The package newsbeuter before version 2.9-6.97 is vulnerable to arbitrary code execution.
If you use newsbeuter you should upgrade as soon as possible, or avoid bookmarking items until you upgrade.
Resolution
Upgrade to 2.9-6.97.
# pacman -Syu "newsbeuter>=2.9-6.97"
Workaround
Don’t bookmark items.
Description
An attacker can craft an RSS item with shell code in the title and/or URL. When such an item is bookmarked, the shell will execute that code. The vulnerability is triggered when bookmark-cmd is called.
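The quoting failure described above, as an added example that is not newsbeuter's code: it assumes the bookmark command line is built as a string and handed to /bin/sh, and shows the unescaped form beside a quoted one. The helper names are hypothetical, printf stands in for a configured bookmark-cmd, and the URL and title are constructed sample data.

```cpp
// Added example, not newsbeuter's code; all names here are hypothetical.
#include <cstdio>
#include <iostream>
#include <string>

// Quote one value for POSIX sh: wrap it in single quotes and rewrite each
// embedded ' as '\'' (close the quote, emit an escaped quote, reopen).
std::string shell_quote(const std::string& s) {
    std::string out = "'";
    for (char c : s) {
        if (c == '\'') out += "'\\''";
        else out += c;
    }
    return out + "'";
}

// Unsafe pattern: feed text is pasted between quotes without escaping, so a
// quote character in the title ends the argument and the rest runs as shell.
std::string build_unsafe(const std::string& cmd, const std::string& url,
                         const std::string& title) {
    return cmd + " '" + url + "' '" + title + "'";
}

// Hardened pattern: every feed-controlled field goes through shell_quote().
std::string build_quoted(const std::string& cmd, const std::string& url,
                         const std::string& title) {
    return cmd + " " + shell_quote(url) + " " + shell_quote(title);
}

// Run a command line via /bin/sh (what popen does) and return its stdout.
std::string run_sh(const std::string& cmdline) {
    std::string out;
    FILE* p = popen(cmdline.c_str(), "r");
    if (!p) return out;
    char buf[256];
    for (size_t n; (n = fread(buf, 1, sizeof buf, p)) > 0;) out.append(buf, n);
    pclose(p);
    return out;
}

// Constructed sample data; printf stands in for a configured bookmark-cmd.
const std::string kCmd = "printf '%s\\n'";
const std::string kUrl = "https://example.invalid/item?id=1";
const std::string kTitle = "News'; echo INJECTED; echo 'x";

int main() {
    std::cout << "unsafe:\n" << run_sh(build_unsafe(kCmd, kUrl, kTitle));
    std::cout << "quoted:\n" << run_sh(build_quoted(kCmd, kUrl, kTitle));
}
```

With the quoted form the title reaches the command as a single literal argument; with the unsafe form the shell prints INJECTED on a line of its own because part of the title was parsed as a command.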
Impact
A remote attacker can execute an arbitrary command on the affected host by tricking a user into bookmarking a specially crafted RSS item.
References
https://github.com/akrennmair/newsbeuter/issues/591
https://groups.google.com/forum/#!topic ... FqSE7Vz-DE
https://security.archlinux.org/CVE-2017-12904