GLSA
Advocate
Joined: 12 May 2004
Posts: 2663
|
 Posted: Mon Sep 22, 2008 8:26 pm Post subject: [ GLSA 200809-12 ] Newsbeuter: User-assisted execution of ar |
 |
|
Gentoo Linux Security Advisory
Title: Newsbeuter: User-assisted execution of arbitrary code (GLSA 200809-12)
Severity: normal
Exploitable: remote
Date: September 22, 2008
Bug(s): #236506
ID: 200809-12
Synopsis
Insufficient input validation in newsbeuter may allow remote attackers to execute arbitrary shell commands.
Background
Newsbeuter is a RSS/Atom feed reader for the text console.
Affected Packages
Package: net-news/newsbeuter
Vulnerable: < 1.2
Unaffected: >= 1.2
Architectures: All supported architectures
Description
J.H.M. Dassen reported that the open-in-browser command does not properly escape shell metacharacters in the URL before passing it to system().
Impact
A remote attacker could entice a user to open a feed with specially crafted URLs, possibly resulting in the remote execution of arbitrary shell commands with the privileges of the user running the application.
Workaround
There is no known workaround at this time.
Resolution
All Newsbeuter users should upgrade to the latest version: | Code: | # emerge --sync
# emerge --ask --oneshot --verbose ">=net-news/newsbeuter-1.2" |
References
CVE-2008-3907 |
|
News & Announcements
