Dear users,
Jeriko One discovered a vulnerability that allows a remote attacker to
execute arbitrary code on your computer.
An attacker can craft an RSS item with shell code in the title and/or
URL. When you bookmark such an item, your shell will execute that code.
The vulnerability is triggered when `bookmark-cmd` is called; if you
abort bookmarking before that, you're safe.
Newsbeuter versions 0.7 through 2.9 are affected.
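To make the failure mode concrete, here is an added C++ example (not Newsbeuter's code and not the change in the fix commit linked below): it builds a `bookmark-cmd` line the naive way and with proper single-quoting, then splits both the way a POSIX shell would, using a simplified model that handles only whitespace, single quotes, backslash escapes and `;`. The command name `bm`, the URL and the title are constructed sample values.

```cpp
#include <cstdio>
#include <string>
#include <vector>

// Quote s as one shell word: wrap in single quotes, embedded ' -> '\'' .
std::string shell_single_quote(const std::string& s) {
    std::string out = "'";
    for (char c : s) out += (c == '\'') ? "'\\''" : std::string(1, c);
    return out + "'";
}

// Vulnerable shape: raw fields between fixed quotes. One apostrophe in the
// title ends the quote and the rest of the title becomes shell syntax.
std::string cmdline_unquoted(const std::string& cmd, const std::string& url,
                             const std::string& title) {
    return cmd + " '" + url + "' '" + title + "'";
}

// Hardened shape: every untrusted field is quoted before concatenation.
std::string cmdline_quoted(const std::string& cmd, const std::string& url,
                           const std::string& title) {
    return cmd + " " + shell_single_quote(url) + " " + shell_single_quote(title);
}

// Simplified model of sh word splitting (whitespace, single quotes, backslash
// escapes and ';' separators only; not a full shell parser).
struct Split { std::vector<std::string> words; int separators = 0; };

Split split_like_sh(const std::string& line) {
    Split r; std::string cur; bool in_word = false, quoted = false, esc = false;
    for (char c : line) {
        if (quoted) { if (c == '\'') quoted = false; else cur += c; continue; }
        if (esc) { cur += c; in_word = true; esc = false; continue; }
        if (c == '\\') { esc = true; continue; }
        if (c == '\'') { quoted = true; in_word = true; continue; }
        if (c == ' ' || c == '\t' || c == ';') {
            if (in_word) { r.words.push_back(cur); cur.clear(); in_word = false; }
            if (c == ';') ++r.separators;
            continue;
        }
        cur += c; in_word = true;
    }
    if (in_word) r.words.push_back(cur);
    return r;
}

int main() {  // prints both forms for a constructed sample title
    std::puts(cmdline_unquoted("bm", "http://example.invalid/", "x'; echo hi; '").c_str());
    std::puts(cmdline_quoted("bm", "http://example.invalid/", "x'; echo hi; '").c_str());
}
```

The quoted form always yields exactly three words and no separators whatever the title contains; avoiding the shell entirely and passing the fields as separate argv entries to `execvp` is safer still.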
Workaround
==========
First of all, set `bookmark-autopilot` to `no` (that's the default).
This gives you a chance to review inputs before executing your
`bookmark-cmd`.
Second, when bookmarking items, pay close attention to titles and URLs.
I can't possibly teach you how to recognize shell code in just a few
paragraphs, so if unsure, just don't bookmark the thing.
Resolution
==========
A fix has already been pushed to our Git repository:
https://github.com/akrennmair/newsbeuter/commit/96e9506ae9e252c548665152d1b8968297128307
I managed to get in touch with maintainers in AUR, Debian, FreeBSD and
Gentoo, so if you're running one of those, an update should arrive soon.
If you're running something else, I encourage you to find out who
maintains Newsbeuter for your distribution, contact them and point to
the aforementioned commit. They'll know what to do.
Call to security researchers
============================
If you discover a vulnerability, please disclose it to me privately at
eua...@gmail.com, preferably encrypting the message for PGP key
356961A20C8BFD03.
--
Regards,
Alexander Batischev
PGP key 356961A20C8BFD03
Fingerprint: CE6C 4307 9348 58E3 FD94 A00F 3569 61A2 0C8B FD03