Bug 1483363 - [CVE-2017-12904] Remote code execution in newsbeuter
Summary: [CVE-2017-12904] Remote code execution in newsbeuter
Keywords:
Status: CLOSED DUPLICATE of bug 1484519
Alias: None
Product: Fedora
Classification: Fedora
Component: newsbeuter
Version: 26
Hardware: All
OS: All
unspecified
urgent
Target Milestone: ---
Assignee: Ben Boeckel
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2017-08-21 00:22 UTC by Timo Trinks
Modified: 2017-08-31 13:17 UTC (History)
2 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-08-31 13:17:53 UTC
Type: Bug


Attachments (Terms of Use)

Description Timo Trinks 2017-08-21 00:22:53 UTC
Description of problem:

Jeriko One discovered a vulnerability that allows a remote attacker to execute arbitrary code on your computer.

An attacker can craft an RSS item with shell code in the title and/or URL. When you bookmark such an item, your shell will execute that code. The vulnerability is triggered when bookmark-cmd is called; if you abort bookmarking before that, you're safe.

Version-Release number of selected component (if applicable):

Newsbeuter versions 0.7 through 2.9 are affected.

How reproducible:

Always.

[...]

Additional info:

https://github.com/akrennmair/newsbeuter/issues/591

Comment 1 Andrej Nemec 2017-08-31 13:17:53 UTC

*** This bug has been marked as a duplicate of bug 1484519 ***


Note You need to log in before you can comment on or make changes to this bug.