CVE-2017-14500

Name	CVE-2017-14500
Description	Improper Neutralization of Special Elements used in an OS Command in the podcast playback function of Podbeuter in Newsbeuter 0.3 through 2.9 allows remote attackers to perform user-assisted code execution by crafting an RSS item with a media enclosure (i.e., a podcast file) that includes shell metacharacters in its filename, related to pb_controller.cpp and queueloader.cpp, a different vulnerability than CVE-2017-12904.
Source	CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
References	DLA-1104-1, DSA-3977-1
Debian Bugs	876004

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Origin	Debian Bugs
newsbeuter	source	wheezy	2.5-2+deb7u3	DLA-1104-1
newsbeuter	source	jessie	2.8-2+deb8u2	DSA-3977-1
newsbeuter	source	stretch	2.9-5+deb9u2	DSA-3977-1
newsbeuter	source	(unstable)	2.9-7		876004

Notes

http://openwall.com/lists/oss-security/2017/09/16/1
newsbeuter-2.9.x: https://github.com/akrennmair/newsbeuter/commit/26f5a4350f3ab5507bb8727051c87bb04660f333
master: https://github.com/akrennmair/newsbeuter/commit/c8fea2f60c18ed30bdd1bb6f798e994e51a58260
https://github.com/akrennmair/newsbeuter/issues/598