Source: newsbeuter
Version: 2.8-2
Severity: grave
Tags: upstream patch security
Justification: user security hole
Forwarded: https://github.com/akrennmair/newsbeuter/issues/598

Hi,

the following vulnerability was published for newsbeuter.

CVE-2017-14500[0]:
| Improper Neutralization of Special Elements used in an OS Command in
| the podcast playback function of Podbeuter in Newsbeuter 0.3 through
| 2.9 allows remote attackers to perform user-assisted code execution by
| crafting an RSS item with a media enclosure (i.e., a podcast file) that
| includes shell metacharacters in its filename, related to
| pb_controller.cpp and queueloader.cpp, a different vulnerability than
| CVE-2017-12904.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-14500
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14500
[1] https://github.com/akrennmair/newsbeuter/issues/598
[2] http://openwall.com/lists/oss-security/2017/09/16/1
[3] 
https://github.com/akrennmair/newsbeuter/commit/26f5a4350f3ab5507bb8727051c87bb04660f333

Regards,
Salvatore

Reply via email to