diff options
-rw-r--r-- | gnu/local.mk | 1 | ||||
-rw-r--r-- | gnu/packages/patches/newsbeuter-CVE-2017-14500.patch | 43 | ||||
-rw-r--r-- | gnu/packages/syndication.scm | 5 |
3 files changed, 47 insertions, 2 deletions
diff --git a/gnu/local.mk b/gnu/local.mk index bdd49c6182..0b84a72fa6 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -883,6 +883,7 @@ dist_patch_DATA = \ %D%/packages/patches/netsurf-y2038-tests.patch \ %D%/packages/patches/netsurf-longer-test-timeout.patch \ %D%/packages/patches/newsbeuter-CVE-2017-12904.patch \ + %D%/packages/patches/newsbeuter-CVE-2017-14500.patch \ %D%/packages/patches/ngircd-handle-zombies.patch \ %D%/packages/patches/ninja-zero-mtime.patch \ %D%/packages/patches/nss-increase-test-timeout.patch \ diff --git a/gnu/packages/patches/newsbeuter-CVE-2017-14500.patch b/gnu/packages/patches/newsbeuter-CVE-2017-14500.patch new file mode 100644 index 0000000000..449105e42a --- /dev/null +++ b/gnu/packages/patches/newsbeuter-CVE-2017-14500.patch @@ -0,0 +1,43 @@ +https://github.com/akrennmair/newsbeuter/commit/26f5a4350f3ab5507bb8727051c87bb04660f333.patch +http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14500 + +From 26f5a4350f3ab5507bb8727051c87bb04660f333 Mon Sep 17 00:00:00 2001 +From: Alexander Batischev <eual.jp@gmail.com> +Date: Sat, 16 Sep 2017 19:31:43 +0300 +Subject: [PATCH] Work around shell code in podcast names (#598) + +--- + src/pb_controller.cpp | 6 +++--- + src/queueloader.cpp | 2 +- + 2 files changed, 4 insertions(+), 4 deletions(-) + +diff --git a/src/pb_controller.cpp b/src/pb_controller.cpp +index 09b5e897..213216cd 100644 +--- a/src/pb_controller.cpp ++++ b/src/pb_controller.cpp +@@ -306,9 +306,9 @@ void pb_controller::play_file(const std::string& file) { + if (player == "") + return; + cmdline.append(player); +- cmdline.append(" \""); +- cmdline.append(utils::replace_all(file,"\"", "\\\"")); +- cmdline.append("\""); ++ cmdline.append(" \'"); ++ cmdline.append(utils::replace_all(file,"'", "%27")); ++ cmdline.append("\'"); + stfl::reset(); + LOG(LOG_DEBUG, "pb_controller::play_file: running `%s'", cmdline.c_str()); + ::system(cmdline.c_str()); +diff --git a/src/queueloader.cpp b/src/queueloader.cpp +index c1dabdd8..ae725e04 100644 +--- a/src/queueloader.cpp ++++ b/src/queueloader.cpp +@@ -130,7 +130,7 @@ std::string queueloader::get_filename(const std::string& str) { + strftime(lbuf, sizeof(lbuf), "%Y-%b-%d-%H%M%S.unknown", localtime(&t)); + fn.append(lbuf); + } else { +- fn.append(base); ++ fn.append(utils::replace_all(base, "'", "%27")); + } + return fn; + } diff --git a/gnu/packages/syndication.scm b/gnu/packages/syndication.scm index 80c45c396c..8ac0524fc6 100644 --- a/gnu/packages/syndication.scm +++ b/gnu/packages/syndication.scm @@ -1,4 +1,4 @@ -;;; Copyright © 2016 Efraim Flashner <efraim@flashner.co.il> +;;; Copyright © 2016, 2017 Efraim Flashner <efraim@flashner.co.il> ;;; ;;; GNU Guix is free software; you can redistribute it and/or modify it ;;; under the terms of the GNU General Public License as published by @@ -38,7 +38,8 @@ (method url-fetch) (uri (string-append "https://newsbeuter.org/downloads/newsbeuter-" version ".tar.gz")) - (patches (search-patches "newsbeuter-CVE-2017-12904.patch")) + (patches (search-patches "newsbeuter-CVE-2017-12904.patch" + "newsbeuter-CVE-2017-14500.patch")) (sha256 (base32 "1j1x0hgwxz11dckk81ncalgylj5y5fgw5bcmp9qb5hq9kc0vza3l")))) |