Arch Linux Security Advisory ASA-201708-15 ========================================== Severity: High Date : 2017-08-20 CVE-ID : CVE-2017-12904 Package : newsbeuter Type : arbitrary code execution Remote : Yes Link : https://security.archlinux.org/AVG-384 Summary ======= The package newsbeuter before version 2.9-7 is vulnerable to arbitrary code execution. Resolution ========== Upgrade to 2.9-7. # pacman -Syu "newsbeuter>=2.9-7" The problem has been fixed upstream but no release is available yet. Workaround ========== Don't bookmark items. Description =========== An attacker can craft an RSS item with shell code in the title and/or URL. When such an item is bookmarked, the shell will execute that code. The vulnerability is triggered when bookmark-cmd is called. Impact ====== A remote attacker can execute an arbitrary command on the affected host by tricking a user into bookmarking a specially crafted RSS item. References ========== https://github.com/akrennmair/newsbeuter/issues/591 https://groups.google.com/forum/#!topic/newsbeuter/iFqSE7Vz-DE https://security.archlinux.org/CVE-2017-12904