diff options
author | Benjamin Trigona-Harany <bosth@alumni.sfu.ca> | 2017-09-17 05:38:25 -0700 |
---|---|---|
committer | Benjamin Trigona-Harany <bosth@alumni.sfu.ca> | 2017-09-17 05:38:25 -0700 |
commit | 53c4653df278222051b241c49b907e116fa6fd8f (patch) | |
tree | 4acfc32d204b2271a99c5219747041dcc72ae3f8 | |
parent | ef549ae018e780c831c0f77c98c3d312f413d8e5 (diff) |
network/newsbeuter: Patch remote code execution vulnerability.
Signed-off-by: Benjamin Trigona-Harany <bosth@alumni.sfu.ca>
-rw-r--r-- | network/newsbeuter/newsbeuter-2.9-cve-2017-14500-fix.patch | 30 | ||||
-rw-r--r-- | network/newsbeuter/newsbeuter.SlackBuild | 3 |
2 files changed, 32 insertions, 1 deletions
diff --git a/network/newsbeuter/newsbeuter-2.9-cve-2017-14500-fix.patch b/network/newsbeuter/newsbeuter-2.9-cve-2017-14500-fix.patch new file mode 100644 index 0000000000000..051a2ba915a20 --- /dev/null +++ b/network/newsbeuter/newsbeuter-2.9-cve-2017-14500-fix.patch @@ -0,0 +1,30 @@ +diff --git a/src/pb_controller.cpp b/src/pb_controller.cpp +index 09b5e897..213216cd 100644 +--- a/src/pb_controller.cpp ++++ b/src/pb_controller.cpp +@@ -306,9 +306,9 @@ void pb_controller::play_file(const std::string& file) { + if (player == "") + return; + cmdline.append(player); +- cmdline.append(" \""); +- cmdline.append(utils::replace_all(file,"\"", "\\\"")); +- cmdline.append("\""); ++ cmdline.append(" \'"); ++ cmdline.append(utils::replace_all(file,"'", "%27")); ++ cmdline.append("\'"); + stfl::reset(); + LOG(LOG_DEBUG, "pb_controller::play_file: running `%s'", cmdline.c_str()); + ::system(cmdline.c_str()); +diff --git a/src/queueloader.cpp b/src/queueloader.cpp +index c1dabdd8..ae725e04 100644 +--- a/src/queueloader.cpp ++++ b/src/queueloader.cpp +@@ -130,7 +130,7 @@ std::string queueloader::get_filename(const std::string& str) { + strftime(lbuf, sizeof(lbuf), "%Y-%b-%d-%H%M%S.unknown", localtime(&t)); + fn.append(lbuf); + } else { +- fn.append(base); ++ fn.append(utils::replace_all(base, "'", "%27")); + } + return fn; + } diff --git a/network/newsbeuter/newsbeuter.SlackBuild b/network/newsbeuter/newsbeuter.SlackBuild index 11a02ac10f507..d91d126675b2a 100644 --- a/network/newsbeuter/newsbeuter.SlackBuild +++ b/network/newsbeuter/newsbeuter.SlackBuild @@ -7,7 +7,7 @@ PRGNAM=newsbeuter VERSION=${VERSION:-2.9} -BUILD=${BUILD:-3} +BUILD=${BUILD:-4} TAG=${TAG:-_SBo} case "$( uname -m )" in @@ -53,6 +53,7 @@ find -L . \ patch -p1 < $CWD/newsbeuter-2.9-security-fix.patch patch -p1 < $CWD/newsbeuter-2.9-ncursesw-fix.patch patch -p1 < $CWD/newsbeuter-2.9-segfault-fix.patch +patch -p1 < $CWD/newsbeuter-2.9-cve-2017-14500-fix.patch CXXFLAGS="$SLKCFLAGS" \ make \ |