guix-devel/gnu/packages/patches/newsbeuter-CVE-2017-12904.p...

Fix CVE-2017-12904:

https://github.com/akrennmair/newsbeuter/issues/591
https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-12904

Patch copied from the Debian package of newsbeuter, version 2.9-5+deb9u1.

Adapted from upstream source repository:

https://github.com/akrennmair/newsbeuter/commit/96e9506ae9e252c548665152d1b8968297128307

Description: Fix a RCE vulnerability in the bookmark command
 Newsbeuter didn't properly escape the title and description fields before
 passing them to the bookmarking program which could lead to remote code
 execution using the shells command substitution functionality (e.g. "$()", ``,
 etc)

Origin: upstream, https://github.com/akrennmair/newsbeuter/commit/96e9506ae9e252c548665152d1b8968297128307
Last-Update: 2017-08-18

--- newsbeuter-2.9.orig/src/controller.cpp
+++ newsbeuter-2.9/src/controller.cpp
@@ -1274,9 +1274,10 @@ std::string controller::bookmark(const s
 	std::string bookmark_cmd = cfg.get_configvalue("bookmark-cmd");
 	bool is_interactive = cfg.get_configvalue_as_bool("bookmark-interactive");
 	if (bookmark_cmd.length() > 0) {
-		std::string cmdline = utils::strprintf("%s '%s' %s %s",
+		std::string cmdline = utils::strprintf("%s '%s' '%s' '%s'",
 		                                       bookmark_cmd.c_str(), utils::replace_all(url,"'", "%27").c_str(),
-		                                       stfl::quote(title).c_str(), stfl::quote(description).c_str());
+		                                       utils::replace_all(title,"'", "%27").c_str(),
+		                                       utils::replace_all(description,"'", "%27").c_str());
 
 		LOG(LOG_DEBUG, "controller::bookmark: cmd = %s", cmdline.c_str());
gnu: newsbeuter: Fix CVE-2017-12904. * gnu/packages/patches/newsbeuter-CVE-2017-12904.patch: New file. * gnu/local.mk (dist_patch_DATA): Add it. * gnu/packages/syndication.scm (newsbeuter)[source]: Use it. 2017-08-18 22:33:04 +02:00			`Fix CVE-2017-12904:`

			`https://github.com/akrennmair/newsbeuter/issues/591`
			`https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-12904`

			`Patch copied from the Debian package of newsbeuter, version 2.9-5+deb9u1.`

			`Adapted from upstream source repository:`

			`https://github.com/akrennmair/newsbeuter/commit/96e9506ae9e252c548665152d1b8968297128307`

			`Description: Fix a RCE vulnerability in the bookmark command`
			`Newsbeuter didn't properly escape the title and description fields before`
			`passing them to the bookmarking program which could lead to remote code`
			execution using the shells command substitution functionality (e.g. "$()", ``,
			`etc)`

			`Origin: upstream, https://github.com/akrennmair/newsbeuter/commit/96e9506ae9e252c548665152d1b8968297128307`
			`Last-Update: 2017-08-18`

			`--- newsbeuter-2.9.orig/src/controller.cpp`
			`+++ newsbeuter-2.9/src/controller.cpp`
			`@@ -1274,9 +1274,10 @@ std::string controller::bookmark(const s`
			`std::string bookmark_cmd = cfg.get_configvalue("bookmark-cmd");`
			`bool is_interactive = cfg.get_configvalue_as_bool("bookmark-interactive");`
			`if (bookmark_cmd.length() > 0) {`
			`- std::string cmdline = utils::strprintf("%s '%s' %s %s",`
			`+ std::string cmdline = utils::strprintf("%s '%s' '%s' '%s'",`
			`bookmark_cmd.c_str(), utils::replace_all(url,"'", "%27").c_str(),`
			`- stfl::quote(title).c_str(), stfl::quote(description).c_str());`
			`+ utils::replace_all(title,"'", "%27").c_str(),`
			`+ utils::replace_all(description,"'", "%27").c_str());`

			`LOG(LOG_DEBUG, "controller::bookmark: cmd = %s", cmdline.c_str());`