Hi, I've prepared a patch fixing CVE-2017-14500[1] in the wheezy version of newsbeuter. Can someone push it to security-master?
Debdiff attached.

[1] https://security-tracker.debian.org/tracker/CVE-2017-14500
diff -Nru newsbeuter-2.5/debian/changelog newsbeuter-2.5/debian/changelog --- newsbeuter-2.5/debian/changelog 2017-08-19 11:04:09.000000000 +0300 +++ newsbeuter-2.5/debian/changelog 2017-09-21 07:44:42.000000000 +0300 @@ -1,3 +1,9 @@ +newsbeuter (2.5-2+deb7u3) wheezy-security; urgency=high + + * Fix RCE in podbeuter (CVE-2017-14500) + + -- Nikos Tsipinakis <[email protected]> Thu, 21 Sep 2017 07:44:42 +0300 + newsbeuter (2.5-2+deb7u2) wheezy-security; urgency=high * Fix RCE vulnerability on bookmark (CVE-2017-12904) diff -Nru newsbeuter-2.5/debian/patches/fix-RCE-in-podbeuter.patch newsbeuter-2.5/debian/patches/fix-RCE-in-podbeuter.patch --- newsbeuter-2.5/debian/patches/fix-RCE-in-podbeuter.patch 1970-01-01 02:00:00.000000000 +0200 +++ newsbeuter-2.5/debian/patches/fix-RCE-in-podbeuter.patch 2017-09-21 07:44:34.000000000 +0300 
@@ -0,0 +1,36 @@ +From 26f5a4350f3ab5507bb8727051c87bb04660f333 Mon Sep 17 00:00:00 2001 +From: Alexander Batischev <[email protected]> +Date: Sat, 16 Sep 2017 19:31:43 +0300 +Subject: [PATCH] Work around shell code in podcast names (#598) + +--- + src/pb_controller.cpp | 6 +++--- + src/queueloader.cpp | 2 +- + 2 files changed, 4 insertions(+), 4 deletions(-) + +--- a/src/pb_controller.cpp ++++ b/src/pb_controller.cpp +@@ -313,9 +313,9 @@ + if (player == "") + return; + cmdline.append(player); +- cmdline.append(" \""); +- cmdline.append(utils::replace_all(file,"\"", "\\\"")); +- cmdline.append("\""); ++ cmdline.append(" \'"); ++ cmdline.append(utils::replace_all(file,"'", "%27")); ++ cmdline.append("\'"); + stfl::reset(); + LOG(LOG_DEBUG, "pb_controller::play_file: running `%s'", cmdline.c_str()); + ::system(cmdline.c_str()); +--- a/src/queueloader.cpp ++++ b/src/queueloader.cpp +@@ -133,7 +133,7 @@ + strftime(lbuf, sizeof(lbuf), "%Y-%b-%d-%H%M%S.unknown", localtime(&t)); + fn.append(lbuf); + } else { +- fn.append(base); ++ fn.append(utils::replace_all(base, "'", "%27")); + } + return fn; + } diff -Nru newsbeuter-2.5/debian/patches/series newsbeuter-2.5/debian/patches/series --- newsbeuter-2.5/debian/patches/series 2017-08-19 11:04:09.000000000 +0300 +++ newsbeuter-2.5/debian/patches/series 2017-09-21 07:44:14.000000000 +0300 @@ -1,3 +1,4 @@ fix_gcc-4.7_ftbfs.patch fix_json_boolean_include.patch fix-RCE-on-bookmark.patch +fix-RCE-in-podbeuter.patch
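Review bot: in the src/pb_controller.cpp hunk (play_file), `utils::replace_all(file,"'", "%27")` rewrites the path handed to the player rather than escaping it, so a file already on disk with a literal apostrophe in its name is passed under a name that does not exist. The single quotes do keep the shell from interpreting the name, but the name can stay intact if each `'` is replaced with `'\''` instead of `%27`. A sturdier change is to drop `::system(cmdline.c_str())` and start the player with fork/execvp, passing the file as its own argv element so that no shell parses it. Minor style point: the backslash in `" \'"` and `"\'"` is not needed inside a double-quoted string literal.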
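Review bot: in the src/queueloader.cpp hunk, only `base` is encoded in the else branch, while whatever was appended to `fn` before this point is left as it is. If that earlier part can hold an apostrophe, play_file will turn it into %27 and the player receives a path that differs from the one the file was saved under. Consider encoding the complete `fn` just before `return fn;`, moving the `'` to `%27` replacement into one helper shared by both files, and adding a comment saying the encoding exists because play_file wraps the name in single quotes.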
