ArchLinux: 201708-15: newsbeuter: arbitrary code execution
Summary
An attacker can craft an RSS item with shell code in the title and/or URL. When such an item is bookmarked, the shell will execute that code. The vulnerability is triggered when bookmark-cmd is called.
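The quoting problem described above, as an added example that is not newsbeuter's own code: the function names are hypothetical and `printf` stands in for the bookmark script. It contrasts a command line built with double quotes against one where every feed-controlled field is single-quoted before the shell sees it.

```cpp
// Added example: all names are hypothetical, not taken from newsbeuter.
#include <stdio.h>
#include <string>

// Quote one argument for a POSIX shell: wrap it in single quotes and
// rewrite each embedded ' as '\'' (close quote, escaped quote, reopen).
std::string shell_quote(const std::string& arg) {
    std::string out = "'";
    for (char c : arg) {
        if (c == '\'') out += "'\\''";
        else out += c;
    }
    return out + "'";
}

// Unsafe pattern: inside double quotes the shell still expands $(...) and `...`.
std::string build_cmdline_unsafe(const std::string& cmd, const std::string& url,
                                 const std::string& title) {
    return cmd + " \"" + url + "\" \"" + title + "\"";
}

// Hardened pattern: every feed-controlled field goes through shell_quote().
std::string build_cmdline_quoted(const std::string& cmd, const std::string& url,
                                 const std::string& title) {
    return cmd + " " + shell_quote(url) + " " + shell_quote(title);
}

// Run a command line through /bin/sh, as popen()/system() do, and capture stdout.
std::string run_sh(const std::string& cmdline) {
    std::string out;
    FILE* p = popen(cmdline.c_str(), "r");
    if (!p) return out;
    char buf[256];
    size_t n;
    while ((n = fread(buf, 1, sizeof buf, p)) > 0) out.append(buf, n);
    pclose(p);
    return out;
}

int main() {
    // Constructed feed fields; the title carries a harmless command substitution.
    const std::string url = "https://example.org/a?b=1&c=2";
    const std::string title = "It's $(echo EXPANDED) `echo TOO`";
    // printf stands in for the bookmark script and echoes its two arguments.
    const std::string cmd = "printf '%s|%s'";
    printf("unsafe: %s\n", run_sh(build_cmdline_unsafe(cmd, url, title)).c_str());
    printf("quoted: %s\n", run_sh(build_cmdline_quoted(cmd, url, title)).c_str());
    return 0;
}
```

Passing the fields as separate `argv` entries to an `exec`-family call, with no shell involved, removes the need for quoting altogether.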
Resolution
Upgrade to 2.9-7.
# pacman -Syu "newsbeuter>=2.9-7"
The problem has been fixed upstream but no release is available yet.
References
https://github.com/akrennmair/newsbeuter/issues/591
https://groups.google.com/forum/#!topic/newsbeuter/iFqSE7Vz-DE
https://security.archlinux.org/CVE-2017-12904
Workaround
Don't bookmark items.