CVE-2017-12904

Name: CVE-2017-12904
Description: Improper Neutralization of Special Elements used in an OS Command in bookmarking function of Newsbeuter versions 0.7 through 2.9 allows remote attackers to perform user-assisted code execution by crafting an RSS item that includes shell code in its title and/or URL.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
References: DLA-1061-1, DSA-3947-1

Vulnerable and fixed packages

The table below lists information on source packages.

| Source Package | Release | Version | Status |
|---|---|---|---|
| newsbeuter (PTS) | buster | 2.9-8 | fixed |

The information below is based on the following data on fixed versions.

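| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| newsbeuter | source | wheezy | 2.5-2+deb7u2 | | DLA-1061-1 | |
| newsbeuter | source | jessie | 2.8-2+deb8u1 | | DSA-3947-1 | |
| newsbeuter | source | stretch | 2.9-5+deb9u1 | | DSA-3947-1 | |
| newsbeuter | source | (unstable) | 2.9-6 | | | |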

Notes

https://github.com/akrennmair/newsbeuter/issues/591
https://github.com/akrennmair/newsbeuter/commit/96e9506ae9e252c548665152d1b8968297128307
