From ae6b8912bae084921b36d6176bbc0181f08441a3 Mon Sep 17 00:00:00 2001 From: Tim Harder Date: Thu, 24 Aug 2017 05:20:00 -0400 Subject: net-news/newsbeuter: apply security fix for bug #628796 --- .../files/newsbeuter-2.9-security-fix.patch | 20 ++++++ net-news/newsbeuter/newsbeuter-2.9-r3.ebuild | 76 ++++++++++++++++++++++ 2 files changed, 96 insertions(+) create mode 100644 net-news/newsbeuter/files/newsbeuter-2.9-security-fix.patch create mode 100644 net-news/newsbeuter/newsbeuter-2.9-r3.ebuild (limited to 'net-news') diff --git a/net-news/newsbeuter/files/newsbeuter-2.9-security-fix.patch b/net-news/newsbeuter/files/newsbeuter-2.9-security-fix.patch new file mode 100644 index 000000000000..5e7b39a5f20f --- /dev/null +++ b/net-news/newsbeuter/files/newsbeuter-2.9-security-fix.patch @@ -0,0 +1,20 @@ +Newsbeuter didn't properly shell-escape the arguments passed to bookmarking +command, which allows a remote attacker to perform remote code execution by +crafting an RSS item whose title and/or URL contain something interpretable by +the shell (most notably subshell invocations.) + +--- a/src/controller.cpp ++++ b/src/controller.cpp +@@ -1275,9 +1275,10 @@ std::string controller::bookmark(const std::string& url, const std::string& titl + std::string bookmark_cmd = cfg.get_configvalue("bookmark-cmd"); + bool is_interactive = cfg.get_configvalue_as_bool("bookmark-interactive"); + if (bookmark_cmd.length() > 0) { +- std::string cmdline = utils::strprintf("%s '%s' %s %s", ++ std::string cmdline = utils::strprintf("%s '%s' '%s' '%s'", + bookmark_cmd.c_str(), utils::replace_all(url,"'", "%27").c_str(), +- stfl::quote(title).c_str(), stfl::quote(description).c_str()); ++ utils::replace_all(title,"'", "%27").c_str(), ++ utils::replace_all(description,"'", "%27").c_str()); + + LOG(LOG_DEBUG, "controller::bookmark: cmd = %s", cmdline.c_str()); + diff --git a/net-news/newsbeuter/newsbeuter-2.9-r3.ebuild b/net-news/newsbeuter/newsbeuter-2.9-r3.ebuild new file mode 100644 index 000000000000..1145dfbfbfc5 --- /dev/null +++ b/net-news/newsbeuter/newsbeuter-2.9-r3.ebuild @@ -0,0 +1,76 @@ +# Copyright 1999-2016 Gentoo Foundation +# Distributed under the terms of the GNU General Public License v2 + +EAPI=6 + +if [[ ${PV} == 9999 ]]; then + inherit git-r3 + EGIT_REPO_URI="https://github.com/akrennmair/newsbeuter.git" +else + KEYWORDS="~amd64 ~ppc ~x86" + SRC_URI="http://www.newsbeuter.org/downloads/${P}.tar.gz" +fi + +inherit toolchain-funcs + +DESCRIPTION="A RSS/Atom feed reader for the text console" +HOMEPAGE="http://www.newsbeuter.org/index.html" + +LICENSE="MIT" +SLOT="0" +IUSE="test" + +RDEPEND=" + >=dev-db/sqlite-3.5:3 + >=dev-libs/stfl-0.21 + >=net-misc/curl-7.18.0 + >=dev-libs/json-c-0.11:= + dev-libs/libxml2 + sys-libs/ncurses:0=[unicode] +" +DEPEND="${RDEPEND} + dev-lang/perl + virtual/pkgconfig + sys-devel/gettext + test? ( + dev-libs/boost + sys-devel/bc + ) +" +[[ ${PV} == 9999 ]] && DEPEND+=" app-text/asciidoc" + +# tests require network access +RESTRICT="test" + +PATCHES=( + "${FILESDIR}"/${PN}-2.9-ncurses6.patch + "${FILESDIR}"/${PN}-2.9-fix-mem-leak.patch + "${FILESDIR}"/${PN}-2.9-fix-segfault.patch + "${FILESDIR}"/${PN}-2.9-security-fix.patch +) + +src_prepare() { + default + sed -i 's:-ggdb::' Makefile || die +} + +src_configure() { + ./config.sh || die +} + +src_compile() { + emake prefix="/usr" CXX="$(tc-getCXX)" AR="$(tc-getAR)" RANLIB="$(tc-getRANLIB)" + [[ ${PV} == 9999 ]] && emake doc +} + +src_test() { + emake test + # Tests fail if in ${S} rather than in ${S}/test + cd "${S}"/test || die + ./test || die +} + +src_install() { + emake DESTDIR="${D}" prefix="/usr" docdir="/usr/share/doc/${PF}" install + dodoc AUTHORS README CHANGES +} -- cgit v1.2.3-65-gdbad