gnu: newsbeuter: Fix CVE-2017-14500.

* gnu/packages/syndication.scm (newsbeuter)[source]: Add patch.
* gnu/packages/patches/newsbeuter-CVE-2017-14500.patch: New file.
* gnu/local.mk (dist_patch_DATA): Register it.
This commit is contained in:
Efraim Flashner 2017-09-18 22:38:56 +03:00
parent f53e4ada03
commit bbcfd80a20
No known key found for this signature in database
GPG Key ID: 41AAE7DCCA3D8351
3 changed files with 47 additions and 2 deletions

View File

@ -883,6 +883,7 @@ dist_patch_DATA = \
%D%/packages/patches/netsurf-y2038-tests.patch \ %D%/packages/patches/netsurf-y2038-tests.patch \
%D%/packages/patches/netsurf-longer-test-timeout.patch \ %D%/packages/patches/netsurf-longer-test-timeout.patch \
%D%/packages/patches/newsbeuter-CVE-2017-12904.patch \ %D%/packages/patches/newsbeuter-CVE-2017-12904.patch \
%D%/packages/patches/newsbeuter-CVE-2017-14500.patch \
%D%/packages/patches/ngircd-handle-zombies.patch \ %D%/packages/patches/ngircd-handle-zombies.patch \
%D%/packages/patches/ninja-zero-mtime.patch \ %D%/packages/patches/ninja-zero-mtime.patch \
%D%/packages/patches/nss-increase-test-timeout.patch \ %D%/packages/patches/nss-increase-test-timeout.patch \

View File

@ -0,0 +1,43 @@
https://github.com/akrennmair/newsbeuter/commit/26f5a4350f3ab5507bb8727051c87bb04660f333.patch
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14500
From 26f5a4350f3ab5507bb8727051c87bb04660f333 Mon Sep 17 00:00:00 2001
From: Alexander Batischev <eual.jp@gmail.com>
Date: Sat, 16 Sep 2017 19:31:43 +0300
Subject: [PATCH] Work around shell code in podcast names (#598)
---
src/pb_controller.cpp | 6 +++---
src/queueloader.cpp | 2 +-
2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/src/pb_controller.cpp b/src/pb_controller.cpp
index 09b5e897..213216cd 100644
--- a/src/pb_controller.cpp
+++ b/src/pb_controller.cpp
@@ -306,9 +306,9 @@ void pb_controller::play_file(const std::string& file) {
if (player == "")
return;
cmdline.append(player);
- cmdline.append(" \"");
- cmdline.append(utils::replace_all(file,"\"", "\\\""));
- cmdline.append("\"");
+ cmdline.append(" \'");
+ cmdline.append(utils::replace_all(file,"'", "%27"));
+ cmdline.append("\'");
stfl::reset();
LOG(LOG_DEBUG, "pb_controller::play_file: running `%s'", cmdline.c_str());
::system(cmdline.c_str());
diff --git a/src/queueloader.cpp b/src/queueloader.cpp
index c1dabdd8..ae725e04 100644
--- a/src/queueloader.cpp
+++ b/src/queueloader.cpp
@@ -130,7 +130,7 @@ std::string queueloader::get_filename(const std::string& str) {
strftime(lbuf, sizeof(lbuf), "%Y-%b-%d-%H%M%S.unknown", localtime(&t));
fn.append(lbuf);
} else {
- fn.append(base);
+ fn.append(utils::replace_all(base, "'", "%27"));
}
return fn;
}

View File

@ -1,4 +1,4 @@
;;; Copyright © 2016 Efraim Flashner <efraim@flashner.co.il> ;;; Copyright © 2016, 2017 Efraim Flashner <efraim@flashner.co.il>
;;; ;;;
;;; GNU Guix is free software; you can redistribute it and/or modify it ;;; GNU Guix is free software; you can redistribute it and/or modify it
;;; under the terms of the GNU General Public License as published by ;;; under the terms of the GNU General Public License as published by
@ -38,7 +38,8 @@
(method url-fetch) (method url-fetch)
(uri (string-append "https://newsbeuter.org/downloads/newsbeuter-" (uri (string-append "https://newsbeuter.org/downloads/newsbeuter-"
version ".tar.gz")) version ".tar.gz"))
(patches (search-patches "newsbeuter-CVE-2017-12904.patch")) (patches (search-patches "newsbeuter-CVE-2017-12904.patch"
"newsbeuter-CVE-2017-14500.patch"))
(sha256 (sha256
(base32 (base32
"1j1x0hgwxz11dckk81ncalgylj5y5fgw5bcmp9qb5hq9kc0vza3l")))) "1j1x0hgwxz11dckk81ncalgylj5y5fgw5bcmp9qb5hq9kc0vza3l"))))