This repository has been archived by the owner on Oct 10, 2019. It is now read-only.

[CVE-2017-14500] Remote code execution in Podbeuter #598

Open
Minoru opened this issue Sep 16, 2017 · 1 comment

Minoru commented Sep 16, 2017

Dear users,

On the heels of the previous vulnerability we have a similar one in Podbeuter, discovered by @noctux.

An attacker can craft an RSS item where the name of the media enclosure (the podcast file) contains shell code. When the user plays the file in Podbeuter, the shell code will be executed. If you're using Podbeuter only to download podcasts, not play them, you're safe.

Podbeuter versions 0.3 through 2.9 are affected.

I'm still waiting for a CVE. (Submitted a request to MITRE on August 27th, pinged them on September 9th, but got nothing back.)

Workaround

Don't play any podcasts in Podbeuter until you apply the fix.

Resolution

A fix has already been pushed to our Git repository: c8fea2f

A patch for 2.9 is also available: 26f5a43

I'll notify [email protected], so distributions ought to pick this up soon enough.
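
The class of bug described in the advisory above, as an added example that is not part of the original post and is not Podbeuter's code. It assumes the player is started through `/bin/sh` with the file name spliced into the command line; `printf` stands in for the player, and `weak_quote`, `sh_quote`, `seen_by_player` and `run_player` are hypothetical names.

```cpp
// Added example, not Podbeuter's code. All names and inputs are constructed.
#include <cstdio>
#include <string>
#include <sys/wait.h>
#include <unistd.h>

// Hypothetical weak pattern: wrap in double quotes and escape only '"'.
// Inside double quotes sh still expands $(...), `...` and $VAR.
std::string weak_quote(const std::string& s) {
    std::string out = "\"";
    for (char c : s) { if (c == '"') out += '\\'; out += c; }
    return out + "\"";
}

// POSIX sh quoting: nothing is special inside single quotes, so wrap in them
// and rewrite each embedded ' as '\'' (close, escaped quote, reopen).
std::string sh_quote(const std::string& s) {
    std::string out = "'";
    for (char c : s) { if (c == '\'') out += "'\\''"; else out += c; }
    return out + "'";
}

// Pass one quoted argument to `printf %s` through /bin/sh and return what the
// shell actually handed over. printf stands in for the media player.
std::string seen_by_player(const std::string& quoted_arg) {
    std::string cmd = "printf %s " + quoted_arg, out;
    FILE* p = popen(cmd.c_str(), "r");
    if (!p) return out;
    char buf[256];
    size_t n;
    while ((n = fread(buf, 1, sizeof buf, p)) > 0) out.append(buf, n);
    pclose(p);
    return out;
}

// Preferred: skip the shell. The name is a single argv entry, never parsed.
// Returns the player's exit status, or -1 if it could not be run.
int run_player(const char* player, const std::string& file) {
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execlp(player, player, file.c_str(), (char*)nullptr);
        _exit(127);  // exec failed (player not found, not executable)
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```

With the exec-based variant a file name that begins with `-` can still be read as an option by the player, so option parsing needs its own handling.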

uqs pushed a commit to freebsd/freebsd-ports that referenced this issue Sep 16, 2017
Reported by:	tj <[email protected]>
Obtained from:	akrennmair/newsbeuter#598


git-svn-id: svn+ssh://svn.freebsd.org/ports/head@449974 35697150-7ecd-e111-bb59-0022644237b5
carnil commented Sep 17, 2017

This issue has been assigned CVE-2017-14500

Minoru changed the title from "Remote code execution in Podbeuter" to "[CVE-2017-14500] Remote code execution in Podbeuter" on Sep 17, 2017