Package: newsbeuter / 2.9-8

23-fix-RCE-on-bookmark.patch Patch series | download
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
Description: Fix a RCE vulnerability on the bookmark command
 Newsbeuter didn't properly escape the title and description fields before
 passing them to the bookmarking program which could lead to remote code
 execution using the shells command substitution functionality (e.g. "$()", ``,
 etc)

Origin: upstream, https://github.com/akrennmair/newsbeuter/commit/96e9506ae9e252c548665152d1b8968297128307

--- newsbeuter-2.9.orig/src/controller.cpp
+++ newsbeuter-2.9/src/controller.cpp
@@ -1274,9 +1274,10 @@ std::string controller::bookmark(const s
 	std::string bookmark_cmd = cfg.get_configvalue("bookmark-cmd");
 	bool is_interactive = cfg.get_configvalue_as_bool("bookmark-interactive");
 	if (bookmark_cmd.length() > 0) {
-		std::string cmdline = utils::strprintf("%s '%s' %s %s",
+		std::string cmdline = utils::strprintf("%s '%s' '%s' '%s'",
 		                                       bookmark_cmd.c_str(), utils::replace_all(url,"'", "%27").c_str(),
-		                                       stfl::quote(title).c_str(), stfl::quote(description).c_str());
+		                                       utils::replace_all(title,"'", "%27").c_str(),
+		                                       utils::replace_all(description,"'", "%27").c_str());
 
 		LOG(LOG_DEBUG, "controller::bookmark: cmd = %s", cmdline.c_str());