Debian Bug report logs -
#876004
newsbeuter: CVE-2017-14500: Podbeuter podcast fetcher: remote code execution
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Nikos Tsipinakis <nikos@tsipinakis.com>:
Bug#876004; Package src:newsbeuter.
(Sun, 17 Sep 2017 09:27:04 GMT) (full text, mbox, link).
Acknowledgement sent
to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Nikos Tsipinakis <nikos@tsipinakis.com>.
(Sun, 17 Sep 2017 09:27:04 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Source: newsbeuter
Version: 2.8-2
Severity: grave
Tags: upstream patch security
Justification: user security hole
Forwarded: https://github.com/akrennmair/newsbeuter/issues/598
Hi,
the following vulnerability was published for newsbeuter.
CVE-2017-14500[0]:
| Improper Neutralization of Special Elements used in an OS Command in
| the podcast playback function of Podbeuter in Newsbeuter 0.3 through
| 2.9 allows remote attackers to perform user-assisted code execution by
| crafting an RSS item with a media enclosure (i.e., a podcast file) that
| includes shell metacharacters in its filename, related to
| pb_controller.cpp and queueloader.cpp, a different vulnerability than
| CVE-2017-12904.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2017-14500
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14500
[1] https://github.com/akrennmair/newsbeuter/issues/598
[2] http://openwall.com/lists/oss-security/2017/09/16/1
[3] https://github.com/akrennmair/newsbeuter/commit/26f5a4350f3ab5507bb8727051c87bb04660f333
Regards,
Salvatore
Reply sent
to Nikos Tsipinakis <nikos@tsipinakis.com>:
You have taken responsibility.
(Mon, 18 Sep 2017 16:06:24 GMT) (full text, mbox, link).
Notification sent
to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer.
(Mon, 18 Sep 2017 16:06:24 GMT) (full text, mbox, link).
Message #10 received at 876004-close@bugs.debian.org (full text, mbox, reply):
Source: newsbeuter
Source-Version: 2.9-7
We believe that the bug you reported is fixed in the latest version of
newsbeuter, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 876004@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Nikos Tsipinakis <nikos@tsipinakis.com> (supplier of updated newsbeuter package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sun, 17 Sep 2017 22:28:04 +0300
Source: newsbeuter
Binary: newsbeuter
Architecture: source
Version: 2.9-7
Distribution: unstable
Urgency: high
Maintainer: Nikos Tsipinakis <nikos@tsipinakis.com>
Changed-By: Nikos Tsipinakis <nikos@tsipinakis.com>
Closes: 876004
Description:
newsbeuter - text mode rss feed reader with podcast support
Changes:
newsbeuter (2.9-7) unstable; urgency=high
.
* Fix CVE-2017-14500 (Closes: #876004)
* Update copyright year
* Bump standards to 4.0.1
+ Updated copyright-format URL to https as per policy 4.0.0
* Dropped version contraint in libstfl-dev dependency (No older versions in
the archive
Checksums-Sha1:
86a9ccb115886494c2c3802f594df9f3886358b8 2038 newsbeuter_2.9-7.dsc
09e0039ccaa3d017414b319189f822e5450efda4 27540 newsbeuter_2.9-7.debian.tar.xz
Checksums-Sha256:
8657054a88622747404c8ab85897f63905031acebb7392152c99e88d482a500a 2038 newsbeuter_2.9-7.dsc
46c7a13a3cdcf7fc6952704478c29b65f312b930d355fd952b89f49ffd00946f 27540 newsbeuter_2.9-7.debian.tar.xz
Files:
d9109a2a19bf0c50fa54aea88b219455 2038 net optional newsbeuter_2.9-7.dsc
296609f85de652688f120cc52b3e8025 27540 net optional newsbeuter_2.9-7.debian.tar.xz
-----BEGIN PGP SIGNATURE-----
iQKTBAEBCgB9FiEE0eExbpOnYKgQTYX6uzpoAYZJqgYFAlm/6+xfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEQx
RTEzMTZFOTNBNzYwQTgxMDREODVGQUJCM0E2ODAxODY0OUFBMDYACgkQuzpoAYZJ
qgZy4BAAqDwpspusrSkn2M9SKqyHqLjydJpfI387gcCVATVfUBvzJHDKEFDbRLqZ
ISo6OvBTzX9jEF4/jBARzVh40hxg1EDQKtDSDKmoi3rPDQ/oBaPAWKFSwLnfUX4I
PbQDCV4VzOoAwyxxloeCib4KucMYcQS+gxUeWpZ/+1hEb7PEIZt9AT1f3Yt88vuP
2HqMKZWfWbVo6W47xag445uQuiAj5iw0ng3cJ7ztSlEd8uYtNCPTGtR8KoJ1J42E
jx7ueMNtfNOOtDXnN0Ka0YkJZ2n08emJz/qARmMJi1O062Phfdg8Ztv5BRFdMBIG
gYIScecpHFaqeSCjPBVGPrjiITSQWcQQcFdvapL8+2VYla4+mRqI07CBa2y/ehH3
8DJ95/Mowr4sqA0Ag0g9Er6ZAGOIthGXH7lb9rnv3cCUiDLhW/ERuIJLcTSXhM6E
02SXbv3hwQKGmmQSrCrMNm084nspiv9XYhCo63Qc6qtheQbk78ceLdsWLoHdukSX
0bR83OM1K9R4E5ifRGvIcv66hMWYibFAzRbzLhRSruCBI/80O3KivRVJAK5EX+x4
atn7R74riCO+DFck6W3ewV+kc6cX1QEDQcSyOAMdoZPcr2V9//UedXVERfK6rsyh
z0VacjGOzYdma0PeiLNglRop/rLycXfIjs5f0WmczxROlLNryBw=
=VFZm
-----END PGP SIGNATURE-----
Reply sent
to Salvatore Bonaccorso <carnil@debian.org>:
You have taken responsibility.
(Sat, 23 Sep 2017 10:06:35 GMT) (full text, mbox, link).
Notification sent
to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer.
(Sat, 23 Sep 2017 10:06:35 GMT) (full text, mbox, link).
Message #15 received at 876004-close@bugs.debian.org (full text, mbox, reply):
Source: newsbeuter
Source-Version: 2.9-5+deb9u2
We believe that the bug you reported is fixed in the latest version of
newsbeuter, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 876004@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated newsbeuter package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sun, 17 Sep 2017 14:58:20 +0200
Source: newsbeuter
Binary: newsbeuter
Architecture: source
Version: 2.9-5+deb9u2
Distribution: stretch-security
Urgency: high
Maintainer: Nikos Tsipinakis <nikos@tsipinakis.com>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Closes: 876004
Description:
newsbeuter - text mode rss feed reader with podcast support
Changes:
newsbeuter (2.9-5+deb9u2) stretch-security; urgency=high
.
* Non-maintainer upload by the Security Team.
* Work around shell code in podcast names (CVE-2017-14500)
Remote code execution in podbeuter. (Closes: #876004)
Checksums-Sha1:
ef25279e5d1615f2eaf54c0b08d2a4789a1bcb16 2101 newsbeuter_2.9-5+deb9u2.dsc
c5dfa057bfff21892155a7744fd02c3318815ab4 26264 newsbeuter_2.9-5+deb9u2.debian.tar.xz
Checksums-Sha256:
b280354f47c5001cf8ff821ad1988333872ea096b2bcc82d12836a53ffc7e93a 2101 newsbeuter_2.9-5+deb9u2.dsc
0e7e0be698b887c5a4c9533430ba0d9303912f1ae00b4e93acfe11bb245f7013 26264 newsbeuter_2.9-5+deb9u2.debian.tar.xz
Files:
27612b469ab355dbc8f6184173c16774 2101 net optional newsbeuter_2.9-5+deb9u2.dsc
08b95c582abca0e4d428352cccaf920b 26264 net optional newsbeuter_2.9-5+deb9u2.debian.tar.xz
-----BEGIN PGP SIGNATURE-----
iQKmBAEBCgCQFiEERkRAmAjBceBVMd3uBUy48xNDz0QFAlm+fgVfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2
NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQSHGNhcm5pbEBk
ZWJpYW4ub3JnAAoJEAVMuPMTQ89EuPYP/Ar4g2xiQCgyBbFjSLFKx13YJNjdSBzH
wkrxU4Cfa3rgmYrSdmsSqLSWs1edHzqh4qb3PmkH9NG0pGu8naOXdmNwYC8acivz
NyangcX0N0f1e9KmSJLuqo+2859JwBr7oKbtUxZzih/ODbvylj5HIF1QjUoc6O1g
wTAvK93VULyKMY8VF38SYyFQ1mUi1Hi/kfcoLYk9+fV8tTcBt7n0DVd9dvoJxQJH
UToBa/58NkkvdhbF49a7aNSRNtmps4sNZtKp3CB4iZwsIG2OboKlWu4Uvs7yUP3o
R/h//htEliDQCN7YurCqKLU0PYYovLasZR+k64yrrVNt+iXY/3CUUVnzb9QlNee3
6ZNqrYQNWgB0wxXFzH0rG3X4XXB39yfZ8Igc94ULysm3faina0FwZEOPPmHITClF
Vqm+gD/zlnykMzZdMgi12clygoNwyw6uSwR/Rm0MqEr/h7/SZEvBTpUI2banelbp
ddDvQWQVDhQnUXLsltdkG4NuWCUcMaGCVj/HY6oD0bCVL1hK9UrCJXTd5xywxtR1
khAmybXcJ6wiGG8bXSmFeR+1SgN12VBmmIqS5+CDbsjcY753beytyhu/+SFSqp/z
Ut829pQwwUDFIxo6/hPPFe8J2Xlehbs6rG44bxX/eUl8ead59bzn5kHCw/BgxeoJ
HfaVbxjmo+vq
=kAB/
-----END PGP SIGNATURE-----
Reply sent
to Salvatore Bonaccorso <carnil@debian.org>:
You have taken responsibility.
(Sat, 23 Sep 2017 11:36:18 GMT) (full text, mbox, link).
Notification sent
to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer.
(Sat, 23 Sep 2017 11:36:18 GMT) (full text, mbox, link).
Message #20 received at 876004-close@bugs.debian.org (full text, mbox, reply):
Source: newsbeuter
Source-Version: 2.8-2+deb8u2
We believe that the bug you reported is fixed in the latest version of
newsbeuter, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 876004@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated newsbeuter package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sun, 17 Sep 2017 16:55:08 +0200
Source: newsbeuter
Binary: newsbeuter newsbeuter-dbg
Architecture: source
Version: 2.8-2+deb8u2
Distribution: jessie-security
Urgency: high
Maintainer: Nico Golde <nion@debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Closes: 876004
Description:
newsbeuter - text mode rss feed reader with podcast support
newsbeuter-dbg - debugging symbols for newsbeuter
Changes:
newsbeuter (2.8-2+deb8u2) jessie-security; urgency=high
.
* Non-maintainer upload by the Security Team.
* Work around shell code in podcast names (CVE-2017-14500)
Remote code execution in podbeuter. (Closes: #876004)
Checksums-Sha1:
0cb92bcc9e7d325369b878af0681560f4dd0a6c2 2082 newsbeuter_2.8-2+deb8u2.dsc
dd95126da1a52eb34447a7e5783651799095b046 7632 newsbeuter_2.8-2+deb8u2.debian.tar.xz
Checksums-Sha256:
907af9c8f1503d5cc2e004a34122e5efa106ba64c0296dedb97beaf71637c23d 2082 newsbeuter_2.8-2+deb8u2.dsc
3835384ce14a4039bfb44e724cd54da6f1c8782257eb072175b9d37f0078a35c 7632 newsbeuter_2.8-2+deb8u2.debian.tar.xz
Files:
8d2d56cde178654e225e1068a711332c 2082 net optional newsbeuter_2.8-2+deb8u2.dsc
3e5ecf0f0c192d77f054b2a6e4558391 7632 net optional newsbeuter_2.8-2+deb8u2.debian.tar.xz
-----BEGIN PGP SIGNATURE-----
iQKmBAEBCgCQFiEERkRAmAjBceBVMd3uBUy48xNDz0QFAlm+jqVfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2
NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQSHGNhcm5pbEBk
ZWJpYW4ub3JnAAoJEAVMuPMTQ89EhFwP/1LeR+AWjxf2O0QnqeXHHRAOE3rxk/u7
a3xtOLSzHYvJJcfuI0TwPz5oHHJ1o+Dk3pe342hHvwnalpxgCUqcf+bd/r81koll
rd62yNen8fdNpczOdlJNLTwty5Ur1S28igChBxSYIZewFpKirm2O6LQQGbQZugEo
tB+mNgVz3tlbRDGZuOhsS/Td0PU20ZZp/ERaZ8TxKJ9OfniZfzG72y9wOJH+BM3K
ZIboObF1LEj53y9j/7lrb/EY7Z+zax9eDIx8lzHFUbDvixMoFCc8scfhrMMX7LtD
B0UuIQtXnZ48gSZDA2BSy2KNz1vRE6EiNLfAjL81gUfj5AJOGuXf93bTO46PQo6B
6zhx3U/CMhKEVxVd3EfQ2NwNtHvVd3equoDzlO/DDfN81n+V9aGi/0IGRfO0hJlK
SjZW+0gjB7pjcynyKrRkv0EXbdLv87LbIJdYJyeE6WIwDk5rm6LYtBvDPbD3Qc6m
so6WIJ6NaVbkq8EXoo+ylcNpJW5xTGgy87AniI0tfX6q0xzMq8CnYKj2ZHDYRYST
MWMXZ8PiV8C4n5LQoAmJHQKuN2JCO2alv/ZBY+tInOKQseQnOiMuVkRvMnD8YCWa
+J4AZFv3eOk4va5t6mDw1cP8agqQJwgI0JBdR3gbtRYcTxMvOlyEYgmqkJDe7Mjb
UwBtjLdd0i8m
=5P++
-----END PGP SIGNATURE-----
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Sun, 22 Oct 2017 07:25:41 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Wed Jun 19 13:36:45 2019;
Machine Name:
buxtehude
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.
Vulmon