CVE-2017-12904

Name: CVE-2017-12904
Description: Improper Neutralization of Special Elements used in an OS Command in bookmarking function of Newsbeuter versions 0.7 through 2.9 allows remote attackers to perform user-assisted code execution by crafting an RSS item that includes shell code in its title and/or URL.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SuSE, Mageia, GitHub code/issues, web search, more)
References: DLA-1061-1, DSA-3947-1
NVD severity: high (attack range: remote)

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package      Release                        Version          Status
newsbeuter (PTS)    wheezy                         2.5-2+deb7u1     vulnerable
                    wheezy (security)              2.5-2+deb7u3     fixed
                    jessie                         2.8-2            vulnerable
                    jessie (security)              2.8-2+deb8u2     fixed
                    stretch (security), stretch    2.9-5+deb9u2     fixed
                    buster, sid                    2.9-7            fixed

The information below is based on the following data on fixed versions.

Package     Type    Release     Fixed Version   Urgency  Origin      Debian Bugs
newsbeuter  source  (unstable)  2.9-6           high
newsbeuter  source  jessie      2.8-2+deb8u1    high     DSA-3947-1
newsbeuter  source  stretch     2.9-5+deb9u1    high     DSA-3947-1
newsbeuter  source  wheezy      2.5-2+deb7u2    high     DLA-1061-1

Notes

https://github.com/akrennmair/newsbeuter/issues/591
https://github.com/akrennmair/newsbeuter/commit/96e9506ae9e252c548665152d1b8968297128307
