GNU bug report logs - #28143
[PATCH] gnu: newsbeuter: Fix CVE-2017-12904.


Package: guix-patches;

Reported by: Leo Famulari <leo <at> famulari.name>

Date: Fri, 18 Aug 2017 20:48:02 UTC

Severity: normal

Tags: patch

Done: Leo Famulari <leo <at> famulari.name>

Bug is archived. No further changes may be made.



Report forwarded to guix-patches <at> gnu.org:
bug#28143; Package guix-patches. (Fri, 18 Aug 2017 20:48:02 GMT) Full text and rfc822 format available.

Acknowledgement sent to Leo Famulari <leo <at> famulari.name>:
New bug report received and forwarded. Copy sent to guix-patches <at> gnu.org. (Fri, 18 Aug 2017 20:48:02 GMT) Full text and rfc822 format available.

Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):

From: Leo Famulari <leo <at> famulari.name>
To: guix-patches <at> gnu.org
Subject: [PATCH] gnu: newsbeuter: Fix CVE-2017-12904.
Date: Fri, 18 Aug 2017 16:47:09 -0400
* gnu/packages/patches/newsbeuter-CVE-2017-12904.patch: New file.
* gnu/local.mk (dist_patch_DATA): Add it.
* gnu/packages/syndication.scm (newsbeuter)[source]: Use it.
---
 gnu/local.mk                                       |  1 +
 .../patches/newsbeuter-CVE-2017-12904.patch        | 34 ++++++++++++++++++++++
 gnu/packages/syndication.scm                       |  2 ++
 3 files changed, 37 insertions(+)
 create mode 100644 gnu/packages/patches/newsbeuter-CVE-2017-12904.patch

diff --git a/gnu/local.mk b/gnu/local.mk
index c37d4b220..8e4e29bdd 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -879,6 +879,7 @@ dist_patch_DATA =						\
   %D%/packages/patches/netsurf-system-utf8proc.patch		\
   %D%/packages/patches/netsurf-y2038-tests.patch		\
   %D%/packages/patches/netsurf-longer-test-timeout.patch	\
+  %D%/packages/patches/newsbeuter-CVE-2017-12904.patch		\
   %D%/packages/patches/ngircd-handle-zombies.patch		\
   %D%/packages/patches/ninja-zero-mtime.patch			\
   %D%/packages/patches/node-9077.patch				\
diff --git a/gnu/packages/patches/newsbeuter-CVE-2017-12904.patch b/gnu/packages/patches/newsbeuter-CVE-2017-12904.patch
new file mode 100644
index 000000000..8e9050246
--- /dev/null
+++ b/gnu/packages/patches/newsbeuter-CVE-2017-12904.patch
@@ -0,0 +1,34 @@
+Fix CVE-2017-12904:
+
+https://github.com/akrennmair/newsbeuter/issues/591
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-12904
+
+Patch copied from the Debian package of newsbeuter, version 2.9-5+deb9u1.
+
+Adapted from upstream source repository:
+
+https://github.com/akrennmair/newsbeuter/commit/96e9506ae9e252c548665152d1b8968297128307
+
+Description: Fix a RCE vulnerability in the bookmark command
+ Newsbeuter didn't properly escape the title and description fields before
+ passing them to the bookmarking program which could lead to remote code
+ execution using the shells command substitution functionality (e.g. "$()", ``,
+ etc)
+
+Origin: upstream, https://github.com/akrennmair/newsbeuter/commit/96e9506ae9e252c548665152d1b8968297128307
+Last-Update: 2017-08-18
+
+--- newsbeuter-2.9.orig/src/controller.cpp
++++ newsbeuter-2.9/src/controller.cpp
+@@ -1274,9 +1274,10 @@ std::string controller::bookmark(const s
+ 	std::string bookmark_cmd = cfg.get_configvalue("bookmark-cmd");
+ 	bool is_interactive = cfg.get_configvalue_as_bool("bookmark-interactive");
+ 	if (bookmark_cmd.length() > 0) {
+-		std::string cmdline = utils::strprintf("%s '%s' %s %s",
++		std::string cmdline = utils::strprintf("%s '%s' '%s' '%s'",
+ 		                                       bookmark_cmd.c_str(), utils::replace_all(url,"'", "%27").c_str(),
+-		                                       stfl::quote(title).c_str(), stfl::quote(description).c_str());
++		                                       utils::replace_all(title,"'", "%27").c_str(),
++		                                       utils::replace_all(description,"'", "%27").c_str());
+ 
+ 		LOG(LOG_DEBUG, "controller::bookmark: cmd = %s", cmdline.c_str());
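Review bot: In the controller.cpp change, `utils::replace_all(title,"'", "%27")` and the same call on description alter the data as well as neutralising it: percent-encoding is meaningful for the url argument, but a title or description containing an apostrophe will now reach the bookmark-cmd with a literal `%27` in its place. The single-quoted `'%s'` arguments do stop command substitution, because the only character that can end a single-quoted shell word has been removed, so this is a behaviour change to document rather than a gap in the fix; either mention it in the patch header or consider the shell idiom of replacing `'` with `'\''` for the two free-text fields, so the bookmark program receives the original text. Separately, the mitre link in the header uses `name=2017-12904` without the `CVE-` prefix; the full identifier would be easier to search for.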
diff --git a/gnu/packages/syndication.scm b/gnu/packages/syndication.scm
index f43400665..80c45c396 100644
--- a/gnu/packages/syndication.scm
+++ b/gnu/packages/syndication.scm
@@ -18,6 +18,7 @@
   #:use-module (guix download)
   #:use-module (guix packages)
   #:use-module (guix build-system gnu)
+  #:use-module (gnu packages)
   #:use-module (gnu packages curl)
   #:use-module (gnu packages databases)
   #:use-module (gnu packages gettext)
@@ -37,6 +38,7 @@
         (method url-fetch)
         (uri (string-append "https://newsbeuter.org/downloads/newsbeuter-"
                             version ".tar.gz"))
+        (patches (search-patches "newsbeuter-CVE-2017-12904.patch"))
         (sha256
          (base32
           "1j1x0hgwxz11dckk81ncalgylj5y5fgw5bcmp9qb5hq9kc0vza3l"))))
-- 
2.14.1





Information forwarded to guix-patches <at> gnu.org:
bug#28143; Package guix-patches. (Fri, 18 Aug 2017 20:56:01 GMT) Full text and rfc822 format available.

Message #8 received at 28143 <at> debbugs.gnu.org (full text, mbox):

From: Marius Bakke <mbakke <at> fastmail.com>
To: Leo Famulari <leo <at> famulari.name>, 28143 <at> debbugs.gnu.org
Subject: Re: [bug#28143] [PATCH] gnu: newsbeuter: Fix CVE-2017-12904.
Date: Fri, 18 Aug 2017 22:55:27 +0200
Leo Famulari <leo <at> famulari.name> writes:

> * gnu/packages/patches/newsbeuter-CVE-2017-12904.patch: New file.
> * gnu/local.mk (dist_patch_DATA): Add it.
> * gnu/packages/syndication.scm (newsbeuter)[source]: Use it.

LGTM, thanks!

bug closed, send any further explanations to 28143 <at> debbugs.gnu.org and Leo Famulari <leo <at> famulari.name> Request was from Leo Famulari <leo <at> famulari.name> to control <at> debbugs.gnu.org. (Fri, 18 Aug 2017 21:26:01 GMT) Full text and rfc822 format available.

bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Sat, 16 Sep 2017 11:24:04 GMT) Full text and rfc822 format available.
