me/guix
Archived
1
0
Fork 0
Code Activity

gnu: newsbeuter: Fix CVE-2017-12904.

Browse source 
* gnu/packages/patches/newsbeuter-CVE-2017-12904.patch: New file.
* gnu/local.mk (dist_patch_DATA): Add it.
* gnu/packages/syndication.scm (newsbeuter)[source]: Use it.
This commit is contained in:
Leo Famulari 2017-08-18 16:33:04 -04:00
parent 8c0c0c4def
commit d9f15d7e48
No known key found for this signature in database
GPG key ID: 2646FA30BACA7F08
3 changed files with 37 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

1
gnu/local.mk
View file

@ -879,6 +879,7 @@ dist_patch_DATA = \
%D%/packages/patches/netsurf-system-utf8proc.patch \ %D%/packages/patches/netsurf-system-utf8proc.patch \
%D%/packages/patches/netsurf-y2038-tests.patch \ %D%/packages/patches/netsurf-y2038-tests.patch \
%D%/packages/patches/netsurf-longer-test-timeout.patch \ %D%/packages/patches/netsurf-longer-test-timeout.patch \
%D%/packages/patches/newsbeuter-CVE-2017-12904.patch \
%D%/packages/patches/ngircd-handle-zombies.patch \ %D%/packages/patches/ngircd-handle-zombies.patch \
%D%/packages/patches/ninja-zero-mtime.patch \ %D%/packages/patches/ninja-zero-mtime.patch \
%D%/packages/patches/node-9077.patch \ %D%/packages/patches/node-9077.patch \

34
gnu/packages/patches/newsbeuter-CVE-2017-12904.patch Normal file
View file

@ -0,0 +1,34 @@
Fix CVE-2017-12904:
https://github.com/akrennmair/newsbeuter/issues/591
https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-12904
Patch copied from the Debian package of newsbeuter, version 2.9-5+deb9u1.
Adapted from upstream source repository:
https://github.com/akrennmair/newsbeuter/commit/96e9506ae9e252c548665152d1b8968297128307
Description: Fix a RCE vulnerability in the bookmark command
Newsbeuter didn't properly escape the title and description fields before
passing them to the bookmarking program which could lead to remote code
execution using the shells command substitution functionality (e.g. "$()", ``,
etc)
Origin: upstream, https://github.com/akrennmair/newsbeuter/commit/96e9506ae9e252c548665152d1b8968297128307
Last-Update: 2017-08-18
--- newsbeuter-2.9.orig/src/controller.cpp
+++ newsbeuter-2.9/src/controller.cpp
@@ -1274,9 +1274,10 @@ std::string controller::bookmark(const s
std::string bookmark_cmd = cfg.get_configvalue("bookmark-cmd");
bool is_interactive = cfg.get_configvalue_as_bool("bookmark-interactive");
if (bookmark_cmd.length() > 0) {
- std::string cmdline = utils::strprintf("%s '%s' %s %s",
+ std::string cmdline = utils::strprintf("%s '%s' '%s' '%s'",
bookmark_cmd.c_str(), utils::replace_all(url,"'", "%27").c_str(),
- stfl::quote(title).c_str(), stfl::quote(description).c_str());
+ utils::replace_all(title,"'", "%27").c_str(),
+ utils::replace_all(description,"'", "%27").c_str());
LOG(LOG_DEBUG, "controller::bookmark: cmd = %s", cmdline.c_str());

2
gnu/packages/syndication.scm
View file

@ -18,6 +18,7 @@
#:use-module (guix download) #:use-module (guix download)
#:use-module (guix packages) #:use-module (guix packages)
#:use-module (guix build-system gnu) #:use-module (guix build-system gnu)
#:use-module (gnu packages)
#:use-module (gnu packages curl) #:use-module (gnu packages curl)
#:use-module (gnu packages databases) #:use-module (gnu packages databases)
#:use-module (gnu packages gettext) #:use-module (gnu packages gettext)
@ -37,6 +38,7 @@
(method url-fetch) (method url-fetch)
(uri (string-append "https://newsbeuter.org/downloads/newsbeuter-" (uri (string-append "https://newsbeuter.org/downloads/newsbeuter-"
version ".tar.gz")) version ".tar.gz"))
(patches (search-patches "newsbeuter-CVE-2017-12904.patch"))
(sha256 (sha256
(base32 (base32
"1j1x0hgwxz11dckk81ncalgylj5y5fgw5bcmp9qb5hq9kc0vza3l")))) "1j1x0hgwxz11dckk81ncalgylj5y5fgw5bcmp9qb5hq9kc0vza3l"))))