Bug 1483363 - [CVE-2017-12904] Remote code execution in newsbeuter
Summary: [CVE-2017-12904] Remote code execution in newsbeuter
Status: CLOSED DUPLICATE of bug 1484519
Alias: None
Product: Fedora
Classification: Fedora
Component: newsbeuter
Version: 26
Hardware: All
OS: All
Target Milestone: ---
Assignee: Ben Boeckel
QA Contact: Fedora Extras Quality Assurance
Depends On:
Reported: 2017-08-21 00:22 UTC by Timo Trinks
Modified: 2017-08-31 13:17 UTC

Fixed In Version:
Clone Of:
Last Closed: 2017-08-31 13:17:53 UTC
Type: Bug


Description Timo Trinks 2017-08-21 00:22:53 UTC
Description of problem:

Jeriko One discovered a vulnerability that allows a remote attacker to execute arbitrary code on your computer.

An attacker can craft an RSS item with shell code in the title and/or URL. When you bookmark such an item, your shell will execute that code. The vulnerability is triggered when bookmark-cmd is called; if you abort bookmarking before that, you're safe.

Version-Release number of selected component (if applicable):

Newsbeuter versions 0.7 through 2.9 are affected.

How reproducible:



Additional info:


Comment 1 Andrej Nemec 2017-08-31 13:17:53 UTC

*** This bug has been marked as a duplicate of bug 1484519 ***
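
Added example, not part of the bug report and not newsbeuter's source: the description says a feed-supplied title and URL reach the shell when bookmark-cmd is called. The C++ code below contrasts an assumed double-quote interpolation pattern with POSIX single-quote escaping of each field; `shell_quote`, `build_cmd_unsafe`, `build_cmd_safe`, the script name `bm.sh` and the sample item are all hypothetical.

```cpp
#include <iostream>
#include <string>

// POSIX single-quote quoting: inside '...' the shell treats every byte
// literally, so the only character needing care is ' itself, which is
// emitted as '\'' (close quote, backslash-escaped quote, reopen quote).
std::string shell_quote(const std::string& s) {
    std::string out = "'";
    for (char c : s) {
        if (c == '\'') out += "'\\''";
        else out += c;
    }
    out += "'";
    return out;
}

// Unsafe pattern (assumed for illustration): double quotes still allow
// $(...) and backtick substitution, and a " in the field ends the quoting.
std::string build_cmd_unsafe(const std::string& cmd, const std::string& url,
                             const std::string& title) {
    return cmd + " \"" + url + "\" \"" + title + "\"";
}

// Hardened: every feed-controlled field is single-quoted before it reaches
// the shell, so the bookmark script receives it as one literal argument.
// Passing the fields as an argv array to exec*() avoids the shell entirely.
std::string build_cmd_safe(const std::string& cmd, const std::string& url,
                           const std::string& title) {
    return cmd + " " + shell_quote(url) + " " + shell_quote(title);
}

int main() {
    // Constructed sample feed item, not taken from any real feed.
    const std::string url = "https://example.org/post?id=1";
    const std::string title = "Release notes $(echo INJECTED) it's `here`";
    std::cout << "unsafe: " << build_cmd_unsafe("bm.sh", url, title) << "\n";
    std::cout << "safe:   " << build_cmd_safe("bm.sh", url, title) << "\n";
    return 0;
}
```

In the unsafe line the substitution syntax sits inside double quotes, where the shell still evaluates it; in the safe line the same bytes sit inside single quotes and are passed through unchanged.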
