aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--gnu/local.mk1
-rw-r--r--gnu/packages/patches/newsbeuter-CVE-2017-14500.patch43
-rw-r--r--gnu/packages/syndication.scm5
3 files changed, 47 insertions, 2 deletions
diff --git a/gnu/local.mk b/gnu/local.mk
index bdd49c6182..0b84a72fa6 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -883,6 +883,7 @@ dist_patch_DATA = \
%D%/packages/patches/netsurf-y2038-tests.patch \
%D%/packages/patches/netsurf-longer-test-timeout.patch \
%D%/packages/patches/newsbeuter-CVE-2017-12904.patch \
+ %D%/packages/patches/newsbeuter-CVE-2017-14500.patch \
%D%/packages/patches/ngircd-handle-zombies.patch \
%D%/packages/patches/ninja-zero-mtime.patch \
%D%/packages/patches/nss-increase-test-timeout.patch \
diff --git a/gnu/packages/patches/newsbeuter-CVE-2017-14500.patch b/gnu/packages/patches/newsbeuter-CVE-2017-14500.patch
new file mode 100644
index 0000000000..449105e42a
--- /dev/null
+++ b/gnu/packages/patches/newsbeuter-CVE-2017-14500.patch
@@ -0,0 +1,43 @@
+https://github.com/akrennmair/newsbeuter/commit/26f5a4350f3ab5507bb8727051c87bb04660f333.patch
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14500
+
+From 26f5a4350f3ab5507bb8727051c87bb04660f333 Mon Sep 17 00:00:00 2001
+From: Alexander Batischev <eual.jp@gmail.com>
+Date: Sat, 16 Sep 2017 19:31:43 +0300
+Subject: [PATCH] Work around shell code in podcast names (#598)
+
+---
+ src/pb_controller.cpp | 6 +++---
+ src/queueloader.cpp | 2 +-
+ 2 files changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/src/pb_controller.cpp b/src/pb_controller.cpp
+index 09b5e897..213216cd 100644
+--- a/src/pb_controller.cpp
++++ b/src/pb_controller.cpp
+@@ -306,9 +306,9 @@ void pb_controller::play_file(const std::string& file) {
+ if (player == "")
+ return;
+ cmdline.append(player);
+- cmdline.append(" \"");
+- cmdline.append(utils::replace_all(file,"\"", "\\\""));
+- cmdline.append("\"");
++ cmdline.append(" \'");
++ cmdline.append(utils::replace_all(file,"'", "%27"));
++ cmdline.append("\'");
+ stfl::reset();
+ LOG(LOG_DEBUG, "pb_controller::play_file: running `%s'", cmdline.c_str());
+ ::system(cmdline.c_str());
+diff --git a/src/queueloader.cpp b/src/queueloader.cpp
+index c1dabdd8..ae725e04 100644
+--- a/src/queueloader.cpp
++++ b/src/queueloader.cpp
+@@ -130,7 +130,7 @@ std::string queueloader::get_filename(const std::string& str) {
+ strftime(lbuf, sizeof(lbuf), "%Y-%b-%d-%H%M%S.unknown", localtime(&t));
+ fn.append(lbuf);
+ } else {
+- fn.append(base);
++ fn.append(utils::replace_all(base, "'", "%27"));
+ }
+ return fn;
+ }
diff --git a/gnu/packages/syndication.scm b/gnu/packages/syndication.scm
index 80c45c396c..8ac0524fc6 100644
--- a/gnu/packages/syndication.scm
+++ b/gnu/packages/syndication.scm
@@ -1,4 +1,4 @@
-;;; Copyright © 2016 Efraim Flashner <efraim@flashner.co.il>
+;;; Copyright © 2016, 2017 Efraim Flashner <efraim@flashner.co.il>
;;;
;;; GNU Guix is free software; you can redistribute it and/or modify it
;;; under the terms of the GNU General Public License as published by
@@ -38,7 +38,8 @@
(method url-fetch)
(uri (string-append "https://newsbeuter.org/downloads/newsbeuter-"
version ".tar.gz"))
- (patches (search-patches "newsbeuter-CVE-2017-12904.patch"))
+ (patches (search-patches "newsbeuter-CVE-2017-12904.patch"
+ "newsbeuter-CVE-2017-14500.patch"))
(sha256
(base32
"1j1x0hgwxz11dckk81ncalgylj5y5fgw5bcmp9qb5hq9kc0vza3l"))))