newsbeuter before version 2.9-6.97 is vulnerable to arbitrary code execution.
If you use newsbeuter, you should upgrade as soon as possible, or avoid bookmarking items until you upgrade.
Upgrade to 2.9-6.97.
# pacman -Syu "newsbeuter>=2.9-6.97"
Don’t bookmark items.
An attacker can craft an RSS item with shell code in the title and/or URL. When such an item is bookmarked, the shell will execute that code. The vulnerability is triggered when bookmark-cmd is called.
A remote attacker can execute an arbitrary command on the affected host by tricking a user into bookmarking a specially crafted RSS item.
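The description above says feed-controlled title and URL text reaches a shell when bookmark-cmd is called. The following is an added example, not newsbeuter's code or its actual fix: it shows one standard way to neutralise such fields, single-quote escaping for POSIX sh. The names shell_quote, build_bookmark_cmdline and run_and_capture are hypothetical, and the feed fields are constructed samples.

```cpp
#include <cstdio>
#include <string>

// Hypothetical helper (not newsbeuter's code): wrap a value in single quotes
// so POSIX sh treats every byte literally; an embedded ' becomes '\''.
std::string shell_quote(const std::string& s) {
    std::string out = "'";
    for (char c : s) {
        if (c == '\'') out += "'\\''";
        else out += c;
    }
    out += "'";
    return out;
}

// Build the command line for a user-configured bookmark command, passing the
// untrusted feed fields only as quoted arguments.
std::string build_bookmark_cmdline(const std::string& bookmark_cmd,
                                   const std::string& url,
                                   const std::string& title) {
    return bookmark_cmd + " " + shell_quote(url) + " " + shell_quote(title);
}

// Run a command line through /bin/sh and return what it wrote to stdout.
std::string run_and_capture(const std::string& cmdline) {
    std::string out;
    FILE* p = popen(cmdline.c_str(), "r");
    if (!p) return out;
    char buf[256];
    size_t n;
    while ((n = fread(buf, 1, sizeof buf, p)) > 0) out.append(buf, n);
    pclose(p);
    return out;
}

int main() {
    // Constructed feed fields containing shell metacharacters.
    const std::string url = "http://example.invalid/a?x=1&y=`echo B`";
    const std::string title = "it's \"news\" $(echo A); echo C";
    // "printf '%s|%s'" stands in for bookmark-cmd and prints its two arguments.
    std::string got =
        run_and_capture(build_bookmark_cmdline("printf '%s|%s'", url, title));
    std::printf("%s\n", got.c_str());
    return got == url + "|" + title ? 0 : 1;  // 0: fields arrived unmodified
}
```

If the stand-in command receives both fields byte for byte, the shell interpreted none of the metacharacters in them.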