Your message dated Sun, 12 Mar 2023 21:04:24 +0000
with message-id <e1pbsrg-009h7l...@fasolo.debian.org>
and subject line Bug#1032822: fixed in liferea 1.14.1-1
has caused the Debian Bug report #1032822,
regarding liferea: CVE-2023-1350: RCE vulnerability on feed enrichment
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
1032822: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1032822
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: liferea
Version: 1.14.0-1
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Hi,
The following vulnerability was published for liferea.
CVE-2023-1350[0]:
| A vulnerability was found in liferea. It has been rated as critical.
| Affected by this issue is the function update_job_run of the file
| src/update.c of the component Feed Enrichment. The manipulation of the
| argument source with the input |date >/tmp/bad-item-link.txt
| leads to os command injection. The attack may be launched remotely.
| The exploit has been disclosed to the public and may be used. The name
| of the patch is 8d8b5b963fa64c7a2122d1bbfbb0bed46e813e59. It is
| recommended to apply a patch to fix this issue. The identifier of this
| vulnerability is VDB-222848.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2023-1350
https://www.cve.org/CVERecord?id=CVE-2023-1350
[1] https://github.com/lwindolf/liferea/commit/8d8b5b963fa64c7a2122d1bbfbb0bed46e813e59
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
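The advisory above says that a feed item's link, passed as the "source" argument of update_job_run when content enrichment is on, can start with "|" and is then run as a shell command. The following is an added example written for this page, not liferea's own code from src/update.c or from the referenced commit. It models that dispatch in isolation: a source classifier (the "|" command prefix is taken from the advisory's payload; the "/" local-file prefix and the http/https cases are an assumption about the source syntax), the vulnerable decision that honours every source kind, and a hardened decision that only lets a network URL through when the string came from remote feed data. The spawn itself is replaced by returning the command string, so the example runs without executing anything; the item link is constructed from the payload quoted in the advisory.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Added example, not liferea code. Source kinds assumed for the model. */
typedef enum {
    SOURCE_URL,      /* http:// or https:// : fetched over the network */
    SOURCE_COMMAND,  /* "|cmd" : cmd is run and its stdout is the content */
    SOURCE_FILE,     /* "/path" : a local file is read (assumed syntax) */
    SOURCE_OTHER     /* anything else, including empty or NULL */
} source_kind_t;

/* Case-insensitive prefix test, so "HTTP://" is still recognised as a URL. */
static bool has_prefix_ci(const char *s, const char *prefix)
{
    for (; *prefix; s++, prefix++) {
        if (*s == '\0' || tolower((unsigned char)*s) != tolower((unsigned char)*prefix))
            return false;
    }
    return true;
}

source_kind_t classify_source(const char *source)
{
    if (source == NULL || *source == '\0')
        return SOURCE_OTHER;
    if (source[0] == '|')
        return SOURCE_COMMAND;
    if (source[0] == '/')
        return SOURCE_FILE;
    if (has_prefix_ci(source, "http://") || has_prefix_ci(source, "https://"))
        return SOURCE_URL;
    return SOURCE_OTHER;
}

/* Vulnerable dispatch: every source kind is honoured no matter where the
 * string came from. For a "|cmd" source this returns the command that would
 * be handed to the shell (the spawn is left out so the example is safe to
 * run); NULL means nothing would be executed. */
const char *vulnerable_command_for(const char *source)
{
    if (classify_source(source) == SOURCE_COMMAND)
        return source + 1;   /* drop the '|' and run the remainder */
    return NULL;
}

/* Hardened policy: a source that originated in remote data (an item link
 * taken from a fetched feed) may only be a network URL. Command and file
 * sources stay available for the user's own subscriptions (from_remote
 * false), which is where such local sources are legitimately configured. */
bool source_allowed(const char *source, bool from_remote)
{
    source_kind_t kind = classify_source(source);
    if (kind == SOURCE_OTHER)
        return false;
    if (from_remote)
        return kind == SOURCE_URL;
    return true;
}

/* Hardened dispatch: same decision as above, but gated by the policy. */
const char *hardened_command_for(const char *source, bool from_remote)
{
    if (!source_allowed(source, from_remote))
        return NULL;
    return vulnerable_command_for(source);
}

int main(void)
{
    /* Constructed item link, built from the payload quoted in the advisory. */
    const char *item_link = "|date >/tmp/bad-item-link.txt";
    const char *cmd;

    cmd = vulnerable_command_for(item_link);
    printf("vulnerable path would run: %s\n", cmd ? cmd : "(nothing)");

    cmd = hardened_command_for(item_link, true);
    printf("hardened path would run:   %s\n", cmd ? cmd : "(nothing)");

    printf("remote https link allowed: %s\n",
           source_allowed("https://example.com/post/1", true) ? "yes" : "no");
    return 0;
}
```

The point of the gate is the provenance of the string, not its shape: the same "|cmd" syntax that is a feature when the user types it into a subscription dialog is a remote code execution primitive when it arrives inside somebody else's feed, so the check has to be made at the boundary where remote data becomes a source, before it reaches the generic dispatcher.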
--- Begin Message ---
Source: liferea
Source-Version: 1.14.1-1
Done: Paul Gevers <elb...@debian.org>
We believe that the bug you reported is fixed in the latest version of
liferea, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1032...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Paul Gevers <elb...@debian.org> (supplier of updated liferea package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Sun, 12 Mar 2023 21:32:33 +0100
Source: liferea
Architecture: source
Version: 1.14.1-1
Distribution: unstable
Urgency: medium
Maintainer: Paul Gevers <elb...@debian.org>
Changed-By: Paul Gevers <elb...@debian.org>
Closes: 1032822
Changes:
liferea (1.14.1-1) unstable; urgency=medium
.
* New upstream version 1.14.1
Contains fix for CVE-2023-1350 which is an RCE when the option "Extract
full content from HTML5 and Google AMP" is enabled on a feed (Closes:
#1032822)
Checksums-Sha1:
f6f42984164a2b5bdd29eb605b7bb3237cb7c51e 2014 liferea_1.14.1-1.dsc
9f2c54c502f802eba9ff90473896446576df528c 1833227 liferea_1.14.1.orig.tar.gz
f3088131dfe829f8c9e6fc967fb57d1e6b921f2c 29408 liferea_1.14.1-1.debian.tar.xz
Checksums-Sha256:
efa30e40f234a6d7ac5396331d07b1712bc04ddc0eeee2b436d77fd7039b7a1e 2014 liferea_1.14.1-1.dsc
a95bc784e313a8c9fc25284d7daa4b059933f9d96b49340b8192631e6fe7faa3 1833227 liferea_1.14.1.orig.tar.gz
3487e410214e9ec3540e430be23693a4eb1dad14cc40dc653653778049c3b8d7 29408 liferea_1.14.1-1.debian.tar.xz
Files:
996a106bff24f4e6e2e2306debc56d59 2014 web optional liferea_1.14.1-1.dsc
ac41b8ec6a4e09a8942a91d7373d6516 1833227 web optional liferea_1.14.1.orig.tar.gz
b0b75e544a4967420f61939c199ab756 29408 web optional liferea_1.14.1-1.debian.tar.xz
-----BEGIN PGP SIGNATURE-----
iQEzBAEBCAAdFiEEWLZtSHNr6TsFLeZynFyZ6wW9dQoFAmQOO6sACgkQnFyZ6wW9
dQprqwf8C56KYg7wGmsoHG+eyzlL1Ss+HOtKzyTLZ/EpPB6Meoy7NZiU9fkTaXJn
MfLpUF7aX6qn31fzV/s/1Zt2BfcxVnkAz2e2i2lqhyTst+ht/L/yg83PMKnBDbHf
JPFyQowxNDi+JkDx85v5DlyVQUVbbJCZQbnYAxbu6cgzS/3KzIUD6s+6dog4IWO4
aeEbWASLYPH/UT9H/8Vh3S5rXY5glNc2WxIodFS1+7UQWnTi3/oDDg6pzli5SY0K
xi8vSiCbiqfDSA60niO1mCA3g/EAqr94frPDJhtiuvhOJWKucYjO4ezheRi04tdy
v5kyiNECvjxFLCCBTmcmE6o+OCxpqg==
=3DOA
-----END PGP SIGNATURE-----
--- End Message ---