Hello, I unfortunately don't currently have the time or access (not a DD so can't upload directly to security-master) to follow the workflow you linked.
However, the patch for the jessie version applies to the wheezy version as well, so I have prepared a marginally tested (i.e. I made sure that it fixes the vulnerability as described) package; see the attached debdiff. - Nikos
diff -Nru newsbeuter-2.5/debian/changelog newsbeuter-2.5/debian/changelog --- newsbeuter-2.5/debian/changelog 2014-02-27 15:43:15.000000000 +0200 +++ newsbeuter-2.5/debian/changelog 2017-08-19 11:04:09.000000000 +0300 @@ -1,3 +1,9 @@ +newsbeuter (2.5-2+deb7u2) wheezy-security; urgency=high + + * Fix RCE vulnerability on bookmark (CVE-2017-12904) + + -- Nikos Tsipinakis <[email protected]> Sat, 19 Aug 2017 11:04:09 +0300 + newsbeuter (2.5-2+deb7u1) stable; urgency=low * Fix FTBFS issue due to json's switch from boolean to json_bool (Closes: #689225) diff -Nru newsbeuter-2.5/debian/patches/fix-RCE-on-bookmark.patch newsbeuter-2.5/debian/patches/fix-RCE-on-bookmark.patch --- newsbeuter-2.5/debian/patches/fix-RCE-on-bookmark.patch 1970-01-01 02:00:00.000000000 +0200 +++ newsbeuter-2.5/debian/patches/fix-RCE-on-bookmark.patch 2017-08-19 11:04:09.000000000 +0300 
@@ -0,0 +1,25 @@ +Description: Fix a RCE vulnerability on the bookmark command + Newsbeuter didn't properly escape the title and description fields before + passing them to the bookmarking program which could lead to remote code + execution using the shells command substitution functionality (e.g. "$()", ``, + etc) + +Origin: upstream, https://github.com/akrennmair/newsbeuter/commit/96e9506ae9e252c548665152d1b8968297128307 +Last-Update: 2017-08-17 + +--- a/src/controller.cpp ++++ b/src/controller.cpp +@@ -1240,9 +1240,10 @@ + std::string bookmark_cmd = cfg.get_configvalue("bookmark-cmd"); + bool is_interactive = cfg.get_configvalue_as_bool("bookmark-interactive"); + if (bookmark_cmd.length() > 0) { +- std::string cmdline = utils::strprintf("%s '%s' %s %s", +- bookmark_cmd.c_str(), utils::replace_all(url,"'", "%27").c_str(), +- stfl::quote(title).c_str(), stfl::quote(description).c_str()); ++ std::string cmdline = utils::strprintf("%s '%s' '%s' '%s'", ++ bookmark_cmd.c_str(), utils::replace_all(url,"'", "%27").c_str(), ++ utils::replace_all(title,"'", "%27").c_str(), ++ utils::replace_all(description,"'", "%27").c_str()); + + LOG(LOG_DEBUG, "controller::bookmark: cmd = %s", cmdline.c_str()); + diff -Nru newsbeuter-2.5/debian/patches/series newsbeuter-2.5/debian/patches/series --- newsbeuter-2.5/debian/patches/series 2014-02-27 15:42:37.000000000 +0200 +++ newsbeuter-2.5/debian/patches/series 2017-08-19 11:04:09.000000000 +0300 @@ -1,2 +1,3 @@ fix_gcc-4.7_ftbfs.patch fix_json_boolean_include.patch +fix-RCE-on-bookmark.patch
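Review bot: in the controller.cpp hunk, switching the title and description from `stfl::quote()` to `utils::replace_all(..., "'", "%27")` inside a single-quoted argument does close the hole (a `'` in the feed data can no longer terminate the quoted argument, so `$()` or backticks in it are never interpreted), but it also alters the data: a title or description containing an apostrophe now reaches the bookmark program with a literal `%27` in its place, which is appropriate for the URL but is not what a user would expect in free text. If preserving the text matters, the shell-safe way to embed arbitrary text in a single-quoted argument is to replace each `'` with `'\''` (close the quote, add an escaped quote, reopen) before wrapping; either way the patch Description should say that the fields are now passed through unchanged apart from this substitution and that `stfl::quote` is no longer used for them. Minor wording in the same Description: "a RCE" should read "an RCE", and "the shells command substitution" should read "the shell's command substitution".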
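Review bot: the changelog hunk for 2.5-2+deb7u2 names the CVE but, unlike the deb7u1 entry just below it, carries no `(Closes: #<bug number>)` reference to the Debian bug this upload addresses; adding one lets the upload close the report automatically and ties the security tracker entry to the bug log. The series hunk is fine as it stands, since the new patch is appended after the existing two and depends on neither.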
