Ubuntu
newsbeuter package

[CVE-2008-3907] Arbitrary code execution by crafted item URLs

Bug #275019 reported by William Grant on 2008-09-27

256

	Status	Importance	Assigned to
newsbeuter (Ubuntu)	Fix Released	High	William Grant
Hardy	Fix Released	High	William Grant
Intrepid	Fix Released	High	William Grant

Bug Description

Binary package hint: newsbeuter

"The open-in-browser command in newsbeuter before 1.1 allows remote attackers to execute arbitrary commands via shell metacharacters in a feed URL."

I've requested a sync for Intrepid, and am preparing a patch for Hardy.

CVE References

2008-3907

William Grant (wgrant) on 2008-09-27

Changed in newsbeuter:
assignee:	nobody → wgrant
importance:	Undecided → High
status:	New → In Progress
assignee:	nobody → wgrant
importance:	Undecided → High
status:	New → Triaged

Revision history for this message

William Grant (wgrant) wrote on 2008-09-27:

hardy debdiff Edit (1.6 KiB, text/plain)

Here's the Hardy debdiff. Everything works, except the exploit.

Changed in newsbeuter:
status:	Triaged → In Progress

Revision history for this message

Jamie Strandboge (jdstrand) wrote on 2008-09-29:

Thanks for the patch! Processing the hardy debdiff today.

Jamie Strandboge (jdstrand) on 2008-09-29

Changed in newsbeuter:
status:	In Progress → Fix Committed

Revision history for this message

Jamie Strandboge (jdstrand) wrote on 2008-09-29:

0.9.1-1+lenny3 is in Intrepid now, and contains the patch to view.cpp

Changed in newsbeuter:
status:	In Progress → Fix Released

Revision history for this message

Jamie Strandboge (jdstrand) wrote on 2008-09-30:

newsbeuter (0.7-1ubuntu0.1) hardy-security; urgency=low

  * SECURITY UPDATE: arbitrary code execution via crafted item URLS.
    - src/view.cpp: Escape single quotes in item URLs. Fixes arbitrary
      code execution. Patch from Debian.
    - References:
      + CVE-2008-3907