Arch Linux: ASA-201708-15 High: Newsbeuter Remote Command Execution

Arch Linux Security Advisory ASA-201708-15
=========================================
Severity: High
Date    : 2017-08-20
CVE-ID  : CVE-2017-12904
Package : newsbeuter
Type    : arbitrary code execution
Remote  : Yes
Link    : https://security.archlinux.org/AVG-384

Summary
======
The package newsbeuter before version 2.9-7 is vulnerable to arbitrary
code execution.

Resolution
=========
Upgrade to 2.9-7.

# pacman -Syu "newsbeuter>=2.9-7"

The problem has been fixed upstream but no release is available yet.

Workaround
=========
Don't bookmark items.

Description
==========
An attacker can craft an RSS item with shell code in the title and/or
URL. When such an item is bookmarked, the shell will execute that code.
The vulnerability is triggered when bookmark-cmd is called.

Impact
=====
A remote attacker can execute an arbitrary command on the affected host
by tricking a user into bookmarking a specially crafted RSS item.

References
=========
https://github.com/akrennmair/newsbeuter/issues/591
https://groups.google.com/forum/#!topic/newsbeuter/iFqSE7Vz-DE
https://security.archlinux.org/CVE-2017-12904