CVE-2017-12904 log

Source	CVE Red Hat MITRE NVD Debian Ubuntu SUSE Alpine Mageia CVE Details CIRCL Bugs Arch Linux Red Hat Gentoo SUSE GitHub Lists oss-security full-disclosure bugtraq Misc GitHub code web search
Severity	High
Remote	Yes
Type	Arbitrary command execution
Description	Improper Neutralization of Special Elements used in an OS Command in bookmarking function of Newsbeuter versions 0.7 through 2.9 allows remote attackers to perform user-assisted shell command execution by crafting an RSS item that includes shell code in its title and/or URL. When the user bookmarks such item the shell code will be executed.

Group	Package	Affected	Fixed	Severity	Status	Ticket
AVG-401	newsbeuter	2.9-7	2.9-8	High	Fixed
AVG-384	newsbeuter	2.9-6	2.9-7	High	Fixed

Date	Advisory	Group	Package	Severity	Type
16 Sep 2017	ASA-201709-11	AVG-401	newsbeuter	High	arbitrary command execution
20 Aug 2017	ASA-201708-15	AVG-384	newsbeuter	High	arbitrary code execution

References
https://github.com/akrennmair/newsbeuter/issues/591 https://github.com/akrennmair/newsbeuter/commit/3b84203448f077dff6f83ba986f916884184852c https://github.com/akrennmair/newsbeuter/commit/d1460189f6f810ca9a3687af7bc43feb7f2af2d9 https://groups.google.com/forum/#!topic/newsbeuter/iFqSE7Vz-DE

References

https://github.com/akrennmair/newsbeuter/issues/591
https://github.com/akrennmair/newsbeuter/commit/3b84203448f077dff6f83ba986f916884184852c
https://github.com/akrennmair/newsbeuter/commit/d1460189f6f810ca9a3687af7bc43feb7f2af2d9
https://groups.google.com/forum/#!topic/newsbeuter/iFqSE7Vz-DE

Notes
Do not use bookmarking until you apply the fix. See the comment below for details.