Explore top 10 tips to secure your open-source projects now. Read More

×
Alerts This Week
Warning Icon 1 439
Alerts This Week
Warning Icon 1 439

Gentoo: GLSA-201803-04 Normal: Newsbeuter Remote Shell Command Execution

gentoo
Calendar Grey March 11, 2018
Dist Gentoo Esm H88
A security vulnerability in Newsbeuter allows external actors to run shell scripts remotely. Explore the advisory for updates and the possible repercussions of this issue
A vulnerability in Newsbeuter may allow remote attackers to execute arbitrary shell commands.

Summary

Newsbeuter does not properly escape shell meta-characters in an RSS item with a media enclosure in the podcast playback function of Podbeuter.

Resolution

Gentoo has discontinued support for Newsbeuter and recommends that users unmerge the package: # emerge --unmerge "net-news/newsbeuter"


References

[ 1 ] CVE-2017-14500 https://nvd.nist.gov/vuln/detail/CVE-2017-14500

Availability

This GLSA and any updates to it are available for viewing at the Gentoo Security Website: https://security.gentoo.org/glsa/201803-04
style>.gentoo_availability{display:block;}

Concerns

Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org.

Severity: Normal
Title: Newsbeuter: User-assisted execution of arbitrary code
Date: March 11, 2018
Bugs: #631150
ID: 201803-04

Synopsis

A vulnerability in Newsbeuter may allow remote attackers to execute arbitrary shell commands.

Background

Newsbeuter is a RSS/Atom feed reader for the text console.

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.

Affected Packages

------------------------------------------------------------------- Package / Vulnerable / Unaffected ------------------------------------------------------------------- 1 net-news/newsbeuter <= 2.9-r3 Vulnerable! ------------------------------------------------------------------- NOTE: Certain packages are still vulnerable. Users should migrate to another package if one is available or wait for the existing packages to be marked stable by their architecture maintainers.

Impact

===== A remote attacker, by enticing a user to open a feed with a specially crafted media enclosure, could possibly execute arbitrary shell commands with the privileges of the user running the application.

Workaround

There is no known workaround at this time.