Re: CVE id request: newsbeuter

[Nico Golde <oss-security+ml () ngolde de>]

Hi,
* Nico Golde <oss-security+ml () ngolde de> [2008-09-01 12:09]:
> newsbeuter (http://www.newsbeuter.org) 1.1 fixes a security 
> issue that was discovered by J.H.M. Dassen (Ray) and is 
> fixed in svn revision 1429.
>
> The previous version allowed to execute arbitrary code by a 
> crafted feed URL that is passed as a command line parameter 
> if the URL is opened by an external browser.
>
> Upstream changelog:
>  1.1:
>         Added a line wrap for the article view's headers and the link list on the bottom (fixes Debian issue #491122)
>         Added test suite for functional tests of the user interface
>         Fixed quoting issue in open-in-browser command
>         ^^^^^
>
> This issue should affect all newsbeuter versions < 1.1.

Update, it also affects 1.1, the fix is not sufficient, see 
Debian bug #497495. r1445 and r1447 is needed as an 
additional fix which now replaces all ' by their hex 
representations so this affects < 1.2.

Kind regards
Nico
-- 
Nico Golde - http://www.ngolde.de - nion () jabber ccc de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.

Attachment: _bin
Description: