Source: newsbeuter
Version: 2.8-2
Severity: grave
Tags: upstream patch security
Justification: user security hole
Forwarded: https://github.com/akrennmair/newsbeuter/issues/598

Hi,

the following vulnerability was published for newsbeuter.

CVE-2017-14500[0]:
| Improper Neutralization of Special Elements used in an OS Command in
| the podcast playback function of Podbeuter in Newsbeuter 0.3 through
| 2.9 allows remote attackers to perform user-assisted code execution by
| crafting an RSS item with a media enclosure (i.e., a podcast file) that
| includes shell metacharacters in its filename, related to
| pb_controller.cpp and queueloader.cpp, a different vulnerability than
| CVE-2017-12904.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-14500
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14500
[1] https://github.com/akrennmair/newsbeuter/issues/598
[2] http://openwall.com/lists/oss-security/2017/09/16/1
[3] https://github.com/akrennmair/newsbeuter/commit/26f5a4350f3ab5507bb8727051c87bb04660f333

Regards,
Salvatore
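
Added example (not part of the original report, and neither newsbeuter's code nor its upstream fix): the bug class described above, a filename pasted into a shell command line, shown beside a POSIX single-quote escaping helper. All function names and the sample filename are hypothetical, and "printf %s" stands in for the media player so the result can be observed.

```cpp
// Added illustration; not newsbeuter/podbeuter code. All names are hypothetical.
#include <cstdio>
#include <string>

// Weak pattern: the filename is pasted into a shell command line as-is,
// so the shell interprets any metacharacters it contains.
std::string naive_command(const std::string& player, const std::string& file) {
    return player + " " + file;
}

// POSIX sh single-quote escaping: inside '...' nothing is special, and an
// embedded ' is written as '\'' (close quote, escaped quote, reopen quote).
std::string shell_quote(const std::string& arg) {
    std::string out = "'";
    for (char c : arg) {
        if (c == '\'') out += "'\\''";
        else out += c;
    }
    out += "'";
    return out;
}

// Hardened pattern: the filename reaches the shell as one quoted word.
std::string quoted_command(const std::string& player, const std::string& file) {
    return player + " " + shell_quote(file);
}

// Runs a command through /bin/sh (via popen) and returns its stdout.
std::string run_and_capture(const std::string& cmd) {
    std::string out;
    FILE* p = popen(cmd.c_str(), "r");
    if (!p) return out;
    char buf[256];
    size_t n;
    while ((n = fread(buf, 1, sizeof buf, p)) > 0) out.append(buf, n);
    pclose(p);
    return out;
}

// Constructed sample: an enclosure filename containing shell metacharacters.
const std::string kSampleFile = "ep 01; echo INJECTED; '$(echo X)'.mp3";

int main() {
    // The stand-in player echoes its argument; it must equal the filename.
    std::string seen = run_and_capture(quoted_command("printf %s", kSampleFile));
    std::printf("%s\n", seen == kSampleFile ? "filename arrived as one literal argument" : "MISMATCH");
    return seen == kSampleFile ? 0 : 1;
}
```

Quoting is the minimum when a shell has to be involved; starting the player with an argument vector (fork plus execvp) avoids shell parsing of the filename altogether.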