[CVE-2017-12904] Remote code execution

58 views
Skip to first unread message

Alexander Batischev

unread,
Aug 17, 2017, 4:47:02 PM8/17/17
to newsb...@googlegroups.com
Dear users,

Jeriko One discovered a vulnerability that allows a remote attacker to
execute arbitrary code on your computer.

An attacker can craft an RSS item with shell code in the title and/or
URL. When you bookmark such an item, your shell will execute that code.
The vulnerability is triggered when `bookmark-cmd` is called; if you
abort bookmarking before that, you're safe.

Newsbeuter versions 0.7 through 2.9 are affected.

Workaround
==========

First of all, set `bookmark-autopilot` to `no` (that's the default.)
This gives you a chance to review inputs before executing your
`bookmark-cmd`.

Second, when bookmarking items, pay close attention to titles and URLs.
I can't possibly teach you how to recognize shell code in just a few
paragraphs, so if unsure, just don't bookmark the thing.

Resolution
==========

A fix has already been pushed to our Git repository:
https://github.com/akrennmair/newsbeuter/commit/96e9506ae9e252c548665152d1b8968297128307

I managed to get in touch with maintainers in AUR, Debian, FreeBSD and
Gentoo, so if you're running one of those, an update should arrive soon.
If you're running something else, I encourage you to find out who
maintains Newsbeuter for your distribution, contact them and point to
the aforementioned commit. They'll know what to do.

Call to security researchers
============================

If you discover a vulnerability, please disclose it to me privately at
eua...@gmail.com, preferably encrypting the message for PGP key
356961A20C8BFD03.

--
Regards,
Alexander Batischev

PGP key 356961A20C8BFD03
Fingerprint: CE6C 4307 9348 58E3 FD94 A00F 3569 61A2 0C8B FD03

signature.asc

Alexander Batischev

unread,
Aug 18, 2017, 7:15:00 AM8/18/17
to newsb...@googlegroups.com
Dear users,

The workaround I provided was wrong. The new one: don't use bookmarking
feature until you apply the fix.

The problem with the old workaround is that an item can have a long
title (longer than your screen width) and include the shell code *at the
end* of it. Since Newsbeuter puts the cursor at the beginning of the
line, you won't immediately see the shell code. So if you aren't careful
and don't examine the whole line, you will still execute the code. It's
better to play it safe and simply forgo bookmarking anything until your
Newsbeuter is fixed.

See this comment on our issue tracker for details:
https://github.com/akrennmair/newsbeuter/issues/591#issuecomment-323259469
signature.asc
Reply all
Reply to author
Forward
0 new messages