From: Aaron Bauman
To: gentoo-announce@lists.gentoo.org
Reply-To: security@gentoo.org
Subject: [gentoo-announce] [ GLSA 201801-18 ] Newsbeuter: User-assisted execution of arbitrary code
Date: Wed, 17 Jan 2018 08:46:12 -0500
Message-ID: <3285791.M50zSjlTpV@localhost.localdomain>
Organization: Gentoo

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 201801-18
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: Normal
Title: Newsbeuter: User-assisted execution of arbitrary code
Date: January 17, 2018
Bugs: #628796
ID: 201801-18

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Insufficient input validation in Newsbeuter may allow remote attackers
to execute arbitrary shell commands.

Background
==========

Newsbeuter is an RSS/Atom feed reader for the text console.

Affected packages
=================

  -------------------------------------------------------------------
   Package              /     Vulnerable     /            Unaffected
  -------------------------------------------------------------------
  1  net-news/newsbeuter           < 2.9-r3                >= 2.9-r3

Description
===========

Newsbeuter does not properly escape shell meta-characters in the title
and description of RSS feeds when bookmarking.

Impact
======

A remote attacker, by enticing a user to open a feed with specially
crafted URLs, could possibly execute arbitrary shell commands with the
privileges of the user running the application.

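The Description and Impact above describe one bug class: untrusted feed fields (title, description) reaching a bookmark hook through a shell, where unescaped meta-characters are interpreted as commands. The following is an added example and not Newsbeuter's code; it places that vulnerable string-building pattern beside the argv-based fix and a quoting fallback. The hook name bookmark-cmd, the function names and the feed item are constructed assumptions.

```python
"""Added example, not Newsbeuter's code: the bug class behind CVE-2017-12904,
untrusted feed fields interpolated into a bookmark shell command, beside the
argv-based fix.  Function names and the 'bookmark-cmd' hook are assumptions."""
import shlex
import subprocess
import sys

# Constructed feed item (not a real feed): the title carries shell
# meta-characters that a feed author, not the user, controls.
ITEM = {
    "url": "https://example.invalid/post/1",
    "title": "Release notes; $(id) `uname` && more",
    "description": "description with 'single' and \"double\" quotes",
}
SHELL_META = set(";&|$`<>()\\\"'*?[]{}~#!\n")

def unsafe_command(item, hook="bookmark-cmd"):
    """Vulnerable pattern: interpolate untrusted fields into one shell string.
    Double quotes do not stop $(...) or `...` expansion, and a quote inside
    the description ends the quoting early.  Built here, never executed."""
    return f'{hook} "{item["url"]}" "{item["title"]}" "{item["description"]}"'

def safe_argv(item, hook="bookmark-cmd"):
    """Hardened form: each field is its own argv element; no shell parses it."""
    return [hook, item["url"], item["title"], item["description"]]

def safe_shell_string(item, hook="bookmark-cmd"):
    """If a shell string is unavoidable (user-configured pipeline), quote every
    field so the shell treats it as a single literal word."""
    return " ".join(shlex.quote(s) for s in safe_argv(item, hook))

def quoting_roundtrips(item):
    """True when a POSIX split of the quoted string yields exactly the intended
    argv, i.e. the meta-characters stayed inside one literal."""
    return shlex.split(safe_shell_string(item)) == safe_argv(item)

def has_shell_metachars(text):
    """Defensive check a reader could log on before invoking any hook."""
    return any(c in SHELL_META for c in text)

def run_bookmark(item, hook=None):
    """Invoke the hook with argv and no shell.  The default hook is a stand-in
    that prints its arguments one per line, so the demo is harmless and shows
    the meta-characters arriving uninterpreted."""
    if hook is None:
        hook = [sys.executable, "-c", "import sys; print('\\n'.join(sys.argv[1:]))"]
    argv = list(hook) + [item["url"], item["title"], item["description"]]
    out = subprocess.run(argv, capture_output=True, text=True, check=True).stdout
    return out.rstrip("\n").split("\n")
```

Compare unsafe_command(ITEM), where `$(id)` sits unprotected inside double quotes, with safe_shell_string(ITEM), where the whole title is one single-quoted word; run_bookmark(ITEM) shows the three fields reaching the hook byte-for-byte intact.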
Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Newsbeuter users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=net-news/newsbeuter-2.9-r3"

References
==========

[ 1 ] CVE-2017-12904
      https://nvd.nist.gov/vuln/detail/CVE-2017-12904

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 https://security.gentoo.org/glsa/201801-18

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2018 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5