This repository was archived by the owner on Oct 10, 2019. It is now read-only.

[CVE-2017-14500] Remote code execution in Podbeuter #598

Open
@Minoru

Description

Dear users,

On the heels of the previous vulnerability we have a similar one in Podbeuter, discovered by @noctux.

An attacker can craft an RSS item where the name of the media enclosure (the podcast file) contains shell code. When the user plays the file in Podbeuter, the shell code will be executed. If you're using Podbeuter only to download podcasts, not play them, you're safe.

Podbeuter versions 0.3 through 2.9 are affected.

I'm still waiting for CVE. (Submitted a request to MITRE on August 27th, pinged them on September 9th, but got nothing back.)

Workaround

Don't play any podcasts in Podbeuter until you apply the fix.

Resolution

A fix has already been pushed to our Git repository: c8fea2f

A patch for 2.9 is also available: 26f5a43

I'll notify oss-security@lists.openwall.com, so distributions ought to pick this up soon enough.
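An added example (not code from the newsbeuter project or from this issue) of the bug class described above: the enclosure name spliced raw into a shell command line, beside the quoted form that keeps shell metacharacters inert. The quoting helper, the player name and the crafted enclosure name are constructed for the demonstration; `echo` stands in for the media player.

```cpp
#include <cstdio>
#include <string>

// Wrap a string in single quotes so /bin/sh treats it as one literal word.
// A single quote inside the string is closed, escaped and reopened: ' -> '\''
std::string shell_quote(const std::string& s) {
    std::string out = "'";
    for (char c : s) {
        if (c == '\'') out += "'\\''";
        else out += c;
    }
    return out + "'";
}

// Run a command line through /bin/sh (as popen does) and return its stdout.
std::string run_capture(const std::string& cmdline) {
    std::string out;
    FILE* p = popen(cmdline.c_str(), "r");
    if (!p) return out;
    char buf[256];
    while (fgets(buf, sizeof buf, p)) out += buf;
    pclose(p);
    return out;
}

// Vulnerable pattern: the enclosure name is pasted raw into the player
// command line, so any shell metacharacters in it are interpreted.
std::string play_unsafe(const std::string& player, const std::string& file) {
    return run_capture(player + " " + file);
}

// Hardened pattern: the name is quoted, so the shell sees one literal argument.
std::string play_safe(const std::string& player, const std::string& file) {
    return run_capture(player + " " + shell_quote(file));
}

// Constructed sample: an enclosure name carrying a second command. "echo"
// stands in for the media player so the only effect is visible output.
const std::string kPlayer = "echo";
const std::string kCrafted = "episode.mp3; echo INJECTED";

int main() {
    std::printf("unsafe: %s", play_unsafe(kPlayer, kCrafted).c_str());
    // prints "episode.mp3" and then "INJECTED": the second command ran
    std::printf("safe:   %s", play_safe(kPlayer, kCrafted).c_str());
    // prints the whole name literally on one line; nothing else executed
    return 0;
}
```

Avoiding the shell entirely (execvp with an argv array) is the stronger fix; quoting is the minimal change when the player command line must stay a user-configurable string.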
