[CVE-2017-12904] Remote code execution #591
Description
Dear users,
Jeriko One discovered a vulnerability that allows a remote attacker to execute arbitrary code on your computer.
An attacker can craft an RSS item with shell code in the title and/or URL. When you bookmark such an item, your shell will execute that code. The vulnerability is triggered when bookmark-cmd is called; if you abort bookmarking before that, you're safe.
Newsbeuter versions 0.7 through 2.9 are affected.
Workaround
Update 2017.08.18: Do not use bookmarking until you apply the fix. See the comment below for details.
First of all, set bookmark-autopilot to no (that's the default). This gives you a chance to review inputs before executing your bookmark-cmd.
Second, when bookmarking items, pay close attention to titles and URLs. I can't possibly teach you how to recognize shell code in just a few paragraphs, so if unsure, just don't bookmark the thing.
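As an added illustration (not Newsbeuter's code and not its actual fix), this shows the bug class described above and the pattern that removes it: feed title and URL spliced into one shell command line versus passed as separate argv entries to a process started without a shell. The metacharacter check is a review aid in the spirit of the workaround; all function names and sample values are constructed for this example.

```cpp
#include <string>
#include <vector>
#include <unistd.h>
#include <sys/wait.h>

// Vulnerable pattern (illustrative, not Newsbeuter's code): feed title and URL
// spliced into one string that later reaches /bin/sh via popen()/system().
// Metacharacters in either field (";", "`", "$(...)") become shell syntax.
// Returned for inspection only; never executed in this example.
std::string build_cmd_unsafe(const std::string& bookmark_cmd,
                             const std::string& url,
                             const std::string& title) {
    return bookmark_cmd + " " + url + " " + title;
}

// Hardened pattern: each field stays its own argv entry. execvp() hands the
// strings to the program verbatim, so nothing in them is parsed as shell.
std::vector<std::string> build_argv(const std::string& bookmark_cmd,
                                    const std::string& url,
                                    const std::string& title) {
    return {bookmark_cmd, url, title};
}

// Starts argv[0] directly, with no shell in between. Returns the child's exit
// status, or -1 if fork()/waitpid() fails (127 if the exec itself fails).
int run_without_shell(const std::vector<std::string>& argv) {
    std::vector<char*> cargv;
    for (const auto& a : argv) cargv.push_back(const_cast<char*>(a.c_str()));
    cargv.push_back(nullptr);
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execvp(cargv[0], cargv.data());
        _exit(127);  // only reached when exec fails
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

// Review aid for the workaround above: flag a title or URL that contains
// characters the shell would interpret, so the user can decline to bookmark.
bool has_shell_metachars(const std::string& field) {
    return field.find_first_of(";|&`$<>(){}\\\"'\n") != std::string::npos;
}
```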
Resolution
A fix has already been pushed to our Git repository: 96e9506
I managed to get in touch with maintainers in AUR, Debian, FreeBSD and Gentoo, so if you're running one of those, an update should arrive soon. If you're running something else, I encourage you to find out who maintains Newsbeuter for your distribution, contact them and point to the aforementioned commit. They'll know what to do.
Call to security researchers
If you discover a vulnerability, please disclose it to me privately at eual.jp@gmail.com, preferably encrypting the message for PGP key 356961A20C8BFD03.
(This has also been posted on our mailing list).