1 files changed, 20 insertions, 0 deletions

diff --git a/net-news/newsbeuter/files/newsbeuter-2.9-security-fix.patch b/net-news/newsbeuter/files/newsbeuter-2.9-security-fix.patch
new file mode 100644
index 000000000000..5e7b39a5f20f
--- /dev/null
+++ b/net-news/newsbeuter/files/newsbeuter-2.9-security-fix.patch
@@ -0,0 +1,20 @@
+Newsbeuter didn't properly shell-escape the arguments passed to bookmarking
+command, which allows a remote attacker to perform remote code execution by
+crafting an RSS item whose title and/or URL contain something interpretable by
+the shell (most notably subshell invocations.)
+
+--- a/src/controller.cpp
++++ b/src/controller.cpp
+@@ -1275,9 +1275,10 @@ std::string controller::bookmark(const std::string& url, const std::string& titl
+ 	std::string bookmark_cmd = cfg.get_configvalue("bookmark-cmd");
+ 	bool is_interactive = cfg.get_configvalue_as_bool("bookmark-interactive");
+ 	if (bookmark_cmd.length() > 0) {
+-		std::string cmdline = utils::strprintf("%s '%s' %s %s",
++		std::string cmdline = utils::strprintf("%s '%s' '%s' '%s'",
+ 		                                       bookmark_cmd.c_str(), utils::replace_all(url,"'", "%27").c_str(),
+-		                                       stfl::quote(title).c_str(), stfl::quote(description).c_str());
++		                                       utils::replace_all(title,"'", "%27").c_str(),
++		                                       utils::replace_all(description,"'", "%27").c_str());
+ 
+ 		LOG(LOG_DEBUG, "controller::bookmark: cmd = %s", cmdline.c_str());
+