
|
|
|
|
https://github.com/akrennmair/newsbeuter/issues/591
|
|
https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-12904
|
|
|
|
Patch copied from the Debian package of newsbeuter, version 2.9-5+deb9u1.
|
|
|
|
Adapted from upstream source repository:
|
|
|
|
https://github.com/akrennmair/newsbeuter/commit/96e9506ae9e252c548665152d1b8968297128307
|
|
|
|
Description: Fix a RCE vulnerability in the bookmark command
|
|
Newsbeuter didn't properly escape the title and description fields before
|
|
passing them to the bookmarking program which could lead to remote code
|
|
execution using the shells command substitution functionality (e.g. "$()", ``,
|
|
etc)
|
|
|
|
Origin: upstream, https://github.com/akrennmair/newsbeuter/commit/96e9506ae9e252c548665152d1b8968297128307
|
|
Last-Update: 2017-08-18
|
|
|
|
--- newsbeuter-2.9.orig/src/controller.cpp
|
|
+++ newsbeuter-2.9/src/controller.cpp
|
|
@@ -1274,9 +1274,10 @@ std::string controller::bookmark(const s
|
|
std::string bookmark_cmd = cfg.get_configvalue("bookmark-cmd");
|
|
bool is_interactive = cfg.get_configvalue_as_bool("bookmark-interactive");
|
|
if (bookmark_cmd.length() > 0) {
|
|
- std::string cmdline = utils::strprintf("%s '%s' %s %s",
|
|
+ std::string cmdline = utils::strprintf("%s '%s' '%s' '%s'",
|
|
bookmark_cmd.c_str(), utils::replace_all(url,"'", "%27").c_str(),
|
|
- stfl::quote(title).c_str(), stfl::quote(description).c_str());
|
|
+ utils::replace_all(title,"'", "%27").c_str(),
|
|
+ utils::replace_all(description,"'", "%27").c_str());
|
|
|
|
LOG(LOG_DEBUG, "controller::bookmark: cmd = %s", cmdline.c_str());
|