Bug 1483363 - [CVE-2017-12904] Remote code execution in newsbeuter
Summary: [CVE-2017-12904] Remote code execution in newsbeuter
Keywords:
Status: CLOSED DUPLICATE of bug 1484519
Alias: None
Product: Fedora
Classification: Fedora
Component: newsbeuter
Version: 26
Hardware: All
OS: All
Priority: unspecified
Severity: urgent
Target Milestone: ---
Assignee: Ben Boeckel
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2017-08-21 00:22 UTC by Timo Trinks
Modified: 2017-08-31 13:17 UTC

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2017-08-31 13:17:53 UTC
Type: Bug
Embargoed:


Description Timo Trinks 2017-08-21 00:22:53 UTC
Description of problem:

Jeriko One discovered a vulnerability that allows a remote attacker to execute arbitrary code on your computer.

An attacker can craft an RSS item with shell code in the title and/or URL. When you bookmark such an item, your shell will execute that code. The vulnerability is triggered when bookmark-cmd is called; if you abort bookmarking before that, you're safe.

Version-Release number of selected component (if applicable):

Newsbeuter versions 0.7 through 2.9 are affected.

How reproducible:

Always.

[...]

Additional info:

https://github.com/akrennmair/newsbeuter/issues/591
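
Added example, not part of the original report and not newsbeuter's code or its actual patch: the class of defect described above (feed-controlled title/URL reaching a shell through bookmark-cmd) next to two hardened ways of passing the same fields. The function names, the `bm` command name and the command-line layout are hypothetical; the sample title is constructed.

```cpp
#include <spawn.h>
#include <sys/wait.h>
#include <cstdio>
#include <string>
#include <vector>

extern char **environ;

// Hypothetical "before": feed-controlled fields pasted into a string that
// /bin/sh will parse. A quote in the title ends the quoting early.
std::string naive_cmdline(const std::string& cmd, const std::string& url,
                          const std::string& title) {
    return cmd + " '" + url + "' '" + title + "'";
}

// POSIX sh quoting: wrap in single quotes and rewrite each ' as '\''.
std::string shell_quote(const std::string& s) {
    std::string out = "'";
    for (char c : s) {
        if (c == '\'') out += "'\\''";
        else out += c;
    }
    return out + "'";
}

// Preferred: no shell. Each field is exactly one argv element.
// Returns the child's exit status, or -1 on spawn/wait failure.
int run_argv(const std::vector<std::string>& args) {
    if (args.empty()) return -1;
    std::vector<char*> argv;
    for (const auto& a : args) argv.push_back(const_cast<char*>(a.c_str()));
    argv.push_back(nullptr);
    pid_t pid;
    if (posix_spawnp(&pid, argv[0], nullptr, nullptr, argv.data(), environ) != 0)
        return -1;
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main() {
    const std::string title = "it's a $(constructed) `title`;";  // constructed sample
    std::printf("naive : %s\n", naive_cmdline("bm", "http://example.invalid/", title).c_str());
    std::printf("quoted: bm %s\n", shell_quote(title).c_str());
    // sh re-parses the quoted form; it must equal the raw title passed as $1.
    int rc = run_argv({"sh", "-c", "[ " + shell_quote(title) + " = \"$1\" ]", "sh", title});
    std::printf("round trip exit status: %d\n", rc);
    return rc;
}
```

The round trip in `main` exits 0 only if the shell sees the quoted title as a single literal word identical to the raw string, which is the property a bookmark command line needs for every feed-supplied field.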

Comment 1 Andrej Nemec 2017-08-31 13:17:53 UTC

*** This bug has been marked as a duplicate of bug 1484519 ***


Note You need to log in before you can comment on or make changes to this bug.