[Stable Update] 2017-08-21 - newsbeuter security update

update
stable
security

#1

Summary

The package newsbeuter before version 2.9-6.97 is vulnerable to arbitrary code execution.

If you use newsbeuter you should upgrade as soon as possible, or avoid bookmarking items until you upgrade.

Resolution

Upgrade to 2.9-6.97.

# pacman -Syu "newsbeuter>=2.9-6.97"

Workaround

Don’t bookmark items.

Description

An attacker can craft an RSS item with shell commands in the title and/or URL. When such an item is bookmarked, the shell will execute those commands. The vulnerability is triggered when bookmark-cmd is called.

Impact

A remote attacker can execute an arbitrary command on the affected host by tricking a user into bookmarking a specially crafted RSS item.

References

https://github.com/akrennmair/newsbeuter/issues/591
https://groups.google.com/forum/#!topic/newsbeuter/iFqSE7Vz-DE
https://security.archlinux.org/CVE-2017-12904

Results and feedback

  • Working fine for me
  • I have an issue… (post below)


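The description above is the classic shell command injection pattern: untrusted feed fields are spliced into a command line that is handed to a shell, so a quote character in the title ends the argument early and the rest of the title is parsed as shell syntax. The following is an added example, not code from newsbeuter or from the advisory; it does not reproduce newsbeuter's real bookmark code. It assumes a hypothetical hook that hand-quotes the fields (the vulnerable pattern), shows the same hook hardened two ways (shell-quoting every field, or dropping the shell and passing an argv list), and uses a constructed feed item plus a stand-in bookmark command (`printf '%s\n'`, one line per argument) so the difference is visible in what the hook actually receives. It needs /bin/sh to run.

```python
import shlex
import subprocess
import sys

# Constructed sample feed item (not a real feed): the title carries a shell
# payload that closes the single-quoted argument, runs a command, and re-opens
# a quote so the rest of the line still parses. The URL field could carry the
# same payload; the title is used here for brevity.
CRAFTED_ITEM = {
    "url": "http://example.invalid/post/1",
    "title": "Harmless title'; echo INJECTED >&2; echo '",
}

# Stand-in for a user's bookmark-cmd (assumption: a shell command line, as a
# user would configure it). It prints each argument on its own line, so any
# extra command smuggled in shows up as an extra line or on stderr.
BOOKMARK_CMD = "printf '%s\\n'"

# Stand-in hook for the no-shell variant: an argv list, one argument per line.
BOOKMARK_ARGV = [sys.executable, "-c", "import sys; print('\\n'.join(sys.argv[1:]))"]


def build_cmdline_vulnerable(bookmark_cmd, item):
    """Hypothetical vulnerable pattern: glue untrusted fields into one shell
    string with hand-written single quotes. A quote inside the title ends the
    argument early and the remainder is interpreted as shell syntax."""
    return "{} '{}' '{}'".format(bookmark_cmd, item["url"], item["title"])


def build_cmdline_quoted(bookmark_cmd, item):
    """Hardened variant 1: keep the shell (the bookmark command is a user-written
    command line) but quote every untrusted field with shlex.quote, which wraps
    the value in single quotes and escapes embedded single quotes."""
    return " ".join([bookmark_cmd, shlex.quote(item["url"]), shlex.quote(item["title"])])


def run_via_shell(cmdline):
    """Run a command line the way a naive bookmark hook would: through /bin/sh."""
    return subprocess.run(["/bin/sh", "-c", cmdline], capture_output=True, text=True)


def run_argv(bookmark_argv, item):
    """Hardened variant 2: no shell at all. The bookmark program and its
    arguments form an argv list, so item fields can never become syntax."""
    return subprocess.run(bookmark_argv + [item["url"], item["title"]],
                          capture_output=True, text=True)


def bookmark_outcomes(item):
    """Bookmark the same item three ways and report what the hook received
    (stdout lines) and whether anything else ran (stderr)."""
    vuln = run_via_shell(build_cmdline_vulnerable(BOOKMARK_CMD, item))
    quoted = run_via_shell(build_cmdline_quoted(BOOKMARK_CMD, item))
    argv = run_argv(BOOKMARK_ARGV, item)
    return {
        "vulnerable": {"args": vuln.stdout.splitlines(), "stderr": vuln.stderr.strip()},
        "quoted": {"args": quoted.stdout.splitlines(), "stderr": quoted.stderr.strip()},
        "argv": {"args": argv.stdout.splitlines(), "stderr": argv.stderr.strip()},
    }


if __name__ == "__main__":
    for variant, result in bookmark_outcomes(CRAFTED_ITEM).items():
        print(variant, result)
```

With the crafted item, the vulnerable variant runs the injected `echo INJECTED >&2` as a separate command (it appears on stderr, and the hook only ever sees the truncated title "Harmless title"), while both hardened variants hand the full title, payload and all, to the hook as one inert argument. The argv form is the stronger fix; the shlex.quote form is the one to reach for when the hook must stay a user-configurable shell command line, as bookmark-cmd is.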

#2

Unfortunately, newsbeuter is all but completely abandoned by its author and it is suffering from very poor maintenance. Despite minoru’s best intentions, all sorts of bugs go unresolved. Some introduced by completely unnecessary code refactoring changes in the 2.9 version (like the completely unnecessary and poorly tested move to string variadic templates). From a security point of view, this application is a bit of a threat these days. And it pains me to say that my favorite rss reader is something I advise against. Just don’t use newsbeuter.

Anyways, upgrade went without any problems.


#3

This got reverted by today's update …


#4

Yep, this got reverted by my update today. newsbeuter 2.9-7 is in unstable and will now be moved to testing.


#5

2.9-7 was already in testing, so it’s now in stable too.


#6

Ok, then it is fine :wink:


#7

Your comment about the lack of maintenance of newsbeuter caused me some concern. However, today a fork, newsboat, has become available in the unstable branch. The update asked if I wished to replace newsbeuter, which I did. Functionally it is the same.

https://newsboat.org/


#8