Subject: [ASA-201708-15] newsbeuter: arbitrary code execution

Arch Linux Security Advisory ASA-201708-15
==========================================

Severity: High
Date    : 2017-08-20
CVE-ID  : CVE-2017-12904
Package : newsbeuter
Type    : arbitrary code execution
Remote  : Yes
Link    : https://security.archlinux.org/AVG-384

Summary
=======

The package newsbeuter before version 2.9-7 is vulnerable to arbitrary
code execution.

Resolution
==========

Upgrade to 2.9-7.

# pacman -Syu "newsbeuter>=2.9-7"

The problem has been fixed upstream but no release is available yet.

Workaround
==========

Don't bookmark items.

Description
===========

Improper Neutralization of Special Elements used in an OS Command in the
bookmarking function of Newsbeuter versions 0.7 through 2.9 allows
remote attackers to perform user-assisted shell command execution by
crafting an RSS item that includes shell code in its title and/or URL.
When the user bookmarks such an item, the shell code is executed.
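The description above names the weakness class: feed-controlled strings (title, URL) are spliced into a single OS command string that a shell then parses, so metacharacters in the feed data become part of the command. The following C++ example is added here as an illustration and is not newsbeuter's own code; the `RssItem` struct, the function names, the bookmark command `echo` and the sample item are all constructed for this example. It contrasts the string-concatenation pattern (built but never executed) with the hardened form that hands each field to `execvp` as its own argv entry, so no shell ever interprets the feed data, and adds a small metacharacter check a reader can use to flag suspicious items.

```cpp
#include <iostream>
#include <string>
#include <vector>
#include <unistd.h>
#include <sys/wait.h>

// Constructed sample item (not from any real feed): the title carries '$' and ';',
// two characters /bin/sh treats specially.
struct RssItem {
    std::string url;
    std::string title;
    std::string description;
};
const RssItem kSample{"http://example.invalid/feed/1", "Price: $100; see notes", "plain"};

// Vulnerable pattern (illustrative): all fields glued into one string destined for
// popen()/system(). A single quote in a field ends the quoting, and everything after it
// is parsed by the shell as a command. This function is never executed in this example.
std::string build_shell_command(const std::string& bookmark_cmd, const RssItem& item) {
    return bookmark_cmd + " '" + item.url + "' '" + item.title + "' '" + item.description + "'";
}

// Hardened form: each field becomes exactly one argv entry; the kernel delivers them
// to the program unchanged and no shell is involved.
std::vector<std::string> build_argv(const std::string& bookmark_cmd, const RssItem& item) {
    return {bookmark_cmd, item.url, item.title, item.description};
}

// Detection helper: flag fields containing characters a POSIX shell would interpret.
bool has_shell_metachars(const std::string& s) {
    return s.find_first_of("'\"`$;|&<>()\\\n") != std::string::npos;
}

// Run argv directly with fork()+execvp() (no shell) and return the child's stdout.
std::string run_and_capture(const std::vector<std::string>& argv) {
    int fds[2];
    if (pipe(fds) != 0) return "";
    pid_t pid = fork();
    if (pid < 0) return "";
    if (pid == 0) {
        dup2(fds[1], STDOUT_FILENO);
        close(fds[0]);
        close(fds[1]);
        std::vector<char*> cargv;
        for (const auto& a : argv) cargv.push_back(const_cast<char*>(a.c_str()));
        cargv.push_back(nullptr);
        execvp(cargv[0], cargv.data());
        _exit(127);  // only reached if exec failed
    }
    close(fds[1]);
    std::string out;
    char buf[256];
    ssize_t n;
    while ((n = read(fds[0], buf, sizeof buf)) > 0) out.append(buf, static_cast<size_t>(n));
    close(fds[0]);
    int status = 0;
    waitpid(pid, &status, 0);
    return out;
}

// Bookmark the sample item with "echo" as the bookmark command: the output shows the
// title reaching the program byte-for-byte, "$100;" included, with nothing expanded.
std::string demo() {
    return run_and_capture(build_argv("echo", kSample));
}

int main() {
    std::cout << "shell string (NOT run): " << build_shell_command("echo", kSample) << "\n";
    std::cout << "title flagged: " << (has_shell_metachars(kSample.title) ? "yes" : "no") << "\n";
    std::cout << "argv exec output: " << demo();
    return 0;
}
```

The design point is that quoting inside the concatenated string is not a fix: any field may itself contain the quote character, so the only robust approach is to never build a shell command from feed data at all and to exec the bookmark program with an argument vector.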

Impact
======

A remote attacker can execute an arbitrary command on the affected host
by tricking a user into bookmarking a specially crafted RSS item.

References
==========

https://github.com/akrennmair/newsbeuter/issues/591
https://github.com/akrennmair/newsbeuter/commit/3b84203448f077dff6f83ba986f916884184852c
https://github.com/akrennmair/newsbeuter/commit/d1460189f6f810ca9a3687af7bc43feb7f2af2d9
https://groups.google.com/forum/#!topic/newsbeuter/iFqSE7Vz-DE
https://security.archlinux.org/CVE-2017-12904