Jeriko One discovered a vulnerability that allows a remote attacker to
execute arbitrary code on your computer.
An attacker can craft an RSS item with shell code in the title and/or
URL. When you bookmark such an item, your shell will execute that code.
The vulnerability is triggered when `bookmark-cmd` is called; if you
abort bookmarking before that, you're safe.
Newsbeuter versions 0.7 through 2.9 are affected.
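As an added illustration (not Newsbeuter's own code, nor its fix), here is the pattern behind this class of bug next to the shell-free alternative: the first function splices feed-controlled fields into one shell command line, the second hands them to the bookmark program as separate argv elements so no shell ever parses them. The command and feed values are constructed; it assumes a POSIX system with `/bin/echo` available.

```cpp
// Added example (not Newsbeuter's code): why passing feed-controlled text
// through a shell is dangerous, and the argv-based alternative. Assumes a
// POSIX system with /bin/echo available.
#include <string>
#include <vector>
#include <unistd.h>
#include <sys/wait.h>

// Vulnerable pattern: item fields are spliced into one shell command line.
// Anything the feed author puts in the title (quotes, ';', '$(...)') is
// interpreted by the shell, which is exactly the class of bug in the advisory.
std::string build_shell_command(const std::string& cmd, const std::string& url,
                                const std::string& title) {
    // a single ' inside title terminates the quoting and the rest runs as shell
    return cmd + " '" + url + "' '" + title + "'";
}

// Hardened pattern: no shell at all. Each field becomes one argv element, so
// the child program receives the title verbatim, whatever characters it holds.
// Returns the child's stdout so the caller can see what actually arrived.
std::string run_bookmark_cmd(const std::string& cmd, const std::string& url,
                             const std::string& title) {
    int fds[2];
    if (pipe(fds) != 0) return "";
    pid_t pid = fork();
    if (pid < 0) return "";
    if (pid == 0) {                       // child: stdout -> pipe, then exec
        close(fds[0]);
        dup2(fds[1], STDOUT_FILENO);
        close(fds[1]);
        std::vector<char*> argv = {const_cast<char*>(cmd.c_str()),
                                   const_cast<char*>(url.c_str()),
                                   const_cast<char*>(title.c_str()), nullptr};
        execvp(argv[0], argv.data());
        _exit(127);                       // only reached if exec failed
    }
    close(fds[1]);                        // parent: collect child's output
    std::string out;
    char buf[256];
    ssize_t n;
    while ((n = read(fds[0], buf, sizeof buf)) > 0) out.append(buf, n);
    close(fds[0]);
    int status = 0;
    waitpid(pid, &status, 0);
    return out;
}
```

With a title such as `Title'; echo INJECTED; '`, the shell-string form yields a command line in which the `echo` would run as a separate command, while the argv form delivers the whole title to the program as one literal argument.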
First of all, set `bookmark-autopilot` to `no` (that's the default).
This gives you a chance to review inputs before executing your
Second, when bookmarking items, pay close attention to titles and URLs.
I can't possibly teach you how to recognize shell code in just a few
paragraphs, so if unsure, just don't bookmark the thing.
A fix has already been pushed to our Git repository:
I managed to get in touch with maintainers in AUR, Debian, FreeBSD and
Gentoo, so if you're running one of those, an update should arrive soon.
If you're running something else, I encourage you to find out who
maintains Newsbeuter for your distribution, contact them and point to
the aforementioned commit. They'll know what to do.
Call to security researchers
If you discover a vulnerability, please disclose it to me privately at
, preferably encrypting the message for PGP key
PGP key 356961A20C8BFD03
Fingerprint: CE6C 4307 9348 58E3 FD94 A00F 3569 61A2 0C8B FD03