RCE vulnerability in Liferea feed enrichment and discovery

Bug #2011012 reported by Alexandre Erwin Ittner
Affects            Status        Importance  Assigned to  Milestone
liferea (Debian)   Fix Released  Unknown     -            -
liferea (Ubuntu)   New           Undecided   Unassigned   -

Bug Description

Liferea packages available in all currently supported versions of Ubuntu have two related remote code execution vulnerabilities that allow malicious websites to run arbitrary commands on the target system.

I found them when debugging a failure that caused the feed enrichment feature to save the results incorrectly, then informed upstream privately and sent two tentative patches. They are both in the upstream master branch now (https://github.com/lwindolf/liferea/ , commits 8d8b5b963fa64c7a2122d1bbfbb0bed46e813e59 and 1981e1e161cde4896592ebca40fa3b115f0053ef).

These patches need backporting; I'm a bit short on time, but I'm working with upstream on this.

--- Affected versions ---

liferea/bionic 1.12.2-1
liferea/focal 1.12.7-1build1
liferea/jammy 1.13.7-2build1
liferea/kinetic 1.13.9-1
liferea/lunar 1.14.0-1

--- Detailed description and PoC ---

Both failures happen when Liferea ends up accepting command feeds from a malicious website and runs them locally, with the same privileges as the current user. The entry points, however, are different:

- The first one can itself be triggered in two different ways (does it count as three bugs? Not sure, but it's the same fix) and happens when using the feed enrichment feature, both from HTML5 and from AMP. Trying to run it after the option "Extract full content from HTML5 and Google AMP" is enabled in a subscription that produces this item:

    <item>
      <title>Check /tmp/bad-item-link.txt</title>
      <link>|date &gt;/tmp/bad-item-link.txt</link>
    </item>

will cause Liferea to call update_request_new on URL "|date >/tmp/bad-item-link.txt" and then blindly run the command. A similar effect happens when running the feed enrichment on an item that links to a document like this:

    <!DOCTYPE html>
    <html>
     <head>
      <title>AMP URL RCE PoC</title>
      <link rel="amphtml" href="|date &gt; /tmp/bad-amp-url.txt">
     </head>
     <body>
         Check the results in /tmp/bad-amp-url.txt
     </body>
    </html>

once Liferea tries to load the AMP URL. There are detailed instructions and demos in the directory "feed-enrichment-poc" from the poc tarball. My patch just locks the command feeds feature behind a non-persistent flag in the update functions, so it must be enabled for every request. It will also protect against this failure in other uses where command feeds are not expected. This seemed better than putting it in the updateOptions, as these are typically copied for downloading other documents related to the feed.

- The second one happens on feed discovery when the site returns a document like this:

    <!DOCTYPE html>
    <html>
     <head>
      <title>Feed auto-discovery RCE PoC</title>
      <link rel="alternate" type="application/rss+xml" href="|date &gt;/tmp/bad-feed-discovery.txt">
     </head>
     <body>
     Oooops.
     </body>
    </html>

The sequence of the failure is a bit tricky and is ultimately caused by the libxml2 functions xmlURIEscape and xmlBuildURI failing to handle URL parts with special characters (like "|") and the LF functions common_uri_escape and common_build_url coping with that by returning a copy of the original string. There is a demo for it in the directory "feed-discovery-poc/" from the poc tarball.
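A defender-side sketch of the mitigation described in this report (an added example, not Liferea's code and not either upstream commit): links pulled from untrusted feed or HTML content are classified before they reach the updater, and a "|"-prefixed command feed is only honoured when the caller opts in for that one request. The names classify_link and request_allowed are hypothetical.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Hypothetical helper, not Liferea's code: classify a link taken from
 * untrusted feed or HTML content before it reaches the updater. */
typedef enum { LINK_HTTP, LINK_COMMAND, LINK_REJECT } link_kind;

static bool has_prefix_ci(const char *s, const char *p)
{
    return strncasecmp(s, p, strlen(p)) == 0;
}

link_kind classify_link(const char *url)
{
    if (url == NULL || *url == '\0')
        return LINK_REJECT;
    /* A leading '|' is Liferea's command-feed syntax: "|cmd" runs cmd. */
    if (url[0] == '|')
        return LINK_COMMAND;
    if (!has_prefix_ci(url, "http://") && !has_prefix_ci(url, "https://"))
        return LINK_REJECT;          /* file:, javascript:, bare paths ... */
    /* Reject whitespace and control characters anywhere in the URL. An
     * escaper that fails open by returning its input unchanged would
     * otherwise pass such strings through untouched. */
    for (const unsigned char *c = (const unsigned char *)url; *c; c++)
        if (isspace(*c) || iscntrl(*c))
            return LINK_REJECT;
    return LINK_HTTP;
}

/* Model of the fix the report describes: command feeds are honoured only
 * when the caller explicitly enables them for this particular request. */
bool request_allowed(const char *url, bool allow_commands)
{
    switch (classify_link(url)) {
    case LINK_HTTP:    return true;
    case LINK_COMMAND: return allow_commands;
    default:           return false;
    }
}

int main(void)
{
    const char *hostile = "|date >/tmp/bad-item-link.txt"; /* link from the PoC above */
    printf("enrichment/discovery: %s\n", request_allowed(hostile, false) ? "RUN" : "blocked");
    printf("user's own command feed: %s\n", request_allowed(hostile, true) ? "RUN" : "blocked");
    return 0;
}
```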

Revision history for this message
Alexandre Erwin Ittner (aittner) wrote :

Private Security → Public Security: Information about the vulnerability is already published in GH, etc. No need to keep this private.

Also link to CVE-2023-1350

information type: Private Security → Public Security
Revision history for this message
Marc Deslauriers (mdeslaur) wrote :

Thanks for taking the time to report this bug and helping to make Ubuntu better. Since the package referred to in this bug is in universe or multiverse, it is community maintained. If you are able, I suggest coordinating with upstream and posting a debdiff for this issue. When a debdiff is available, members of the security team will review it and publish the package. See the following link for more information: https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures

tags: added: community-security
Changed in liferea (Debian):
status: Unknown → Fix Released